FBI Issues New Warning on Old Malware: Beta Bot
“The FBI is aware of a new type of malware known as Beta Bot,” it warns in an Internet Crime Complaint Center intelligence note. In reality Beta Bot has been operating since at least March, but it is clearly now sufficiently active to come to the FBI’s attention.
Beta Bot is used by criminals, says the intelligence note, “to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information.” It also blocks access to security websites and disables anti-virus programs.
A more detailed analysis of the bot was, however, published by Germany’s G Data back in May. It said it had found Beta Bot advertised on an underground market for sale at less than €500. G Data describes most of the features of the bot (“different DOS-attack methods, remote connection abilities, form grabbers and other information stealing capabilities”) as fairly standard, but highlights two specific features: the use of social engineering to trick the user into elevating the bot’s system privileges, and the claimed ability to disable “nearly 30 security programs”.
Different processes run with different privileges. A process with low privileges cannot alter a process with high privileges; to gain that ability it must obtain the user’s permission to raise its own privilege level (known as privilege elevation). Security products, such as anti-virus, run at the highest possible level because they operate deeply within the operating system. So, for Beta Bot to disrupt the user’s security defenses, it must similarly be running at the highest level of privilege.
The malware uses social engineering to achieve this. It usurps the Windows User Account Control (UAC) dialog box, which pops up asking the user if he will allow the ‘Windows Command Processor’ to make changes. The problem here, as Michele Daryanani demonstrated in a paper titled Desensitizing the User: A Study of the Efficacy of Warning Messages, is that users frequently click through such warnings without paying sufficient attention.
But Beta Bot has another trick for the more cautious user. Before the UAC box appears, a ‘Critical Disk Error’ warning appears, suggesting that a corrupted folder needs to be restored. The subsequent UAC box is consequently expected and likely accepted; but what it actually does is escalate Beta Bot’s privileges to the level needed to block the anti-virus programs. If it succeeds in doing that, of course, the user has an infection that is difficult to find and remove.
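One defensive check that follows from the mechanism above (an added example, not from the article or the FBI note): Windows Security event 4688 records the token elevation type of every new process, so an elevated (full-token) launch of cmd.exe, the ‘Windows Command Processor’ named in the UAC dialog, leaves a trace in the log that can be hunted for. The flattened record layout, user names and paths below are constructed for the example; the field names and the %%1936/%%1937/%%1938 values are those of the real event.

```python
import re
from typing import Dict, List

# Meaning of the "Token Elevation Type" field in Windows Security event 4688.
ELEVATION_TYPES = {
    "%%1936": "Default",  # no UAC split token (e.g. built-in Administrator, UAC off)
    "%%1937": "Full",     # elevated: user consented to a UAC prompt or was already elevated
    "%%1938": "Limited",  # filtered token of an admin user, or a standard user
}

# Constructed sample: 4688 records flattened to "Key=Value" pairs, one record per line.
# Field names mirror the real event; users and paths are made up for this example.
SAMPLE_LOG = """\
EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\explorer.exe TokenElevationType=%%1938
EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\cmd.exe TokenElevationType=%%1938
EventID=4688 SubjectUserName=alice NewProcessName=C:\\Windows\\System32\\cmd.exe TokenElevationType=%%1937
EventID=4624 SubjectUserName=alice LogonType=2
EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\\Windows\\System32\\cmd.exe TokenElevationType=%%1937
"""

# Values in this flattened form are assumed to contain no spaces.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one flattened record into a field dict."""
    return dict(FIELD_RE.findall(line))


def elevated_launches(log: str, watchlist=("cmd.exe",),
                      allowed_users=()) -> List[Dict[str, str]]:
    """Return the 4688 records in which a watched binary was started with a Full
    (elevated) token, skipping accounts that are expected to run elevated shells."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "4688":
            continue
        image = rec.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if image not in watchlist:
            continue
        if ELEVATION_TYPES.get(rec.get("TokenElevationType")) != "Full":
            continue
        if rec.get("SubjectUserName", "").lower() in allowed_users:
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in elevated_launches(SAMPLE_LOG, allowed_users=("svc_backup",)):
        print("elevated launch:", hit["NewProcessName"], "by", hit["SubjectUserName"])
```

On a workstation where ordinary users have no reason to run an elevated command prompt, each hit is worth correlating with what the user saw on screen at that moment.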
The FBI’s advice is to cleanse an infected system with a brand new anti-malware installation. “Download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware.”
[ED: It's a good idea to complete this step now, before any infection occurs, unless you have available a second computer that you are certain is not/cannot be infected. There are certain to be copycat trojans/malware based on the same social engineering methods to deactivate installed AV programs, and being prepared keeps you a step ahead!]