Backdoor Buterat, a multipurpose trojan

The backdoor trojans of the Buterat family (Butirat, according to the security vendor Dr.Web) appeared on the scene two years ago and have been improved by their creators with each version. The latest version adds new features, such as modifying the data in the PE header (the first bytes of the executable file) in order to change the file's hash. This renders identification based on file hashes unusable, or better said ineffective, while antivirus detection based on file signatures is evaded by packing the malware with a modified version of UPX. In addition, the malware gained the capability to intercept the traffic generated by the main browsers (Internet Explorer, Mozilla Firefox, Opera), especially requests sent to search engines such as Google, Yahoo, Bing and Yandex, and to perform malicious redirects to websites chosen by the attackers. We can also see a fraud attempt against advertising companies or banner exchange networks in its ability to generate fake banner clicks.

Of course, the Buterat trojan's mission does not end here; the usual features of a computer trojan are not missing either: more malware can be downloaded or uploaded by the attacker to the infected computer, and remote commands can be executed via the Command & Control server, leading very quickly to a totally compromised computer, which in fact means that all the online accounts of the user (aka the victim) are compromised.

The Buterat trojan makes its début on the target computer as a file with a random name which, when it is unwittingly executed by the user, drops a file named netprotocol.exe in the folder:

C:\Documents and Settings\Administrator\Application Data\netprotocol.exe

The analysis was performed on a Windows XP machine; on a Windows 7 system the corresponding folder is:

C:\Users\ Your User Name \AppData\Roaming

Once netprotocol.exe is automatically executed, another executable, netprotdrvss.exe, is dropped into the same folder, along with a System.log file. The file netprotocol.exe is also copied into:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\random_name folder

The Buterat trojan ensures its autostart by writing an entry in the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value, as you might guess:

C:\Documents and Settings\Administrator\Application Data\netprotocol.exe

In the HTTP traffic generated by the malware, connections to two domains were noticed:

 http://pentail.be

and

 http://flayin.be
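A host-based triage check for the artifacts listed above, added here as an example and not taken from the original post. It matches on file names, paths, the HKCU Run value and DNS cache entries rather than on hashes, because the post notes that this family rewrites its PE header per sample; it assumes it is run as the affected user (the Run key is per-user) and that $env:APPDATA resolves to the XP or Windows 7 roaming folder shown above.

```powershell
# Constructed defender check for Buterat persistence and beacon traces.
$findings = @()

# 1. Dropped files in the per-user roaming folder (Application Data / AppData\Roaming)
foreach ($name in 'netprotocol.exe', 'netprotdrvss.exe', 'System.log') {
    $p = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Copies of netprotocol.exe under the IE cache (Content.IE5\<random folder>).
#    XP path is from the post; the Win7 path is an assumption for newer profiles.
$cache = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Content.IE5'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5')
) | Where-Object { Test-Path -LiteralPath $_ }
foreach ($dir in $cache) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -Filter 'netprotocol.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Cached copy present: $($_.FullName)" }
}

# 3. Autostart: any HKCU Run value whose command line references netprotocol.exe
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'netprotocol\.exe') {
            $findings += "Run key value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

# 4. Beacon traces: resolver cache entries for the two domains seen in the HTTP traffic
$c2 = 'pentail.be', 'flayin.be'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2 -contains $_.Entry } |
        ForEach-Object { $findings += "DNS cache entry for C2 domain: $($_.Entry)" }
} else {
    # XP / Windows 7 without the DnsClient module: parse ipconfig text output instead
    $dns = ipconfig /displaydns 2>$null
    foreach ($d in $c2) {
        if ($dns -match [regex]::Escape($d)) { $findings += "DNS cache entry for C2 domain: $d" }
    }
}

if ($findings.Count -eq 0) { 'No Buterat artifacts found.' } else { $findings }
```

A hit on item 3 or 4 alone is worth isolating the host; a cache hit on the domains can also come from a browser redirect, so confirm with the file and Run key checks before cleaning.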

The malware modifies the security settings of Internet Explorer, drastically diminishing the safety of web surfing. The recommendations for avoiding infection with Buterat trojans are dictated by common sense:

  • Avoid downloading and executing files provided by untrusted sources
  • Keep your antivirus and your system up to date

Keep safe!
