Sophisticated Viruses Update Each Other
July 1, 2013

Sophisticated Symbiotic Viruses Help Each Other Survive, Says Microsoft

Michael Harper for - Your Universe Online

Microsoft has finally discovered what makes a pair of PC viruses so difficult to get rid of. According to Hyon Choi of Microsoft's Malware Protection Center, the viruses known as Vobfus and Beebone work in concert with each other to not only download newer variants of one another but also avoid most antivirus software. While some software is able to find and destroy one variant of one of the viruses, the second can automatically download another version which may go undetected. Once a computer is infected with one of these sophisticated viruses, they can infiltrate mapped and removable drives as well, beginning the process once more.

Beebone and Vobfus are a type of malware known as a downloader. Once installed on a PC, they can begin reporting back to their command and control (C&C) servers and downloading other viruses. According to the Microsoft Malware Protection Center blog, Beebone has been downloading trojans like Zbot, Sirefef, Fareit, Nedsym and Cutwail in addition to Vobfus in the previous month.

Once Vobfus is installed, it acts like a worm and moves onto mapped and removable drives like USB flash drives. It also makes several copies of itself on these drives, disguising itself with various file names. Choi says the security team has seen Vobfus disguise itself with names like "porn.exe," "Passwords.exe," or even "secret.exe." Once Vobfus has spread out to other drives and disguised itself, it then begins to report to its C&C to download different and newer versions of Beebone, beginning the process all over again.

"So, to recap, where Vobfus is detected, we often find Win32/Beebone too; thus exists the cyclical relationship between Vobfus and Beebone, the two threat families that are intrinsically related," writes Choi in the Microsoft blog.

"This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants. Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately."

Choi goes on to mention that most other self-updating pieces of malware can be easily removed from a system once they are found. And once removed, they generally cannot continue to auto-update.

"In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus," Choi explained.

The constant auto-updating between these two pieces of malware made them difficult for the Microsoft team to find and eradicate. Not only do both viruses keep one another up to date, they also install an autorun file which instantly implants them into any disk or drive that they come in contact with.

To avoid getting infected with these viruses, Choi recommends being careful when clicking links on the Internet. He also recommends keeping web browsers and other software up to date. Finally, Choi recommends turning off the autorun functionality which allows the viruses to install themselves automatically on a machine.
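For defenders checking a removable or mapped drive for the autorun file and disguised copies described above, the following added example (not code from Microsoft or from this article) lists what an `autorun.inf` would launch and which executables sit in the drive root. The function names and the sample drive contents are constructed for illustration; the `open`, `shellexecute` and `shell\...\command` keys are standard `autorun.inf` entries.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program to run

def autorun_targets(text):
    """Return the commands an autorun.inf would launch, tolerating junk lines."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets

def audit_drive_root(root):
    """Report autorun.inf launch targets and executables in a drive's root."""
    report = {"autorun_targets": [], "root_executables": []}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                report["autorun_targets"] = autorun_targets(fh.read())
        elif name.lower().endswith(".exe") and os.path.isfile(path):
            report["root_executables"].append(name)
    report["root_executables"].sort()
    return report

def build_sample_drive():
    """Constructed sample: a temp directory standing in for a USB drive root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("; junk\n[AutoRun]\nopen = secret.exe\nicon=folder.ico\n"
                 "shell\\open\\command=secret.exe\n[other]\nopen=ignored.exe\n")
    for name in ("secret.exe", "Passwords.exe", "notes.txt"):
        open(os.path.join(root, name), "wb").close()  # empty placeholder files
    return root

if __name__ == "__main__":
    print(audit_drive_root(build_sample_drive()))
```

An `autorun.inf` with launch targets on a drive that should hold only documents is worth investigating, regardless of what the referenced file is called; the file names quoted in the article are examples, not reliable indicators.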