Symbiotic relationship ensures malware persistence

If your antivirus solution detects the Vobfus worm and downloader on your computer, chances are good that the machine also houses the Beebone downloader, Microsoft researcher Hyun Choi warns.

Both downloaders are Visual Basic malware that have entered into a symbiotic relationship: each keeps fetching a newer, not-yet-detected variant of the other, so one of the two always remains on the compromised computer and the cycle of infection continues.

The initial infection often starts with Vobfus, whose worm-like nature allows it to spread via removable drives and mapped network drives.

“It copies itself to these drives with a random name, or not-so-random file name such as passwords.exe, porn.exe, secret.exe, sexy.exe, subst.exe, video.exe,” the researcher explains. It then does the same to the %userprofile% folder, and finally contacts a C&C server to obtain encrypted instructions on where to download Beebone.
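The lure file names above are static indicators an analyst can sweep for on a suspect removable drive or user profile. The following is an added example, not code from the article or from Microsoft: it walks one or more roots, flags any file whose name matches the quoted lure list (case-insensitively, since the names were quoted in lowercase and the on-disk casing is unknown), and records the size and SHA-256 of each hit so the samples can be compared or submitted. The directory layout it scans is constructed inline for demonstration; the lure list is the only part taken from the write-up.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Lure file names quoted in the Microsoft write-up; matching is case-insensitive.
VOBFUS_LURE_NAMES = {
    "passwords.exe", "porn.exe", "secret.exe",
    "sexy.exe", "subst.exe", "video.exe",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_vobfus_lures(root: Path) -> list:
    """Walk `root` (a drive root or a user profile) and return one record per
    file whose name matches a known lure name, sorted by relative path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in VOBFUS_LURE_NAMES:
                p = Path(dirpath) / name
                hits.append({
                    "path": p.relative_to(root).as_posix(),
                    "size": p.stat().st_size,
                    "sha256": sha256_of(p),
                })
    hits.sort(key=lambda r: r["path"])
    return hits


def build_sample_tree() -> Path:
    """Constructed test data (not a real infection): a fake removable drive
    'E' and a fake profile 'Users/alice' with a few benign and lure files."""
    base = Path(tempfile.mkdtemp(prefix="vobfus_demo_"))
    drive = base / "E"
    profile = base / "Users" / "alice"
    (drive / "Photos").mkdir(parents=True)
    profile.mkdir(parents=True)
    (drive / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
    (drive / "Porn.EXE").write_bytes(b"MZ constructed stand-in for a lure copy")
    (drive / "Photos" / "secret.exe").write_bytes(b"MZ constructed stand-in for a lure copy")
    (profile / "video.exe").write_bytes(b"MZ constructed stand-in for a lure copy")
    (profile / "notes.txt").write_bytes(b"benign")
    return base


def demo() -> dict:
    """Run the sweep over the constructed tree and return just the hit paths."""
    base = build_sample_tree()
    return {
        "drive": [h["path"] for h in find_vobfus_lures(base / "E")],
        "profile": [h["path"] for h in find_vobfus_lures(base / "Users" / "alice")],
    }


if __name__ == "__main__":
    base = build_sample_tree()
    for root in (base / "E", base / "Users" / "alice"):
        print(root)
        for h in find_vobfus_lures(root):
            print(f"  {h['path']}  {h['size']} bytes  sha256={h['sha256']}")
```

On a real machine, point `find_vobfus_lures` at the removable drive's root and at `%userprofile%`; a hit is a starting point for triage, not proof of infection, since a user could legitimately have a file with one of these names.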

Beebone – a downloader in its own right – then contacts its own C&C and downloads a slew of malware, including Vobfus, Zbot, Sirefef, Cutwail, and others.

Vobfus then repeats its drive-infection routine and downloads a newer version of Beebone (if one exists), and so on.

“This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products,” says Choi.

“A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.”

According to Microsoft research, Vobfus maintains a very successful removable-drive infection rate in the wild.

Choi advises users to keep their AV solutions, OS, browsers and other software updated, and to be cautious when clicking on external links.
