Malware: Vobfus and Beebone infections are double-trouble

Jul 02, 2013 by Nancy Owano report
Credit: Microsoft

( —Vobfus and Beebone sound like two lovable crayon-colored goldfish still on the Pixar drawing boards: Wouldn't that be nice. Microsoft's security team would much prefer they be animated box-office hits but they are a pair of malicious software programs that work in concert with one another. A recent blog posting at Microsoft made it known that they are quite a headache. Hyun Choi of the Microsoft Malware Protection Center said that the two programs are regularly found together. They operate collaboratively. They are "downloaders" and they work by alternatively downloading different variations of one another. The problem, aside from their computer invasion, is that they are hard to clean and can elude antivirus software.

The first malware player, Vobfus, is named after its characteristics. Think "Visual Basic." Think "obfuscated." Vobfus, detected in September 2009, is known as a downloader and it is compiled in p-code (pseudo code) or native code. A computer user might, for example, pick up Vobfus by way of a booby-trapped link. Once Vobfus gets into the system, it downloads the Beebone program, another downloader, ready for action to install other . Beebone has been downloading Trojans such as Zbot, Sirefef, Fareit, Nedsym and Cutwall.

In his blog posting, Choi talked about how this works. "Vobfus copies itself to the %userprofile% folder with a random name, or a not-so-random name…It also creates a runkey to ensure it runs every time Windows starts. Finally, Vobfus contacts a C&C server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats."

Choi also commented on the downsides of the pair's cyclical nature:

"Where Vobfus is detected, we often findWin32/Beebone too; thus exists the cyclical relationship between Vobfus and Beebone, the two threat families that are intrinsically related. This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants."

Among his guidelines for helping to prevent Vobfus and Beebone infections, he noted that "one infection vector is drive-by download, so use caution when clicking external links, and keep your browser and all other installed software up to date to help prevent exploits." Also, as Vobfus is primarily downloaded by Beebone or spread via removable drives, "a possible method of prevention is disabling autorun functionality."

The Microsoft Malware Protection Center gathers and analyzes data, working with organizations inside and outside Microsoft, and staying "agile to combat evolving threats." The Center seeks to respond to malware outbreaks and advise customers.

Explore further: A look at how your voice is being used to ID you

More information:… ions-from-above.aspx

Related Stories

Hacker 'botnet' hijacked online searches

Feb 07, 2013

Software titan Microsoft and computer security giant Symantec said Thursday that they smashed a hacker-infected computer network that was hijacking Internet searches.

Recommended for you

First-of-a-kind supercritical CO2 turbine

29 minutes ago

Toshiba Corporation today announced that it will supply a first-of-a-kind supercritical CO2 turbine to a demonstration plant being built in Texas, USA. The plant will be developed by NET Power, LLC, a U.S. venture, together w ...

Japan firm showcases Bat-Signal of the future

1 hour ago

A free-floating image created by firing lasers into thin air was unveiled in Japan on Monday, offering the possibility one day of projecting messages into a cloudless sky, as seen in Batman.

Kickstarter suspends privacy router campaign

2 hours ago

Kickstarter has suspended an anonymizing router from its crowdfunding site. By Sunday, the page for "anonabox: A Tor hardware router" carried an extra word "(Suspended)" in parentheses with a banner below ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

1 / 5 (6) Jul 02, 2013
Hyun Choi of the Microsoft Malware Protection Center

Isn't this the another name for the Windows development team?
not rated yet Jul 02, 2013
I wonder how much this problem would be helped if MS instructed new users to create standard accounts for browsing and e-mail, and only use the administrator account for updates/installing software. New Windows installs come with one Admin account, which many users just use for everything.