Symbiotic relationship ensures malware persistence
Posted on 01.07.2013
If your antivirus solution detects the Vobfus worm and downloader on your computer, chances are good that the machine also houses the Beebone downloader, Microsoft researcher Hyun Choi warns.

Both downloaders are Visual Basic malware, and have entered into a symbiotic relationship to ensure that a newer and undetectable variant of one or the other malware always remains on the target computer and continues the circle of infection.

The initial infection often starts with Vobfus, whose worm-like nature allows it to spread via removable drives and mapped network drives.

"It copies itself to these drives with a random name, or not-so-random file name such as passwords.exe, porn.exe, secret.exe, sexy.exe, subst.exe, video.exe," the researcher explains. It then does the same to the %userprofile% folder, and finally contacts a C&C server to obtain encrypted instructions on where to download Beebone.

Beebone - a downloader in its own right - then contacts its own C&C and downloads a slew of malware including Vobfus, Zbot, Sirefef, Cutwail, and others.

Then, once again, Vobfus does its drive infection trick and downloads a newer version (if there is one) of Beebone, and so on.
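Added example, not code from the article or from Microsoft's research: a small Python triage helper that applies two of the behaviours described above to a drive listing. It flags executables on a removable drive that carry the lure file names quoted above, and executables whose content also appears under the user profile (the self-copy). The directory names, file names and payload bytes are constructed sample data.

```python
import hashlib
import os
import tempfile
# Lure file names quoted in the article (stems, compared case-insensitively).
LURE_NAMES = {"passwords", "porn", "secret", "sexy", "subst", "video"}

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_executables(root):
    """Map SHA-256 digest -> list of .exe paths found anywhere under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                index.setdefault(sha256_of(path), []).append(path)
    return index

def triage(removable_root, profile_root):
    """Return (reason, path) findings: 'lure-name' for a drive .exe with a quoted lure
    stem; 'copy-in-profile' for a drive .exe whose content also sits under the profile."""
    findings = []
    drive, profile = index_executables(removable_root), index_executables(profile_root)
    for digest, paths in drive.items():
        for path in paths:
            stem = os.path.splitext(os.path.basename(path))[0].lower()
            if stem in LURE_NAMES:
                findings.append(("lure-name", path))
        if digest in profile:  # same bytes on the drive and in the user profile
            findings.extend(("copy-in-profile", p) for p in paths)
    return findings

def demo():
    """Build a constructed drive/profile tree (sample data, not malware) and triage it."""
    base = tempfile.mkdtemp()
    drive, profile = os.path.join(base, "E"), os.path.join(base, "profile")
    payload = b"constructed sample payload, not a real binary"
    for path, data in ((os.path.join(drive, "passwords.exe"), payload),
                       (os.path.join(profile, "AppData", "xkq2.exe"), payload),
                       (os.path.join(drive, "setup.exe"), b"benign, unrelated file")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return sorted(triage(drive, profile))
```

A hit on either reason is only a lead for a proper scan; a lure name alone is weak evidence, while matching content on the drive and in the profile is the stronger signal.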

"This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products," says Choi.

"A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus."

According to Microsoft research, Vobfus maintains a very successful removable-drive infection rate in the wild.

Choi advises users to keep their AV solutions, OS, browsers and other software updated, and to be cautious when clicking on external links.
