8 July the first removal of BackDoor-FGT happened just after midnight. We have had 966 so far. The folders the file is found in are dated over a month ago. Once removed, they do not come back, so this has hit quite a few PCs. My guess is it can work like a worm to infect PCs and it was just a newly released .dat file that could identify the malware.
Has anyone else encountered this malware?
Are your experiences similar?
It does not seem to have activated, just been located in many PCs.
I've seen this as well. We noticed it initially about 1.5 months ago. We submitted sample to McAfee a month ago, Extra.dat was tailored for a unique hash though, every file had a different hash so Extra.dat was useless. The introducation of BackDoor-FGT appears to have cleaned them all.
It appears to be what Symantec and others dub Trojan.Gatak (link), however only limited information on this appears to have made its way online. First instance, the variant that we saw uses tcp/443 for C&C. The infected files are googletalk.exe, Skype.exe, and AdVantage.exe all located in %UserProfile%\Application Data\%Foldername%. Startup registry keys similar to those in the Symantec article were created for each. C&C IPs are 220.127.116.11, 18.104.22.168, and one additional that I don't have documented. All C&C traffic is clear text over tcp/443. All C&C servers appear to be compromised web servers.
Any additional information McAfee would be helpful.Message was edited by: sports_is on 7/13/12 1:35:59 PM CDT
On about 7/3/2012, I submitted about 8 files, variously named skype.exe, googletalk.exe, and advantage.exe that I had found on our corporate network. I also found and submitted several of the actual droppers for the malware named now, Backdoor-FGT.
The C&C traffic may appear to be clear text, but it is encoded. When this malware originally installs, it makes a copy of the dropper and puts it into an encrypted file with no extension located in the c:\documents and settings\user\application data\microsoft directory in a random named folder ranging from about 3 to 6 characters in length. The file located in there is the encoded dropper, and is encoded with the same key as the C2 traffic.
I am still revering the code and the traffic, but it was definitely performing Man-in-the-Browser (MITB) attacks on my users attempts to log into their personal banking websites here in the USA.
I'm glad that this submission helped other companies as well.