Microsoft's release of its Malicious Software Removal Tool (MSRT) this August will include the Win32/Bafruz family, a backdoor Trojan that creates a peer-to-peer network of infected computers.
Bafruz's arsenal includes the ability to disable security and antivirus products, hijack social media accounts, launch distributed denial-of-service (DDoS) attacks, mine Bitcoin, and download malware, according to a blog post on the Microsoft Malware Protection Center.
When Bafruz targets security and antivirus products, alerts will appear in the system tray, posing as notifications from a user's actual security provider. These alerts tell users that a virus has been detected and recommend a reboot. Rebooting the computer allows Bafruz to remove components of the antivirus product from the system, fully disabling the product. Even if users choose not to reboot their system, Bafruz will eventually force a reboot.
Once the reboot is complete, an alert mimicking the security product Bafruz just disabled appears, saying the computer has entered "enhanced protection mode." According to Microsoft, Bafruz is currently able to download additional components and malware onto the computer through the peer-to-peer network running in the background.
System changes that could indicate the presence of Bafruz include the appearance of the files btc_server.exe, client_8.exe and ddhttp.exe, according to Microsoft's encyclopedia entry on Win32/Bafruz. The antivirus products it targets include McAfee Antivirus, Microsoft Defender, Norton Antivirus, and several versions of ESET and Kaspersky. Targeted social media sites include Facebook and VKontakte.
Microsoft recommends that users take several steps to guard their systems against a potential Bafruz threat. Prevention tips include keeping computer and antivirus software up to date, using strong passwords, and being cautious when opening attachments and visiting webpages.