
Backdoor.Pirpi

Posted: November 5, 2010

Pirpi is a Remote Access Trojan (RAT) that has been prevalent for several years but recently has been the focus of a new e-mail campaign distributing updated variants of its software. Internet Explorer users are particularly vulnerable to the attacks that install Pirpi, which allows third parties to gain extensive access to a computer, leading to the possible loss of information or the installation of other threats. Since Pirpi's symptoms may be minimal, malware experts recommend anti-malware tools for detecting or removing Pirpi, along with the standard browser precautions that can hinder its installation exploits.

When April Showers Include a Rain of Trojans

Pirpi is a modestly successful collection of multiple-component backdoor Trojans, updated throughout the years to improve its attack functions or hinder its deletion. While some may think of Pirpi as 'old news,' Pirpi achieved fresh news headlines with an April 2014 campaign using targeted e-mail attacks. These e-mail messages were designed to redirect high-value corporate targets to a corrupted website that exploited the CVE-2014-1776 vulnerability to install Pirpi. Notably, only Internet Explorer was affected by this attack, which used an exploit that, until recently, was a 'zero-day' vulnerability – a vulnerability without a security patch to remove it.

Some IE users might have taken the advice of malware experts and disabled risky browser settings, including Flash functionality and vector markup language support. Doing so may prevent this format of attack, although no defense can be considered a perfect one against all similar threat-installing exploits. PC users who did not do so were infected with Pirpi, a backdoor Trojan with broad functions that may include:

  • Downloading files to your PC and launching them, including files that could install other threats.
  • Uploading files from your PC, such as ones containing information.
  • Redirecting your PC's network traffic.
  • Issuing command-line commands to your PC. These commands may be used to gather information or force the PC to perform self-destructive actions.

Based on its previous attacks, malware experts have linked Pirpi to attempts to collect information such as account passwords. To this end, Pirpi may install specialized spyware, including keyloggers, screen grabbers or tools that scan for passwords in desirable locations.

Keeping Your Browser from Exploring Its Way to a Trojan Attack

While Internet Explorer does not have a stellar reputation for security, those who do prefer it should stay abreast of critical updates, and should install the recently-released patch to remove the Pirpi campaign's exploit ASAP. Casual PC users have yet to be targeted by this campaign, which was launched at specific, potentially profitable entities. However, this attack is theoretically applicable to any Windows PC using IE 6 through 11, and Pirpi's attacks do not necessarily result in any visible display of symptoms.

The organization responsible for this recent spate of Pirpi distribution also is known for recurring threat campaigns against other government and corporate organizations. Although these entities would do well to consider their security with an especially critical eye (and prevent employees from opening blatantly compromised e-mail messages), casual PC users also are threatened by Pirpi's backdoor functions. Malware researchers recommend that PC users who manage to remove Pirpi from an infected PC with the proper anti-malware tools take into consideration all appropriate cleanup procedures, including changing any passwords that might have been stolen.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: %System%\msnetacsvc.dll
File type: Dynamic link library
Mime Type: unknown/dll

File name: %System%\mswncwsrvt.dll
File type: Dynamic link library
Mime Type: unknown/dll

File name: %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.exe
File type: Executable File
Mime Type: unknown/exe
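As an added example (not part of the original entry), the following Python script surveys a host for the three file indicators listed above. Note that `%System%` is this site's placeholder for the System32 directory and not a real Windows environment variable, so `os.path.expandvars` would leave it unresolved; the script expands both placeholders itself. The function names and the injectable `env`/`exists` parameters are assumptions made for offline testing.

```python
import os

# Indicator paths copied from the page's "File System Modifications" list.
# The second element (file type) is taken from the same list.
PIRPI_FILE_INDICATORS = [
    (r"%System%\msnetacsvc.dll", "Dynamic link library"),
    (r"%System%\mswncwsrvt.dll", "Dynamic link library"),
    # The legitimate ctfmon.exe lives in System32; a copy in the
    # All Users Startup folder is the persistence artifact listed above.
    (r"%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.exe",
     "Executable File"),
]


def expand_indicator(path, env=None):
    """Resolve the page's %System% and %SystemDrive% placeholders.

    %SystemDrive% is a real Windows variable; %System% is the site's
    shorthand for %SystemRoot%\\System32, so it is expanded by hand.
    """
    env = os.environ if env is None else env
    system_drive = env.get("SystemDrive", "C:")
    system_root = env.get("SystemRoot", system_drive + r"\Windows")
    system_dir = system_root + r"\System32"
    return path.replace("%System%", system_dir).replace("%SystemDrive%", system_drive)


def check_indicators(indicators=PIRPI_FILE_INDICATORS, env=None, exists=os.path.exists):
    """Return [(expanded_path, file_type)] for every indicator present on the host.

    `env` and `exists` default to the real environment and filesystem but can
    be replaced for testing; an empty list means none of the listed files exist.
    """
    hits = []
    for raw_path, file_type in indicators:
        full_path = expand_indicator(raw_path, env)
        if exists(full_path):
            hits.append((full_path, file_type))
    return hits


if __name__ == "__main__":
    for path, file_type in check_indicators():
        print(f"INDICATOR PRESENT: {path} ({file_type})")
```

Absence of these files does not clear a host, since later Pirpi variants may use different names; treat a hit as a trigger for full anti-malware scanning and the cleanup steps described above.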
