UPDATED 09:55 EST / JULY 02 2013

NEWS

Double Trouble: Malware ‘Tag Team’ Creates Unending Malicious Infection Loop

Security experts from Microsoft have stumbled across an interesting phenomenon – two unique malware programs that ‘collaborate’ with each other in an effort to outfox antivirus software by automatically downloading the other virus should it be removed from the host computer.

The existence of the deadly duo was revealed by Microsoft’s Hyun Choi in a blog post earlier this week. Writing on Technet, he explained how the two malicious programs belong to a family of ‘worms’ known as Win32/Vobfus. One of the two malwares, which was first identified in 2009, goes by the name of “Vobfus”, and plays the role of a ‘downloader’, essentially a program whose sole reason for being is to download other pieces of malicious code.

As soon as Vobfus manages to infect a computer, it automatically downloads a second virus called “Beebone” from a remote command-and-control server. Beebone is also a downloader, and serves to install various other nasty viruses and malwares onto computers. These kinds of malicious programs are nothing new in themselves, but what’s unique about them is that upon installation they both immediately download updates of the other, as a method of evading deletion by antivirus software. The idea being, that if one is detected, its partner in crime will quickly download an updated version of the deleted virus onto the machine again, creating a ‘vicious cycle’ that makes it very difficult for the user to clean his or her computer.

Choi writes:

“This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants. Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately. A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.

The following diagram illustrates how the two malwares work in concert with each other:

This development is worrying, because while most malware will update itself regularly in a bid to stay ahead of antivirus programs, more often than not it gets caught before it can do so – and once deleted, there’s no way to update itself on the machine again. But with Vobfus and Beebone acting as a team, it makes it twice as hard for antivirus providers as they need to familiar with the up-to-date versions of both viruses in order to remove them effectively.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU