Symantec documents an advanced and highly stealth File Infector that can setup a botnet client on an infected PC

Xpaj Botnet Intercepts up to 87 Million Searches per Year

QUOTE: W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure revealed more than just the data sent from the server to infected clients. The servers contained encrypted binary data, encryption keys, databases, and Web applications. These were all elements of what transpired to be a fraud operation spread over multiple computers hosted in several countries.