Summary
The BAYROB/NIVDORT malware arrives via spam email as an attachment and goes through two stages of infection. The first stage uses Domain Generating Algorithm (DGA) to download its updated copy that contains backdoor capability. The second stage of infection, downloads a bitcoin-miner on an infected machine.
BAYROB was first seen in 2007 stealing only eBay accounts until it evolved and appeared again in 2015 with its backdoor and Anti-AV capabilities. A resurgence in 2016 caused high volume of infections due to its mass mailing capabilities.
Below is a summary profile of this threat throughout the years of observation:
| 2007 | 2015 | 2016 | |
|---|---|---|---|
| TARGET | eBay Accounts | Harvest bitcoin via coinminer | Still being determined by looking for live C&C |
| URL | Fixed malicious URL | Uses DGA | Uses DGA |
| STEALTH MECHANISM | Uses Kodak Viewer Express | Uses fake MP3 extensions and error messages | Uses names as filenames (jewell.exe) and error messages |
| CAPABILITY | Information theft | Information theft, backdoor capabilities, may download other malware with other functionalities, clicker capabilities | Information theft, backdoor capabilities, may download other malware with other functionalities, mass mailing capabilities |
| DEFENSE | None | Disables AV via registry, disables firewall, terminates AV application including watchdog | Disables AV via registry, disables firewall, terminates AV application including watchdog |
For further information on BKDR_BAYROB variants that we have already detected, click here.
Click image to enlarge.
Make sure to always use the latest pattern available to detect the old and new variants of BKDR_BAYROB.
Details
Solution Map
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
|---|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console |
| Worry Free Business Suite | Standard | Not Applicable | |||||
| Advanced/MSA | Update Pattern via web console | ||||||
| Hosted | |||||||
| Deep Security | 8.0 and above | Not Applicable | Update Pattern via web console | Not Applicable | Update Pattern via web console | ||
| ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via web console | Not Applicable | |||
| SMD 5 and later | |||||||
| InterScan Messaging | IMSVA 8.0 and above | ||||||
| InterScan Web | IWSVA 6.0 and later | ||||||
| Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | ||||
| DDAN | |||||||
| DDEI |
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.
Recommendations
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support
