Warning out vs 'Frankenstein' malware
As if the present batch of malware were not bad enough, computer users may have to watch out for a new breed of malware: those of the Frankenstein variety.
Bitdefender’s MalwareCity.com said it has so far identified 40,000 such malware symbioses out of a sample pool of 10 million files.
“Now, another ‘practice’ has silently emerged: the file infector that accidentally parasites another e-threat ... If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended,” it said.
It said these “Frankenmalware” or “malware sandwiches” arise spontaneously when a virus mistakenly infects another piece of malware and uses its capabilities to spread.
Virtob-Rimecud
Bitdefender cited the case of the Win32.Worm.Rimecud and Win32.Virtob pair as a sample of worms infected by viruses.
Virtob has infected OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan.
On the other hand, Win32.Worm.Rimecud is a typical worm with a state-of-the-art spreading apparatus, using file-sharing applications (Ares P2P, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire), USB devices, Microsoft MSN Messenger (sends all contacts links to sites that host malware) and network drives mapped locally.
“Once on the system, Rimecud injects its code into explorer.exe and steals passwords pertaining to e-banking, on-line shopping, social networking or e-mail accounts from Mozilla Firefox and Internet Explorer,” Bitdefender said.
Its backdoor component enables it to connect to the C&C servers and fetch commands such as flood, download and execute further malware on the compromised PC.
The worm also looks for a VNC server (remote control software) that would allow the attacker remote access and control of the compromised PC.
But when it accidentally attaches to Virtob – which infects executable files with .exe or .scr extensions by affixing a piece of malicious code to those files – the result infects critical files in the victim computer.
“Now, imagine these two pieces of malware working together - willingly or not - from and on the same compromised system. That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds,” Bitdefender said.
Worse, if the computer has more than one worm that fits the virus's specifications, the virus could infect more than one worm on the system.
If one of the two - whether the virus or the worm - is caught by antivirus software, there is a chance the other might pass undetected.
“Perhaps if we think of an infected file (possibly the virus) that needs to be analyzed separately and a piece of code is taken out and looked at, maybe then someone discovers also the worm. If the worm is detected based on a signature, the worm is simply wiped out from the compromised system, without any further analysis. This would make it easier for the virus to pass unseen. There’s no rule,” Bitdefender said.
Scenarios
Bitdefender voiced concern about worst-case scenarios involving a worm like Downadup, which prevents the system from updating the operating system, and a virus with rootkit capabilities that can open a backdoor.
“Downadup spreads around the world constantly, which makes it a great propagation tool; not to mention that it took AVs more than half a year, and almost a million infections, to discover it. If this had carried along a virus, all those users would have suffered greater damage. And disinfection would be more complicated,” it said.
Another scenario involves a worm infected by a virus: the antivirus cleans the file but leaves it slightly altered, which may “lead to a mutation that can actually help the worm.” — TJD, GMA News