File viruses, the outbreak goes on
As previously highlighted, traditional viruses, the ones nowadays generally called “file viruses” because they target executable programs, parasitizing them and exploiting them as a medium for their propagation, have not vanished at all, even though they are now a marginal component of the crowded zoo of beasties that makes up modern malware. A confirmation of this is that, after the Sality case, new parasitic virus families have in the past few days caught the attention of experts and security firms.
Like Sality, Virut is a polymorphic file virus that has evolved considerably over time and, after some months of quiet, is back with an even more sophisticated infection engine intended to hide the malware’s presence from the vigilant eye of antivirus engines. The new W32/Virut variants were discovered (among others) by Avira, which in recent weeks updated AntiVir so that it should now be able to identify all the several iterations of the malware.
Virut is a particularly complex virus. Besides making use of a remarkable number of encryption techniques, obfuscation of the entry point within the executable code of infected files, and anti-emulation/anti-debugger mechanisms that make analysis more difficult, the malware infects not only all the executable files it can find on the hard disk but also the HTML files of web pages viewed in the browser, injecting malicious iframes into them through which additional malware is downloaded from the net.
Virut has been targeted by Symantec too, which analyzed in particular the behaviour of the variant detected by Norton AntiVirus as W32.Virut.CF. According to Symantec, “this threat has already compromised corporate networks and is proving difficult to remove from infected networks”. The difficulty in dealing with the problem lies first of all in the complexity of the virus code, which uses two different encryption layers and tries to hinder “white box” analysis by means of unnecessary (“junk”) or illegal instructions, a CPU speed check and manipulation of the memory addresses of system APIs to detect a possible ongoing scan.
But above all, Virut.CF is difficult to remove because, besides the standard executable file formats for Windows systems, the virus also tries to parasitize files in formats it was not programmed for, so the wide variety of formats turns into a boomerang that makes disinfection a battle half lost before it starts. And as if this weren’t enough, Virut.CF is a parasite that does not hesitate to infect other malware (worms or trojans, for instance), adding a further layer of complexity to the threat and another possible propagation path for the Virut family.
The other interesting file virus case that appeared recently is Virux, a malware that shares some of Virut’s features, including the ability to infect web page files. On its own account the virus adds the fact that, once it has infected a system, it opens a communication session with an IRC server and waits for orders from its authors, as well as a complex infection scheme for executable files that includes several techniques and changes from variant to variant.
Trend Micro states that the USA is the country most affected by the infection and, even though in some respects Virut and Virux look almost like twins (multiple encryption layers; infection of html, php and asp scripts; multiple techniques to parasitize the executable code in the middle, at the end and at the entry point of the file), “TrendLabs (Trend Micro’s blog) engineers are quick to point out that VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals’ bid for malware persistence and increasing likelihood of reinfection)”.
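The web-page side of these infections (Virut’s iframe injection into HTML files, and Virux’s infection of html, php and asp scripts) is the one part a web administrator can check for without a disassembler: the injected frame has to stay invisible to the visitor, so it is typically 1x1 pixels, hidden via CSS, or simply appended after the closing </html> tag. The following is an added example, not code from the article, from any vendor or from the malware itself: a small Python scanner that flags iframes showing those hiding traits. The sample markup, the host names and the file extensions list are constructed for illustration, and the heuristics are assumptions rather than signatures for any specific variant.

```python
"""Added example (not from the article or any vendor): scan web files for
iframes that look injected, the way the Virut/Virux variants described
above are reported to parasitize html, php and asp pages.
Sample markup below is constructed; hosts are placeholders, not real IOCs."""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Extensions the article names as infected by Virux (plus .htm); assumed list.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp"}


class _IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and note whether it appeared
    after the document's closing </html> tag, a typical spot for appended
    injections. PHP (<?php ... ?>) and ASP (<% ... %>) blocks pass through
    as processing instructions or plain text and are ignored."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.iframes = []          # list of (attrs_dict, seen_after_html_close)
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":        # HTMLParser lowercases tag and attribute names
            self.iframes.append(({k: (v or "") for k, v in attrs}, self._html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self._html_closed = True


def _px(value):
    """Leading integer of a width/height attribute ('0', '1px', '100%'); None if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def suspicious_iframes(markup):
    """Return one finding per iframe that is being hidden from the viewer.

    An iframe is reported when it is at most 1x1 pixel, hidden via CSS, or
    placed after </html>. A legitimate embed (visible size, inside <body>)
    is not reported even if it points to an external host."""
    collector = _IframeCollector()
    collector.feed(markup)
    collector.close()
    findings = []
    for attrs, after_html in collector.iframes:
        reasons = []
        width, height = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append(f"{width}x{height} frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if after_html:
            reasons.append("appended after </html>")
        if reasons:
            src = attrs.get("src", "")
            findings.append({"src": src, "host": urlparse(src).hostname or "", "reasons": reasons})
    return findings


def scan_directory(root):
    """Walk root and map each web file carrying suspicious iframes to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            found = suspicious_iframes(path.read_text(errors="replace"))
            if found:
                results[str(path)] = found
    return results


# Constructed samples. The first is a PHP page with a legitimate embed plus an
# injected frame appended after </html>; the host is a placeholder, not a real IOC.
INFECTED_SAMPLE = """<?php include 'header.php'; ?>
<html><head><title>Home</title></head>
<body><p>Welcome</p>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
</body></html>
<iframe src="http://malicious.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
"""
CLEAN_SAMPLE = "<html><body><p>Nothing to see</p></body></html>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. python scan.py /var/www
        for path, found in scan_directory(sys.argv[1]).items():
            print(path, found)
    else:
        print("clean   :", suspicious_iframes(CLEAN_SAMPLE))
        print("infected:", suspicious_iframes(INFECTED_SAMPLE))
```

Run it against the document root of a web server you suspect (`python scan.py /var/www`) and review each hit by hand: 1x1 frames are also used by legitimate tracking pixels, so this is a triage aid, not a verdict. Finding and removing the injected frames cleans the served pages, but it does nothing about the executables on the same machine that keep reinjecting them, which is exactly the disinfection problem the article describes.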