FBI Issues New Warning on Old Malware: Beta Bot

FBI HQ
FBI HQ

Beta Bot is used by criminals, says the intelligence note, "to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information." It also blocks access to security websites and disables anti-virus programs.

A more detailed analysis of the bot was, however, published by Germany's G Data back in May. It said it had found Beta Bot advertised on an underground market for sale at less than €500. G Data describes most of the features of the bot ("different DOS-attack methods, remote connection abilities, form grabbers and other information stealing capabilities") as fairly standard; but highlights two specific features: the use of social engineering to trick the user into elevating the bot's system privileges; and the claimed ability to disable "nearly 30 security programs).

Different processes run with different privileges. A process with low privileges must have user permission to alter a process with high privileges (known as privilege elevation). Security products, such as anti-virus, run at the highest possible level because they operate deeply within the operating system. So, for Beta Bot to disrupt the user's security defenses, it must similarly be running at the highest level of privilege.

The malware uses social engineering to achieve this. It usurps the Windows User Account Control (UAC) dialog box, which pops up asking the user if he will allow the 'Windows Command Processor' to make changes. The problem here, as Michele Daryanani demonstrated in a paper titled Desensitizing the User: A Study of the Efficacy of Warning Messages, is that users frequently click through such warnings without paying sufficient attention.

But Beta Bot has another trick for the more cautious user. Before the UAC box appears, a 'Critical Disk Error' warning appears, suggesting that a corrupted folder needs to be restored. The subsequent UAC box is consequently expected and likely accepted; but what it actually does is escalate Beta Bot's priveleges to the level needed to block the anti-virus programs. If it succeeds in doing that, of course, the user has an infection that is difficult to find and remove.

The FBI's advice is to cleanse an infected system with a brand new anti-malware installation.  "Download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware."

What’s Hot on Infosecurity Magazine?