Computer Viruses Evolve
New malware morphs into different shapes unattended by humans
Now this is quite a fascinating story: it seems the latest development is the accidental creation of new super-malware strains by viruses infecting the executable files of worms. Worms are generally executable files and, well, viruses infect executables – so you can imagine what happens.
Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on.
Now, another “practice” has silently emerged: the file infector that accidentally parasitizes another e-threat. A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC – including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended.
While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to “outsource” the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm).
Most likely these Frankenmalware, or “malware sandwiches,” take place spontaneously. The virus actually infects another piece of malware by mistake and ends up using its capabilities to spread. Bitdefender’s Antimalware Lab identified no fewer than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan.
The franken-worm now has the characteristics of the original worm and also carries the virus – so when it spreads, the virus spreads with it.
Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.
The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.
A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 per cent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns.
“If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said Loredana Botezatu, the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.”
BitDefender doesn’t have historical data to go on. Even so it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 per cent year on year.
There are really unlimited possibilities with this, and the great thing (to me anyway) is that it occurred by complete accident. I guess the next step up would be virus authors purposely hunting down worm files and infecting them with additional capabilities.
There have always been cases of malware that hunts down other malware and removes it from the host machine.
All of the malware hybrids analysed by BitDefender so far have been created accidentally. However, the risk posed by these combos could increase dramatically as crooks latch onto the idea of deliberately splicing malware strains together to see what sticks. This is on top of efforts by blackhat coders to add extra features to others’ viruses and unleash the updated builds onto the unsuspecting public.
BitDefender carried out its study after finding a sample of the Rimecud worm that was infected by the Virtob file infector. Rimecud is designed to steal online passwords for e-banking or e-mail accounts, among other functions. Virtob creates a hacker-controlled backdoor on infected systems.
“Imagine these two pieces of malware working together – willingly or not – on the same compromised system,” Botezatu explains. “That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.”
I wonder what will happen in the future with this and if the bad guys will really jump on this already sailing ship and use it to their advantage. The last computer I recently touched had over 30+ viruses and a boot-loader; it took me 4-5 hours to make sure the system was clean, then I had to re-install Windows XP and jump through all the hoops, upgrades and drivers for the system. This is why I tell people about Linux Mint all the time.

