This month we add another bot to the MSRT family list – Win32/Cycbot
. Cycbot was discovered in August 2010 and has quickly become prevalent.
It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s communications are done using HTTP, including the retrieval of backdoor commands. As a backdoor, it’s functionality is limited to capabilities like updating itself and downloading and running other malware; we’ve seen it download Rogue:Win32/FakePAV
in the past. Its main purpose, however, is more subtle.
Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera.