

Risk Level 1: Very Low

May 24, 2011
Also Known As:
Troj/Dalbot-A [Sophos]
Systems Affected:
CVE References:
CVE-2009-3129, CVE-2011-0611
Trojan.Downbot is a Trojan that is implicated in a widely reported series of targeted attacks collectively known as "Operation Shady RAT".

These attacks were initially reported in the media on August 2nd, 2011 when McAfee published a report about an attack dubbed "Operation Shady RAT". The report described a series of attacks which had been occurring for over five years against over seventy organizations. The targets ranged from private companies to government agencies located worldwide. They speculated that these attacks were aimed at stealing highly sensitive and proprietary information belonging to these organizations and may potentially be state sponsored.

These targeted attacks typically consisted of three stages:
  • Targeted email to individuals within targeted organizations
  • Initial infection
  • Opening of a back door

Targeted emails
Target organizations are selected and then emails are crafted and sent to selected individuals within those organizations. The emails follow the typical targeted attack modus operandi: that is, they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. The attached file purports to contain the details promised in the email text, as part of a social engineering ploy. The attached files are typically Microsoft Office files such as Word documents, Excel spreadsheets, and PowerPoint presentations; PDF documents have also been used. These files are loaded with exploit code, so that when the user opens the file, the exploit code is executed, resulting in the computer becoming compromised.

When one of these attachments is opened, for example an Excel spreadsheet, a clean copy of a spreadsheet file is dropped and opened so that the user is not suspicious. The Trojan is also dropped and executed. One possible tell-tale sign of an exploit taking place is that the application may appear to hang for a short time before it resumes; the application may even crash and restart.

Once the Trojan is installed, it attempts to contact a remote site that is hard-coded into the Trojan itself. The remote sites used have been either attacker-controlled sites made to look like code tutorial web sites or hacked web sites. These sites are used to host command and control configuration files for the Trojan. At first glance, these web sites do not appear to contain anything malicious. On closer inspection of the HTML and image files, some of them are found to contain specially formatted and encoded comments in HTML files or extra bytes in image files. This is an interesting ploy used by the attackers to hide the commands, as many firewalls are configured to allow image and HTML files to pass through as HTTP traffic. Without close inspection informed by the context gained from studying the Trojan in detail, these images and HTML files look completely legitimate.

The commands are encrypted and hidden in HTML comments that are further encoded. While these commands are clearly visible to a user if they view the HTML code in a text editor, they look completely harmless, and indeed are harmless unless the file is parsed by the Trojan on a compromised computer. The commands may be one of the following:
  • Download and execute a file on the compromised computer
  • Sleep for a specified amount of time
  • Connect to a remote IP on a specified port
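As an added example (not Symantec's or the writeup's own code), here are two defender-side checks for the hiding technique described above: flagging HTML comments that look like encoded data rather than developer notes, and counting bytes appended after a PNG file's IEND chunk. Downbot's actual comment and image encoding is not given on this page, so the thresholds are assumed heuristics, and the sample HTML and PNG are constructed inline.

```python
import base64
import math
import re
import struct
import zlib

# Added example, not Symantec's tooling. The page does not give Downbot's
# comment or image encoding, so the thresholds here are assumed heuristics.
COMMENT_RE = re.compile(rb"<!--(.*?)-->", re.DOTALL)
B64_TOKEN = re.compile(rb"^[A-Za-z0-9+/=]+$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: prose sits near 4, encoded or encrypted blobs well above 5."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(bytes([b])) for b in set(data)))

def suspicious_html_comments(html: bytes, min_len: int = 40) -> list:
    """Return comments that look like encoded data rather than developer notes."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        tokens = m.group(1).split()          # whitespace-separated pieces
        compact = b"".join(tokens)
        if len(compact) < min_len:
            continue
        # Developer notes are short words; encoded blobs are long base64-looking
        # tokens (possibly line-wrapped) or high-entropy strings.
        looks_b64 = max(map(len, tokens)) >= min_len and all(B64_TOKEN.match(t) for t in tokens)
        if looks_b64 or shannon_entropy(compact) > 5.0:
            hits.append(compact)
    return hits

def png_trailing_bytes(data: bytes) -> int:
    """Count bytes appended after the IEND chunk; -1 if not a well-formed PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return -1
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # length + type + data + crc
        if ctype == b"IEND":
            return len(data) - pos if pos <= len(data) else -1
    return -1

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a page whose second comment is a 64-char base64 blob, and a
# minimal 1x1 PNG with 26 extra bytes after IEND.
SAMPLE_HTML = (b"<html><!-- page layout by web team, last updated 2011 -->\n<body>"
               b"<!-- " + base64.b64encode(bytes(range(48))) + b" --></body></html>")
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
              + b"constructed trailing bytes")
```

Run over files fetched by a proxy or web filter, a hit on either check is a cue to compare the page against a known-good copy rather than a verdict on its own.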

The final command is really useful from the attacker’s point of view, since it opens a direct connection to the specified IP address through the specified port number. When the Trojan connects to a remote computer it establishes a remote shell with the computer. This enables the attacker at the remote site to directly issue shell commands to be run on the compromised computer.

Next, the Trojan periodically checks with the remote server and allows an attacker to perform any of the following commands:
  • Retrieve a file from the remote server
  • Upload a file to the remote server
  • Retrieve a file from a remote URL and execute it
  • Send a command from the remote server
  • Send the results of the command executed above to the remote server to report the status

This small collection of commands is enough for an attacker to stage a comprehensive breach into the affected organization. Any functions not available to the attacker in the Trojan itself can be easily downloaded onto the compromised computer and executed at will. Collected data is then simply uploaded back to the remote attacker.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)
  • None

Intrusion Protection System

Antivirus Protection Dates

  • Initial Rapid Release version May 24, 2011 revision 008
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version May 24, 2011 revision 018
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date May 25, 2011
Writeup By: Éamonn Young and Eoin Ward
