
Georbot

Posted: March 22, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 40
First Seen: March 22, 2012
OS(es) Affected: Windows

Georbot is a spyware Trojan that includes features that allow criminals to control your PC, steal files or peruse your personal information. Unusually for a Trojan, Georbot eschews the use of backdoor exploits, preferring to upload Remote Desktop Configuration files to its server so that hackers can acquire control without needing to use security exploits. Georbot is also notable for targeting Georgia-based victims: almost all reports of infection by Georbot come from the country of Georgia, with other countries, such as the United States and Germany, accounting for only a minority of infections. Although Georbot isn't a very advanced PC threat, its many features should be considered extreme violations of your computer's privacy and safety. As such, SpywareRemove.com malware analysts emphasize that Georbot should be detected and deleted by trustworthy anti-malware programs, particularly since Georbot is able to update its structure to avoid simplistic removal methods.

Georbot: a Trojan from Georgia with Loathing

Georbot is limited by primitive code obfuscation and morphing techniques that only allow Georbot a basic level of stealth and deletion-resisting measures, which competent anti-malware products should be able to bypass. However, SpywareRemove.com malware researchers have noted cause to worry over Georbot's payload, which, despite its crudity, offers an almost unparalleled level of freedom for hackers who are interested in conducting Georbot-based attacks against infected computers. So far, these capabilities have extended to the following functions, although Georbot's development is still ongoing:

  • Georbot may use your PC to launch DDoS attacks and crash websites with botnet-based traffic floods.
  • Georbot may take and upload screenshots.
  • Georbot may record videos of your PC, potentially including your webcam usage.
  • Georbot can also monitor your audio, such as microphone input or your speaker sound system.
  • Georbot can scan text documents and certificates for information to steal. Current versions of Georbot, as of March 12th 2012, have an unusual focus on the following keywords: agent, CIA, FBI, FSB, KGB, phone, ministry, number, secret, service, Russia and weapon.
  • Georbot may also analyze your local networks for files of interest.

How to Block Georbot's Spy Campaign Out of Your PC

Even though the vast majority of Georbot's victims are based in Georgia, some Georbot attacks have also occurred in other countries, with current numbers estimated at thirty percent. Like most types of Trojans that are designed to compromise your computer and steal information, Georbot doesn't show symptoms other than any warnings that your anti-malware programs may display. As such, SpywareRemove.com malware analysts suggest that you keep anti-malware software active at all times to protect yourself from potential Georbot attacks. Removing Georbot may also require several attempts or increasingly severe security strategies, since Georbot does have a limited ability to change its code and avoid removal.

Georbot may also be identified as Win32/Georbot, and as this name implies, it can only attack Windows computers. Although Georbot's Command & Control servers are based on Georgian government websites, the primitive nature of Georbot and the Georgian government's cooperation with relevant security companies lead most authorities to believe that this is a case of hackers, rather than governmental malevolence.
