How to mitigate BKDR_BAYROB using Trend Micro Products

    • Updated: 27 Sep 2016
    • Product/Version:
    • Deep Discovery 3.0
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.5
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 3.1
    • InterScan Web Security Virtual Appliance 5.0
    • InterScan Web Security Virtual Appliance 5.1
    • InterScan Web Security Virtual Appliance 5.5
    • InterScan Web Security Virtual Appliance 5.6
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 3.1 Linux
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform: N/A
Summary

The BAYROB/NIVDORT malware arrives via spam email as an attachment and goes through two stages of infection. The first stage uses a domain generation algorithm (DGA) to download an updated copy of itself that contains backdoor capability. The second stage of infection downloads a bitcoin miner onto the infected machine.

BAYROB was first seen in 2007, when it stole only eBay accounts. It then evolved and appeared again in 2015 with backdoor and anti-AV capabilities. A resurgence in 2016 caused a high volume of infections due to its mass-mailing capabilities.

Below is a summary profile of this threat throughout the years of observation:

| | 2007 | 2015 | 2016 |
|---|---|---|---|
| TARGET | eBay Accounts | Harvest bitcoin via coinminer | Still being determined by looking for live C&C |
| URL | Fixed malicious URL | Uses DGA | Uses DGA |
| STEALTH MECHANISM | Uses Kodak Viewer Express | Uses fake MP3 extensions and error messages | Uses names as filenames (jewell.exe) and error messages |
| CAPABILITY | Information theft | Information theft, backdoor capabilities, may download other malware with other functionalities, clicker capabilities | Information theft, backdoor capabilities, may download other malware with other functionalities, mass mailing capabilities |
| DEFENSE | None | Disables AV via registry, disables firewall, terminates AV application including watchdog | Disables AV via registry, disables firewall, terminates AV application including watchdog |

For further information on BKDR_BAYROB variants that we have already detected, click here.

BAYROB Infection Chain

Make sure to always use the latest pattern available to detect the old and new variants of BKDR_BAYROB.
Details

Solution Map

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern

OfficeScan | 10.6 and above
Update Pattern via web console
Update Pattern via web console
Enable Web Reputation Service*
Update Pattern via web console
Not Applicable
Update Pattern via web console

Worry Free Business Suite | Standard
Not Applicable
Advanced/MSA
Update Pattern via web console
Hosted

Deep Security | 8.0 and above
Not Applicable
Update Pattern via web console
Not Applicable
Update Pattern via web console

ScanMail | SMEX 10 and later
Not Applicable
Update Pattern via web console
Not Applicable
SMD 5 and later

InterScan Messaging | IMSVA 8.0 and above

InterScan Web | IWSVA 6.0 and later

Deep Discovery | DDI 3.0 and later
Not Applicable
Update Pattern via web console
DDAN
DDEI
 
Refer to the product's Administrator's Guide for how to enable the Email Reputation or Web Reputation Services features.

Recommendations

Threat Report

Category: Configure; Troubleshoot; Update
Solution Id: 1112195