NEWS FROM THE LAB - Monday, March 21, 2011

Roundhouse Kick Time Posted by Mikko @ 14:40 GMT

Chuck Norris kicks ass. We all know that. Malware authors know this too.
[Image: roundhouse kick!]
In fact, we've seen multiple worms and trojans over the years that make references to Chuck Norris. Probably the best example is the Chuck Norris Router Worm from last year.

While browsing through incoming malware, we noticed this little fellow (md5 66b06adc178d17a7b42301e845eed84d): a botnet client, capable of taking over the computer and allowing full remote access to the infected system.

As usual, it requires a server to connect to. Name of the server? chucknorris.zapto.org. The bot also registers itself in the registry under hkcu\software\chuck norris. We detect it as Backdoor:W32/Spyrat.D. Here's a description.
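The two host-based indicators above (the command-and-control hostname and the persistence key) are the kind of thing a defender wants to sweep for across DNS logs and registry exports. The script below is an added example written for this post, not F-Secure's own tooling: it takes the hostname and registry key exactly as given in the post and checks them against constructed sample data. The DNS log format (`<time> <client-ip> query <name>`) and the `.reg`-style export lines are assumptions for the example; the matching is deliberately a little broader than a literal string compare (subdomains of the C&C host count, lookups are case-insensitive, and subkeys under the persistence key count).

```python
"""Added example (not from the original post): sweep constructed DNS-log lines
and a registry export for the Backdoor:W32/Spyrat.D indicators the post lists,
i.e. the C&C host chucknorris.zapto.org and the key hkcu\\software\\chuck norris.
"""
import re

# Indicators as stated in the post.
C2_HOST = "chucknorris.zapto.org"
REG_KEY = r"hkcu\software\chuck norris"

# Match the host itself or any subdomain of it, case-insensitively.
_HOST_RE = re.compile(r"(?:^|\.)" + re.escape(C2_HOST) + r"$", re.IGNORECASE)


def host_matches(hostname: str) -> bool:
    """True if hostname is the C&C host or a subdomain of it (trailing dot tolerated)."""
    return bool(_HOST_RE.search(hostname.strip().rstrip(".")))


def _normalise_reg_path(path: str) -> str:
    """Fold a .reg export key line to the short form used in the post."""
    p = path.strip().lower().replace("/", "\\")
    p = re.sub(r"^\[|\]$", "", p)          # .reg files wrap key names in [...]
    return p.replace("hkey_current_user", "hkcu")


def registry_key_matches(path: str) -> bool:
    """True for the persistence key itself or any subkey beneath it (HKCU only, as in the post)."""
    p = _normalise_reg_path(path)
    return p == REG_KEY or p.startswith(REG_KEY + "\\")


def scan_dns_log(lines):
    """Return (line_no, queried_name) for every lookup of the C&C host.
    Assumed constructed line format: '<time> <client-ip> query <name>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and host_matches(parts[3]):
            hits.append((n, parts[3]))
    return hits


def scan_reg_export(lines):
    """Return (line_no, key_line) for every key line that is the persistence key or under it."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.startswith("[") and registry_key_matches(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample data for the example (not real telemetry).
DNS_LOG = [
    "10:41:02 192.0.2.15 query www.example.com",
    "10:41:07 192.0.2.15 query chucknorris.zapto.org",
    "10:41:09 192.0.2.22 query CHUCKNORRIS.ZAPTO.ORG.",
    "10:41:11 192.0.2.22 query notchucknorris.zapto.org",   # different host, must not match
    "10:41:12 192.0.2.30 query update.chucknorris.zapto.org",
]

REG_EXPORT = [
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"Example"="C:\\\\example\\\\example.exe"',
    "[HKEY_CURRENT_USER\\Software\\Chuck Norris]",
    '"ID"="constructed-value"',
    "[HKEY_CURRENT_USER\\Software\\Chuck Norris\\Settings]",
    "[HKEY_LOCAL_MACHINE\\Software\\Chuck Norris]",       # wrong hive, must not match
]

if __name__ == "__main__":
    for n, name in scan_dns_log(DNS_LOG):
        print(f"DNS line {n}: lookup of {name}")
    for n, key in scan_reg_export(REG_EXPORT):
        print(f"REG line {n}: {key}")
```

Run against the constructed data it reports three DNS lookups (lines 2, 3 and 5) and two registry keys (lines 5 and 7); the look-alike host and the HKLM key are correctly ignored. Swapping `DNS_LOG` and `REG_EXPORT` for real resolver logs and a `reg export HKCU` dump is the only change needed to use it for a sweep.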

We looked at this a bit deeper, and it turns out to have been generated with a tool called "CyberGate". Here's what the CyberGate control panel looks like.