For a long time, if you visited a Chinese antivirus forum you would see people crying that they were infected with Graybird. There are two popular topics in Chinese forums that represent the two sides of the coin: guides to deploy Graybird on the one hand, and tips to get rid of it on the other.
So what is Graybird and how did it get started? Graybird was first created in 2001. Initially it was for research purposes and was open source. From early 2003 the author set up Gray Pigeon Studio, which developed and sold Graybird. The studio stated that Graybird is a remote administration tool and sold it for 100 Chinese Yuan a year. Functions of this so-called remote administration tool include:
• Capture screenshots
• Turn on a Webcam
• Log keystrokes
• Steal passwords
• Access all files on the victim's machine
Unlike other remote administration tools, it apparently tries to run without the user's knowledge; it does not display an icon or output any messages while running. It can be configured so that it is injected into other running processes and so that it masquerades as the icon of other applications. It even uses rootkit technology to hide its presence. All these features make it a perfect back door candidate. As it can disguise itself and is easy to use, even a person with little network knowledge can create a back door and take control of other people's computers (see the previous blog entry "30 Second Backdoor" for more details). Graybird has become a big threat to Internet users. Most AV vendors treat it as a Trojan horse; Symantec named it Backdoor.Graybird.
Graybird has been ranked in the top 10 viruses in China for over 3 years. When the studio released the latest version in February 2007, it aroused widespread anger amongst Chinese Internet users. The studio made an announcement on the 21st of March that they are disappointed that their product is being misused and decided to terminate development of Gray Pigeon, which is good news. However, it is hard to say whether the threat will disappear any time soon. There is still a lot of source code and many construction kits available in the wild, and hence we are still seeing new variants of Backdoor.Graybird. The studio provided an "uninstaller" on their homepage at the same time they made the announcement to discontinue development, but our testing discovered that the ability of this uninstaller to remove Graybird is very limited. So Symantec advises that users do not click on links or execute files unless they are from trusted sources, and that they update their antivirus products with the latest available definitions from Symantec.