Win32/Cycbot (Gbot) Quickly Becomes Prevalent, Microsoft


Microsoft warns us about a new bot called Win32/Cycbot, also known as "Gbot".

All of Cycbot's communications are done using HTTP, including the retrieval of backdoor commands. Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser's proxy settings to point to this port on the local host. It can do this for IE, Firefox and Opera.
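A defender-side check for the behaviour described above, added here as an example (not code from Microsoft's write-up): it parses the IE ProxyServer registry value and Firefox's manual-proxy entries in prefs.js from constructed samples and flags any browser proxy that points back at the local host. The registry value name and pref names are the browsers' standard settings locations and are not taken from the page; only the port 54141 comes from the page.

```python
import re
from ipaddress import ip_address

# Constructed sample of the IE "ProxyServer" value under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
IE_PROXY_SERVER = "http=127.0.0.1:54141;https=127.0.0.1:54141"

# Constructed excerpt of a Firefox prefs.js with a manual proxy configured.
FIREFOX_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 54141);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 54141);
'''

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+))\);')


def parse_ie_proxy(value):
    """Return {scheme: (host, port)} from an IE ProxyServer string.
    A bare "host:port" entry applies to all protocols ("all")."""
    result = {}
    for entry in filter(None, value.split(";")):
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.rpartition(":")
        result[scheme or "all"] = (host, int(port))
    return result


def parse_firefox_proxy(prefs_text):
    """Return {scheme: (host, port)} for http/ssl when a manual proxy is set."""
    prefs = {}
    for m in _PREF_RE.finditer(prefs_text):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        return {}
    result = {}
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and port:
            result[scheme] = (host, port)
    return result


def loopback_proxies(proxies):
    """Entries whose proxy host is this machine: the pattern Cycbot leaves behind."""
    def is_local(host):
        try:
            return ip_address(host).is_loopback
        except ValueError:
            return host.lower() == "localhost"
    return {s: hp for s, hp in proxies.items() if is_local(hp[0])}
```

A hit on a corporate machine is not proof by itself; compare the flagged port against what is actually listening on the host and which process owns it.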

[Image: Cycbot HTTP proxy]

By acting as a proxy, Cycbot can intercept all HTTP traffic to and from the browser, which enables it to direct your browser wherever it wants. At best, this'll lead to an advertisement unrelated to what you were searching for; however, often it leads to more malware. Right now, several of the "search" results that Cycbot loads attempt to install malware, including one page that looks quite familiar.

[Image: Cycbot malware]

Cycbot is a type of "intermediate" malware -- a means to an end, in many ways reminiscent of Win32/Renos. Controlling the browser can provide its creators with diverse ways of exploiting an affected user, while causing the user various kinds of pain.


[Source]