Malware known as Win32/Vobfus works in a symbiotic relationship with other malware, Microsoft security has uncovered.
Microsoft researcher Hyun Choi has noted a form of resurgence lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability, he said, although it’s moved on to using more current vulnerabilities now.
Vobfus is a family of worms that spreads via removable drives and network mapped drives. “The name Vobfus comes from the characteristics that these worms are Visual Basic and obfuscated,” he said. “Vobfus is a Visual Basic malware compiled either in p-code (pseudo code) or native code. The obfuscation of the malicious payload of Vobfus started with simple string manipulation, and it has evolved to a more complex string decoding.”
It has a close relationship with Beebone, a family of Visual Basic-compiled trojan downloaders that is known to download threats from a range of families, including Vobfus, Zbot, Sirefef, Fareit, Nedsym and Cutwail. In turn, once executed, Vobfus contacts a command-and-control server to obtain encrypted instructions on where to download Beebone to other networked machines.
“Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you'll often see the other,” Choi said.
Read more: http://www.infosecurity-magazine.com/view/33215/symbiotic-malware-work-together-to-avoid-antivirus-detection/