Ruftar doesn’t slow down

The first sample of this huge ISF (information stealing family) of Trojans has been received from our customers at the year of 2011. Since then multiple variants of this family have been released, but most of them have been successfully detected by our product and system infection has been prevented.

It has been three years already and we still receive reports about new variants of the same family, which compromise Windows OS. So, at this moment, this family of very dangerous Trojans and is still very much active. On top of all this: some variants of this Trojan family are very different  from others, the functionality of new variants not only updated with new additions, but smoothly changed. Moreover, infections have been distributed globally. But, the main purpose of all samples has not changed. The Trojans steal and post to remote server any sensitive information (basically any information) from infected system. Usually this information will be: User credentials from almost all spectrum of internet browsers, from various Windows applications (ftp programs, emails) and from the OS itself are getting stolen.

The main problem and the reason why we call this infection dangerous is that many variants of Win32/Ruftar attempts to download and install other Malware on affected system and modify system files drastically, so upon removing infection the system will be seriously damaged. This makes system cure very complicated and in some cases impossible.

Except stealing, various malicious techniques are used by variants of Win32/Ruftar family:

  • Keylogging
  • Backdoor activities
  • Downloading other malware
  • Stopping and sometimes damaging computers security programs (anti-virus, firewall etc)
  • Blocking computer security related sites
  • Redirecting various internet sites to malicious sites
  • Configuring settings on any browsers and Windows applications
  • Display pop app messages on screen
  • Unexpected stoppage of applications

How does Ruftar Trojans distribute?

In addition to “usual” Trojan distribution by malicious emails and sites, Ruftar may be part of harmless applications downloaded from the internet. It could be packaged with on-line games installations. It is a good time to remind user not to download applications from untrusted sites, nor clicking unsafe links.

Also, the obvious recommendation will be to pay attention to all activities on your system. For example: unexpected popup messages, system hang-ups,  system slowdown, computer security tools activities (may be suspicious, like absence of updates and deactivation), other applications slowdown and unexpected behavior, system scanning without any expectation and permission.

Once executed this Trojan creates a folder with various names, in this case it was “sabotage”

Two files will be created in this folder – these are encrypted log files that contain all ‘stolen’ information from the system:

Filenames: “11-11-2013” is current date and “06-50-53” is current time, other four characters are random.

After sending these reports out the Trojan usually deletes these reports and itself, moving itself to another folder and modifying registry key in order to run each time Windows restarts.

In most cases the system will become very slow until crashes.