ESET Uncovers Win32/Georbot - Information Stealing Trojan and Botnet Spreading in Georgia

Pierre-Marc Bureau
Pierre-Marc Bureau
  • Pierre-Marc Bureau
    Pierre-Marc Bureau
    Pierre-Marc Bureau
    Pierre-Marc Bureau
  • Righard Zwienenberg
    Righard Zwienenberg
    Righard Zwienenberg
    Righard Zwienenberg

SAN DIEGO, CA--March 21, 2012 – ESET today revealed its analysis of Win32/Georbot, an information stealing trojan and botnet spreading in the country of Georgia.  Earlier this year ESET’s global research team uncovered Win32/Georbot, a botnet that has some very interesting communication features. Amongst other activities, it tries to steal documents and certificates, is capable of creating audio and video recordings, and can browse a local network for information. 

Interestingly, it uses a Georgian governmental website to update its command and control a(C&C) information and thus ESET researchers believe that Win32/Georbot is targeting computer users in Georgia. Another unusual characteristic of the malicious program is that it looks for “Remote Desktop Configuration Files” and thereby enables attackers stealing these files to upload them to remote machines without exploiting any vulnerability. What is more worrying is that the development of this malware is ongoing; ESET found fresh variants in the wild as recently as March 20, 2012. 

“This does not automatically mean that the Georgian government is involved. Quite often people are not aware their systems are compromised,” said Pierre-Marc Bureau, ESET security intelligence program manager. “It should be also noted that the Data Exchange Agency of the Ministry of Justice of Georgia and its national CERT were fully aware of the situation as early as 2011 and, parallel to their own – still ongoing – monitoring, have cooperated with ESET on this matter. Of all the infected hosts, 70 percent were located in Georgia followed by the United States, Germany and Russia.” 

ESET’s researchers were also able to get access to the bot’s control panel yielding clear details about the number of affected machines, their location and possible commands. The most interesting information found on the control panel was a list with all the keywords that were targeted in documents on infected systems. Among the English-language words were: ministry, service, secret, agent, USA, Russia, FBI, CIA, weapon, FSB, KGB, phone and number. 

“The functionality to record video via the webcam, take screenshots, and launch DDoS attacks was used a couple of times,” said Bureau. “The fact that it uses a Georgian website to update its C&C information, and that it probably used the same website to spread, suggests that people in Georgia might be a primary target.” 

On the other hand, the level of sophistication for this threat is low. ESET researchers think that if this operation were sponsored by a state, it would be more professional and stealthy. The most likely hypothesis is that Win32/Georbot was created by a group of cyber criminals trying to find sensitive information in order to sell it to other organizations. 

“Cybercrime is becoming more professional and targeted with the larger players entering the field. Win32/Stuxnet and Win32/Duqu are examples of high tech cybercrime and served a specific purpose, but also the less sophisticated Win32/Georbot still has new unique features and methods to get to the core of what the creators are after,” said Righard Zwienenberg, senior research fellow at ESET. “With Win32/Georbot there is lots of specific information and access to systems - hence the search for Remote Desktop Configuration Files.” 

ESET’s full research findings on the Win32/Georbot can be found on the ESET Threat Blog at: http://blog.eset.com/2012/03/21/win32georbot-information-stealing-trojan-botnet-from-georgia-with-love

 About ESET

ESET is on the forefront of security innovation, delivering trusted protection to make the Internet safer for businesses and consumers. IDC has recognized ESET as a top five corporate anti-malware vendor and one of the fastest growing companies in its category. Trusted by millions of users worldwide, ESET is one of the most recommended security solutions in the world. ESET NOD32 Antivirus consistently achieves the highest accolades in all types of comparative testing, and powers the virus and spyware detection in ESET Smart Security and ESET Cybersecurity for Mac. Sold in more than 180 countries, ESET’s global headquarters is in Bratislava, Slovakia, with distribution headquarters for North America located in San Diego, California. ESET also has offices in Buenos Aires, Prague, Krakow and Singapore and is represented by an extensive global partner network. For more information, visit http://www.eset.com/us or call +1 (619) 876-5400.