BKDR_BERBOT.XMPP
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
It steals certain information from the system and/or the user.
TECHNICAL DETAILS
Arrival Details
This backdoor may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Execute system command
- Open file
- Delete file
- Upload file
- Download file
- Get network information
- List directory content
- Terminate itself
Information Theft
This backdoor steals the following information:
- OS Version
- Module Version
- MAC Address
- Computer Name
- Volume Information
- User Name
NOTES:
This backdoor communicates with its C&C server at jabber-br.org, logging in with a hardcoded user account. The communication uses the XMPP protocol.
It sends the stolen information in the following format:
type="0"
id="8dcb59505a">
<body>SISTEMA DE 32 BITS
Plugin RED......: NAO
Plugin GB.......: NAO
Os..............: {OS Version}
Versao Mudulo ..: {Module Version}
Mac Aderess.....: {MAC Address}
Computador......: {Computer Name}
Volume..........: {Volume Information}
Usuario.........: {User name}
1.0.0.16
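Added detection example, not code from the write-up above: a Python parser that pulls the body out of an XMPP message stanza and flags the distinctive label set of this beacon. It assumes a standard XMPP <message> element with a <body> child; the field values in the sample stanza are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Labels exactly as in the beacon body above, including the original misspellings.
BERBOT_LABELS = ("Plugin RED", "Plugin GB", "Os", "Versao Mudulo",
                 "Mac Aderess", "Computador", "Volume", "Usuario")

# "Label.....: value" -- a label, dot padding, a colon, then the value.
_FIELD_RE = re.compile(r"^(?P<label>[A-Za-z ]+?)\s*\.*\s*:\s*(?P<value>.*)$")

def parse_berbot_body(body: str) -> dict:
    """Map each label to its value; the unlabeled first line goes under "banner"."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("label").strip()] = m.group("value").strip()
        elif "banner" not in fields:
            fields["banner"] = line
    return fields

def is_berbot_beacon(body: str, min_labels: int = 4) -> bool:
    """Alert when enough of the distinctive labels co-occur in one message body."""
    fields = parse_berbot_body(body)
    return sum(label in fields for label in BERBOT_LABELS) >= min_labels

def extract_body(stanza: str) -> str:
    """Text of the <body> child of a well-formed XMPP <message> stanza (assumed)."""
    root = ET.fromstring(stanza)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "body":  # tolerate the jabber:client namespace
            return el.text or ""
    return ""

# Constructed sample: every value below is a placeholder, not a real indicator.
SAMPLE_STANZA = (
    '<message xmlns="jabber:client" type="0" id="8dcb59505a"><body>'
    "SISTEMA DE 32 BITS\n"
    "Plugin RED......: NAO\n"
    "Plugin GB.......: NAO\n"
    "Os..............: Windows XP\n"
    "Versao Mudulo ..: 1.0.0.16\n"
    "Mac Aderess.....: 00-11-22-33-44-55\n"
    "Computador......: WORKSTATION-01\n"
    "Volume..........: C: 1234-ABCD\n"
    "Usuario.........: user01\n"
    "</body></message>"
)
```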