Symbiotic relationship ensures malware persistence
Posted on 01.07.2013
If your antivirus solution detects the Vobfus worm and downloader on your computer, chances are good that the machine also houses the Beebone downloader, Microsoft researcher Hyun Choi warns.

Both downloaders are Visual Basic malware, and they have entered into a symbiotic relationship that ensures a newer and undetectable variant of one or the other always remains on the target computer and continues the cycle of infection.

The initial infection often starts with Vobfus, whose worm-like nature allows it to spread via removable drives and mapped network drives.

"It copies itself to these drives with a random name, or not-so-random file name such as passwords.exe, porn.exe, secret.exe, sexy.exe, subst.exe, video.exe," the researcher explains. It then does the same to the %userprofile% folder, and finally contacts a C&C server to obtain encrypted instructions on where to download Beebone.
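The copy behaviour described above gives defenders two things to triage for: the quoted file names, and executables that exist both on a drive and in the user profile folder. The following sketch is an added example, not code from Microsoft or from the original article; the function names, the top-level-only scan and the assumption that the copies are byte-identical are all illustrative choices.

```python
import hashlib
import os
from collections import defaultdict

# File names quoted in the article as the worm's "not-so-random" copies.
LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe",
              "subst.exe", "video.exe"}


def sha256_of(path):
    """Hash a file in chunks so large executables do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def top_level_exes(directory):
    """Yield .exe files directly inside `directory` (assumption: no recursion)."""
    with os.scandir(directory) as entries:
        for e in entries:
            if e.is_file(follow_symlinks=False) and e.name.lower().endswith(".exe"):
                yield e.path


def find_suspect_copies(drive_roots, profile_dir):
    """Return sorted (reason, path) findings for triage; not a malware verdict."""
    findings = set()
    dirs_by_digest = defaultdict(set)    # digest -> directories holding it
    paths_by_digest = defaultdict(list)  # digest -> file paths
    for d in list(drive_roots) + [profile_dir]:
        for p in top_level_exes(d):
            if os.path.basename(p).lower() in LURE_NAMES:
                findings.add(("lure-name", p))
            digest = sha256_of(p)
            dirs_by_digest[digest].add(d)
            paths_by_digest[digest].append(p)
    for digest, dirs in dirs_by_digest.items():
        # Identical bytes on a drive and in the profile folder: this catches
        # randomly named copies that the name list above would miss.
        if profile_dir in dirs and len(dirs) > 1:
            findings.update(("same-content-as-profile", p)
                            for p in paths_by_digest[digest])
    return sorted(findings)
```

A hash match only catches byte-identical copies, so an empty result does not clear a machine.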

Beebone - a downloader in its own right - then contacts its own C&C and downloads a slew of malware including Vobfus, Zbot, Sirefef, Cutwail, and others.

Then, once again, Vobfus does its drive infection trick and downloads a newer version (if there is one) of Beebone, and so on.

"This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products," says Choi.

"A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus."

According to Microsoft research, Vobfus maintains a very successful removable-drive infection rate in the wild.

Choi advises users to keep their AV solutions, OS, browsers and other software updated, and to be cautious when clicking on external links.





COPYRIGHT 1998-2014 BY HELP NET SECURITY.