Malware Pair Work in Tandem to Evade Removal

July 01, 2013

Posted in: Network Security Trends

Microsoft has identified two separate forms of malware that work together on an infected computer to make it far more difficult to remove them.

In a Microsoft Malware Protection Center blog post, Redmond anti-virus researcher Hyun Choi named the two families as Vobfus and Beebone.

What makes them particularly troublesome is that each downloads updated versions of the other onto an infected computer: if Vobfus is removed, Beebone will replace it with the latest version, and vice versa.

Hyun Choi described Vobfus, first discovered in September 2009, as a family of worms that spread via removable drives. “Vobfus is downloaded by other malware; currently it’s being downloaded by Beebone downloaders,” he said. “Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you’ll often see the other.”

He said the cyclical relationship between Beebone and Vobfus downloading each other was the reason Vobfus could appear extremely resilient to anti-virus products.

“Vobfus and Beebone can constantly update each other with new variants,” Hyun Choi said. “Updated anti-virus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately. A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.”

He said Vobfus copied itself to the “user profile” folder and created a Run registry key to ensure it ran every time Windows started. “Finally, Vobfus contacts a command and control server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats.”
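The persistence mechanism described above, an executable dropped into the user profile folder and started through a Run key, is something an administrator can review for. The script below is an added example, not code from the article or from Microsoft: it takes Run-key entries (here a constructed sample standing in for what `reg query` or Python's `winreg` would return from the HKCU and HKLM `...\CurrentVersion\Run` keys) and flags those whose executable lives inside a user profile. The entry names and paths in the sample are constructed and are not Vobfus indicators; legitimate per-user software also autostarts from the profile, so the flagged list is a triage queue, not a verdict.

```python
"""Flag Windows Run-key autostart entries whose target lives in a user profile.

Added example (not from the article): Vobfus is described as copying itself to
the user profile folder and registering a Run key.  Listing Run-key entries that
launch a binary from inside a user's profile directory is one way to surface
that kind of persistence for review.
"""
import re

# Real autostart locations; on a live host read these with winreg or `reg query`.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample data standing in for the values read from RUN_KEYS.
# None of these names or paths come from the article; they are illustrative.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "update": r"C:\Users\alice\update.exe",          # constructed: bare binary in profile root
    "svc": r'"%USERPROFILE%\svc.exe" -q',            # constructed: env-var form of the profile
}

# Path prefixes that denote a user profile: the %USERPROFILE% variable, the
# Vista+ layout (C:\Users\<name>), and the XP-era layout (Documents and Settings).
PROFILE_PATTERNS = (
    re.compile(r"^%USERPROFILE%", re.IGNORECASE),
    re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.IGNORECASE),
    re.compile(r"^[A-Za-z]:\\Documents and Settings\\[^\\]+", re.IGNORECASE),
)


def extract_executable(command: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles a double-quoted path followed by arguments, and an unquoted path
    (possibly containing spaces) whose final path token ends in .exe.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    tokens = command.split()
    for i, token in enumerate(tokens):
        if token.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def in_user_profile(exe_path: str) -> bool:
    """True if the executable path starts inside a user profile directory."""
    return any(pattern.match(exe_path) for pattern in PROFILE_PATTERNS)


def flag_profile_autostarts(entries: dict) -> list:
    """Return (value name, executable) pairs for entries launched from a profile."""
    flagged = []
    for name, command in entries.items():
        exe = extract_executable(command)
        if in_user_profile(exe):
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for key in RUN_KEYS:
        print(f"# reviewing (sample data in place of) {key}")
    for name, exe in flag_profile_autostarts(SAMPLE_RUN_ENTRIES):
        print(f"REVIEW  {name:<16} {exe}")
```

The check deliberately keys on location rather than file name, because the article's point is that the binaries are replaced with new variants; a path-based review still surfaces the autostart even when the hash or name has changed. Per-user software such as a sync client will be flagged as well, so the output is for an analyst to triage.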
