July 13, 2013

Tag Team Virus Duo Discovered

Security researchers from Microsoft have discovered an unusual virus combo: two malware programs that work together to bypass antivirus software, each automatically downloading the other should it be removed from the host computer.

These kinds of malicious programs are nothing new in themselves, but what’s unique about Vobfus and Beebone is that upon installation they both immediately download updates of the other, as a method of evading deletion by antivirus software. The idea is that if one is detected and deleted, its partner in crime will quickly download an updated version of the deleted virus onto the machine again, creating a ‘vicious cycle’ that makes it very difficult for the user to clean his or her computer.

Vobfus and Beebone work by regularly downloading updates of each other. Vobfus, a worm discovered in 2009, infects the machine first. Usually Vobfus infects the machine through a malicious link on a website or, in rare cases, via a flash drive. Once installed, Vobfus will download its buddy Beebone. Beebone is a downloader/trojan, and serves to install various other nasty viruses and malware onto computers. From there, Beebone will typically infect the machine and call out to a command-and-control server (CNC server).

Once the tag team duo is present on a computer, attackers can look for sensitive information stored on the machine, but most likely will just use the machine in a botnet. Once the machine is connected to the botnet, the attacker can use it to perform illegal activities or, at the very least, spread spam via remote commands from the CNC server.

“The pair is more powerful together. Since they download one another constantly, it makes them particularly hard to get rid of. And Microsoft says, even if Vobfus has been detected and removed, there very well may be a version of Beebone flying under the radar,” said Leslie Horn of Gizmodo.

So how do you avoid this one-two hit combo? We always recommend you disable autorun on Windows computers. The other defense we find ourselves repeating is don’t click on suspicious links.
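One way to check and apply the autorun recommendation above is shown here as an added example; it is not part of the original article. It assumes an elevated PowerShell prompt and uses the standard Windows `NoDriveTypeAutoRun` policy value, where `0xFF` turns AutoRun off for every drive type. The function names are illustrative.

```powershell
# Added example (not from the article): audit and enforce the AutoRun policy.
$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # bitmask covering every drive type, removable media included

function Get-AutoRunPolicy {
    # Report the policy value in both the machine and the current-user hive.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\$PolicyPath"
        $value = (Get-ItemProperty -Path $key -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
        [pscustomobject]@{
            Hive                 = $hive
            Value                = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            DisabledForAllDrives = ($null -ne $value) -and
                                   (($value -band $AllDrives) -eq $AllDrives)
        }
    }
}

function Set-AutoRunDisabled {
    # Writing to HKLM requires administrator rights.
    $key = "HKLM:\$PolicyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value $AllDrives -Force | Out-Null
}

# Show the current state, fix the machine-wide value if needed, then re-check.
Get-AutoRunPolicy | Format-Table -AutoSize
$machine = Get-AutoRunPolicy | Where-Object Hive -eq 'HKLM'
if (-not $machine.DisabledForAllDrives) {
    Set-AutoRunDisabled
    Get-AutoRunPolicy | Format-Table -AutoSize
}
```

On domain-joined machines the same value is better set through Group Policy so that it is reapplied if something changes it locally.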

For more information about this virus duo, see Microsoft TechNet.