In November of 2012, ESG security researchers received news of a dangerous backdoor Trojan that seems to be connected to the infamous Gh0st remote access Trojan. It is clear that Backdoor.ADDNEW is based on DaRK, a malware infection created in the Russian Federation and used to carry out DDoS (Distributed Denial of Service) attacks. However, Backdoor.ADDNEW appears to have several connections with Gh0st that have caught the attention of PC security researchers.
Backdoor.ADDNEW's Connection with the Gh0st Remote Access Trojan and Gh0stNet
Gh0st is a remote access Trojan that is associated with a large malware network known as Gh0stNet that uses servers located in China. Most computers that become a part of this vast network of infected computers become infected from spam email attachments that are Trojans capable of downloading and installing the Gh0st remote access Trojan on the victim's computer. Typically, a social engineering attack allows criminals to install a rootkit and a backdoor Trojan on the victim's computer which is then used to install the remote access component. These malware attacks have long been believed to have some association with the Chinese government due to their use in attacks against the Dalai Lama and organizations that support the Free Tibet movement. The main reason why PC security researchers have been surprised by Backdoor.ADDNEW is that Backdoor.ADDNEW tends to coexist with the Gh0st remote access Trojan on infected computers. It even uses the same command and control IP address as variants of Gh0st to connect to a command and control server located in France.
The main functions associated with the Backdoor.ADDNEW Trojan include stealing passwords stored by Firefox, using the infected computer to carry out DDoS attacks in combination with other infected computers, and the typical functions of the most common remote access Trojans. Computers infected with Backdoor.ADDNEW will often become infected with Gh0st within a few days of the Backdoor.ADDNEW infection, indicating that these two malware infections complement each other and work together in some way. However, PC security researchers still need to examine the code for Backdoor.ADDNEW, DaRK and Gh0st carefully, a task that is not easy considering how heavily obfuscated these kinds of malware infections tend to be. One measure to protect yourself from a Backdoor.ADDNEW infection is to use a strong anti-spam filter to prevent phishing emails containing this malware threat from finding their way to your email inbox.
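Two observations above are useful to a defender: the two families share a command and control IP address, and a Gh0st detection tends to follow a Backdoor.ADDNEW detection within a few days. The script below is an added example (not from the original write-up or from ESG) that turns both into simple correlation checks over endpoint alerts and network flow records; the host names, dates, the seven-day window and the C2 address (a TEST-NET placeholder, not a real indicator) are all constructed.

```python
from datetime import datetime

# Constructed sample alerts: (host, detection date, malware family).
ALERTS = [
    ("ws-07", "2012-11-02", "Backdoor.ADDNEW"),
    ("ws-07", "2012-11-05", "Gh0st"),            # follows ADDNEW by 3 days
    ("ws-12", "2012-11-01", "Backdoor.ADDNEW"),  # ADDNEW only so far
    ("ws-19", "2012-10-01", "Gh0st"),
    ("ws-19", "2012-11-20", "Backdoor.ADDNEW"),  # 50 days apart, outside window
]

# Constructed network flows: (host, destination IP).
FLOWS = [
    ("ws-07", "203.0.113.10"),
    ("ws-12", "203.0.113.10"),
    ("ws-19", "198.51.100.5"),
]

# Placeholder C2 address (TEST-NET-3); the page names no IP, so this is made up.
GHOST_C2 = {"203.0.113.10"}


def coinfected_hosts(alerts, window_days=7):
    """Return {host: gap_in_days} for hosts where Backdoor.ADDNEW and Gh0st
    were both detected within window_days of each other."""
    by_host = {}
    for host, when, family in alerts:
        dates = by_host.setdefault(host, {}).setdefault(family, [])
        dates.append(datetime.fromisoformat(when))
    result = {}
    for host, fams in by_host.items():
        addnew, ghost = fams.get("Backdoor.ADDNEW"), fams.get("Gh0st")
        if not addnew or not ghost:
            continue
        gap = min(abs((a - g).days) for a in addnew for g in ghost)
        if gap <= window_days:
            result[host] = gap
    return result


def hosts_contacting_c2(flows, c2_ips):
    """Hosts seen talking to a known C2 address; because ADDNEW reuses Gh0st's
    C2 IP, a Gh0st indicator match should trigger an ADDNEW review as well."""
    return sorted({host for host, dst in flows if dst in c2_ips})


def hosts_to_review(alerts, flows, c2_ips, window_days=7):
    """Union of both signals: the triage list for incident response."""
    flagged = set(coinfected_hosts(alerts, window_days)) | set(hosts_contacting_c2(flows, c2_ips))
    return sorted(flagged)
```

A host that appears in the C2 list with only one family detected (ws-12 here) is the case the write-up warns about: the second infection is likely still to come, so it should be contained rather than just cleaned of the one detection.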