Symbiotic malware families work together to avoid anti-virus detection

Microsoft researcher Hyun Choi has noted a resurgence of the Vobfus worm family lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability, he said, although it has moved on to using more current vulnerabilities now.

Vobfus is a family of worms that spreads via removable drives and network mapped drives. “The name Vobfus comes from the characteristics that these worms are Visual Basic and obfuscated,” he said. “Vobfus is a Visual Basic malware compiled either in p-code (pseudo code) or native code. The obfuscation of the malicious payload of Vobfus started with simple string manipulation, and it has evolved to a more complex string decoding.”

It has a close relationship with Beebone, a family of Visual Basic-compiled trojan downloaders that is known to download threats from a range of families, including Vobfus, Zbot, Sirefef, Fareit, Nedsym and Cutwail. In turn, once executed, Vobfus contacts a command-and-control server to obtain encrypted instructions on where to download Beebone to other networked machines.

“Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you'll often see the other,” Choi said.

That cyclical relationship is the reason why Vobfus may seem so resilient to anti-virus products, he added. “Vobfus and Beebone can constantly update each other with new variants,” he explained. “Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately. A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.”

In a network environment with mapped network drives, or where data is shared via removable drives, Vobfus can spread by copying itself and an autorun.inf file to the infected drive.

“Furthermore, because of all the companion malware families that are downloaded by Beebone, the cumulative side-effects of all the malware families are present in infected machines,” Choi concluded.

Users should, as always, use caution when clicking external links, and keep their browser and all other installed software up to date to help prevent software exploits. Another possible method of prevention is disabling autorun functionality.
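The two defensive checks that follow from the article's spreading mechanism (a worm dropping itself plus an autorun.inf on a drive) and its mitigation advice (disabling autorun) can be scripted. The block below is an added example written for this page; it is not code from the article, from Microsoft or from any analysis of Vobfus. It parses an autorun.inf and flags entries that would launch a program from the drive, and it interprets the Windows `NoDriveTypeAutoRun` policy value (stored under `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`) to report which drive types still have AutoRun enabled. The autorun.inf samples are constructed for illustration, not captured from real infections.

```python
"""Defensive checks for autorun.inf-based spreading (added example, not from the article)."""
import configparser

# [autorun] keys that cause a program to be launched when the drive is opened or inserted.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions a launch entry should never point at on a removable or mapped drive.
SUSPICIOUS_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".wsf")

# Bit layout of the NoDriveTypeAutoRun REG_DWORD: bit n disables AutoRun for drive
# type n as returned by GetDriveType (DRIVE_REMOVABLE = 2 -> 0x04, DRIVE_REMOTE = 4 -> 0x10).
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}
ALL_DRIVES = 0xFF  # the commonly recommended hardening value: AutoRun off everywhere


def parse_autorun(text: str) -> dict:
    """Return lowercase key -> value pairs from the [autorun] section (any letter case)."""
    # Lenient parsing: real-world autorun.inf files have duplicate keys, odd spacing
    # and sometimes keys without values, and % must not be treated as interpolation.
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def autorun_findings(text: str) -> list:
    """Flag entries that launch an executable from the drive; returns (key, target) pairs."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        # First token is the program; strip quotes so "RECYCLER\x.exe" matches.
        target = value.split()[0].strip('"').lower()
        if target.endswith(SUSPICIOUS_EXT):
            findings.append((key, target))
    return findings


def autorun_disabled_for(policy_value: int, drive_type: str) -> bool:
    """True if the policy DWORD disables AutoRun for the named drive type."""
    return bool(policy_value & DRIVE_TYPE_BITS[drive_type])


def autorun_policy_gaps(policy_value) -> list:
    """Drive types for which AutoRun is still enabled under this policy value.

    None models an absent registry value; it is treated conservatively as "nothing
    disabled" because the built-in default varies by Windows version.
    """
    value = 0 if policy_value is None else policy_value
    return [name for name in DRIVE_TYPE_BITS if not autorun_disabled_for(value, name)]


# Constructed sample in the style of removable-drive worms (hidden executable in RECYCLER).
SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed sample, not a real capture
open=RECYCLER\x.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\x.exe
shell\explore\command=RECYCLER\x.exe
action=Open folder to view files
"""

# Constructed benign sample: a vendor disc that only sets an icon and label.
BENIGN_AUTORUN_INF = r"""[AutoRun]
icon=setup.ico
label=Vendor Disc
"""

if __name__ == "__main__":
    for key, target in autorun_findings(SAMPLE_AUTORUN_INF):
        print(f"launch entry {key!r} points at {target!r}")
    print("benign sample findings:", autorun_findings(BENIGN_AUTORUN_INF))
    print("AutoRun still enabled for:", autorun_policy_gaps(0x91))
    print("AutoRun still enabled for:", autorun_policy_gaps(ALL_DRIVES))
```

On a live machine, the policy value would be read with `winreg` from both the HKLM and HKCU `Policies\Explorer` keys and fed to `autorun_policy_gaps`; a non-empty result for `removable` or `remote` means the drive types the article names as the spreading path are still auto-launching.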
