It’s often difficult to say what came first. This is certainly the case with the recent interactions between the Vobfus worm and Beebone Trojan families. Microsoft’s Malware Protection Center observed an infection cycle in the wild in which Vobfus variants download Beebone variants, which in turn download more Vobfus malware, which then downloads further strains of Beebone that do the same thing, presumably until someone steps in and stops it.

Both families are known to download other strains of malware from their command and control servers upon initiation. These are not the first known instances of malware that downloads other malware, but the Vobfus-Beebone infections are unusual in that they appear to create a self-perpetuating, never-ending loop of infections that are reportedly difficult to remove.

Vobfus propagates as an autorun.inf worm on removable devices and mapped network drives, but is occasionally spread via social engineering as well. It copies itself to the %userprofile% folder under alluring names such as passwords.exe, porn.exe, secret.exe, sexy.exe, subst.exe, and video.exe before creating a registry Run key so that it executes whenever Windows starts.
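As an added defender-side example (not code from the article or from Microsoft), the routine below triages the propagation indicators described above: autorun.inf launch directives, the listed file names in %userprofile%, and Run key entries that point at them. The autorun.inf text, profile listing and Run key values are constructed sample inputs.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample autorun.inf, standing in for one captured from a removable drive.
SAMPLE_AUTORUN_INF = """[autorun]
open=video.exe
shellexecute=video.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# File names the article lists for Vobfus copies dropped into %userprofile%.
VOBFUS_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "video.exe"}

# autorun.inf keys that cause an executable to be launched.
AUTORUN_EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def _exe_name(command):
    """Return the bare, lower-cased file name of the executable in a command string."""
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    if not m:
        return ""
    return PureWindowsPath(m.group(1) or m.group(2)).name.lower()


def autorun_targets(inf_text):
    """List (in order, without duplicates) the executables an autorun.inf would launch."""
    targets = []
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in AUTORUN_EXEC_KEYS:
            exe = _exe_name(value)
            if exe and exe not in targets:
                targets.append(exe)
    return targets


def triage(inf_text, profile_files, run_values):
    """Report indicators matching the Vobfus behaviour: profile_files are names found in
    %userprofile%, run_values are the command strings stored under the Run key."""
    findings = [f"autorun.inf launches {exe}" for exe in autorun_targets(inf_text)]
    for name in profile_files:
        if name.lower() in VOBFUS_NAMES:
            findings.append(f"%userprofile% contains {name}")
    for cmd in run_values:
        exe = _exe_name(cmd)
        if exe in VOBFUS_NAMES:
            findings.append(f"Run key references {exe}")
    return findings
```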

In the instances recently observed by the MMPC, Vobfus would download Beebone strains immediately after connecting to its command and control server. Beebone would then initiate and download Vobfus in addition to other threats, which in turn would do the same.

“This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products,” Microsoft’s Hyun Choi wrote for Technet. “Vobfus and Beebone can constantly update each other with new variants. Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately.”

Almost all malware is designed to update itself. However, if you remove the malware, then it cannot update itself. This situation is different, because even if you detect and remove Vobfus, you might not catch the most recent version of Beebone (or any of the other malware it summons from its C&C), which will subsequently re-download the newest, yet-undetectable version of Vobfus.

[Image: Vobfus-Beebone infection cycle]


Comments (2)

  1. Nick

    Had it. Microsoft Security Essentials found it and removed it initially. It just waltzed past Vipre. They have since created definitions for our variant though.
