There is a nice, simple write-up on Microsoft’s MSRT page regarding Cycbot, which was discovered in August 2010 and quickly became prevalent. This malware agent is interesting: all of Cycbot’s communications are done over HTTP, including the retrieval of commands. Its command set is limited to updating itself and downloading and running other malware. Its main purpose, however, is more subtle.
Cycbot sets itself up as an HTTP proxy on any machine it affects by listening on a TCP port such as 54141 (the number varies) and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera. By acting as a proxy, Cycbot intercepts all HTTP traffic to and from the browser and can redirect the browser wherever it wants. For example, it will take a search term you enter into your search engine and pass it to an imitation search site that directs you to anywhere that pays them money for the referral. At best, this will lead to an advertisement unrelated to your search; more often it leads to more malware… Read the article.
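A defender can check for the proxy change described above by reading the browsers' own settings. The following is an added example, not code from the Microsoft write-up: it parses the standard Internet Explorer `ProxyEnable`/`ProxyServer` values (under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`) and Firefox's `prefs.js` proxy preferences, and flags any proxy that points at the local host. That these are the settings the malware modifies is an assumption, and the sample values are constructed.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost"}
FF_PREF = re.compile(r'user_pref\("network\.proxy\.(\w+)",\s*("?)([^")]*)\2\);')

def _split(target):
    """Split 'host:port' (optionally 'scheme://host:port') into (host, port)."""
    target = re.sub(r"^\w+://", "", target.strip())
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target.lower(), None
    return host.lower(), int(port)

def parse_ie_proxy(proxy_enable, proxy_server):
    """ProxyServer is 'host:port' for all schemes or 'http=h:p;https=h:p;...'."""
    if not proxy_enable or not proxy_server:
        return {}
    out = {}
    for entry in filter(None, (e.strip() for e in proxy_server.split(";"))):
        scheme, _, target = entry.rpartition("=")  # scheme is '' for the bare form
        out[scheme.lower()] = _split(target)
    return out

def parse_firefox_proxy(prefs_js):
    """Read network.proxy.* from prefs.js; type 1 means manual proxy settings."""
    prefs = {name: value for name, _, value in FF_PREF.findall(prefs_js)}
    if prefs.get("type") != "1" or "http" not in prefs:
        return {}
    port = prefs.get("http_port", "")
    return {"http": (prefs["http"].lower(), int(port) if port.isdigit() else None)}

def loopback_proxies(browser, settings):
    """Report every scheme whose proxy host is the local machine."""
    return [f"{browser}: {scheme or 'all'} traffic proxied to {host}:{port}"
            for scheme, (host, port) in settings.items()
            if host in LOOPBACK or host.startswith("127.")]

# Constructed sample values (port 54141 is the example port from the text above).
IE_SAMPLE = (1, "http=127.0.0.1:54141")
FF_SAMPLE = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 54141);'''

if __name__ == "__main__":
    findings = (loopback_proxies("Internet Explorer", parse_ie_proxy(*IE_SAMPLE))
                + loopback_proxies("Firefox", parse_firefox_proxy(FF_SAMPLE)))
    print("\n".join(findings) or "no loopback proxy configured")
```

Legitimate tools such as debugging proxies also configure a loopback proxy, so a hit should be confirmed by identifying the process that owns the listening port.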