Malware: Vobfus and Beebone infections are double-trouble

Jul 02, 2013 by Nancy Owano report
Credit: Microsoft

( —Vobfus and Beebone sound like two lovable crayon-colored goldfish still on the Pixar drawing boards: Wouldn't that be nice. Microsoft's security team would much prefer they be animated box-office hits but they are a pair of malicious software programs that work in concert with one another. A recent blog posting at Microsoft made it known that they are quite a headache. Hyun Choi of the Microsoft Malware Protection Center said that the two programs are regularly found together. They operate collaboratively. They are "downloaders" and they work by alternatively downloading different variations of one another. The problem, aside from their computer invasion, is that they are hard to clean and can elude antivirus software.

The first malware player, Vobfus, is named after its characteristics. Think "Visual Basic." Think "obfuscated." Vobfus, detected in September 2009, is known as a downloader and it is compiled in p-code (pseudo code) or native code. A computer user might, for example, pick up Vobfus by way of a booby-trapped link. Once Vobfus gets into the system, it downloads the Beebone program, another downloader, ready for action to install other . Beebone has been downloading Trojans such as Zbot, Sirefef, Fareit, Nedsym and Cutwall.

In his blog posting, Choi talked about how this works. "Vobfus copies itself to the %userprofile% folder with a random name, or a not-so-random name…It also creates a runkey to ensure it runs every time Windows starts. Finally, Vobfus contacts a C&C server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats."

Choi also commented on the downsides of the pair's cyclical nature:

"Where Vobfus is detected, we often findWin32/Beebone too; thus exists the cyclical relationship between Vobfus and Beebone, the two threat families that are intrinsically related. This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants."

Among his guidelines for helping to prevent Vobfus and Beebone infections, he noted that "one infection vector is drive-by download, so use caution when clicking external links, and keep your browser and all other installed software up to date to help prevent exploits." Also, as Vobfus is primarily downloaded by Beebone or spread via removable drives, "a possible method of prevention is disabling autorun functionality."

The Microsoft Malware Protection Center gathers and analyzes data, working with organizations inside and outside Microsoft, and staying "agile to combat evolving threats." The Center seeks to respond to malware outbreaks and advise customers.

Explore further: Some British Airways frequent flier accounts miles breached

More information:… ions-from-above.aspx

add to favorites email to friend print save as pdf

Related Stories

Hacker 'botnet' hijacked online searches

Feb 07, 2013

Software titan Microsoft and computer security giant Symantec said Thursday that they smashed a hacker-infected computer network that was hijacking Internet searches.

Recommended for you

Does your password pass muster?

Mar 25, 2015

"Create a password" is a prompt familiar to anyone who's tried to buy a book from Amazon or register for a Google account. Equally familiar is that red / yellow / green bar that rates the new password's strength. ...

Beijing behind Internet security violation: group

Mar 25, 2015

China's cyberspace administration is "complicit" in attacks on major Internet companies including Google, an anti-censorship group said Wednesday, calling on firms worldwide to strengthen their defences.

House unveils cyber bill and signals bipartisan compromise

Mar 24, 2015

House intelligence committee leaders unveiled a bipartisan cybersecurity bill Tuesday amid signs of broad agreement on long-sought legislation that would allow private companies to share with the government details of how ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

1 / 5 (6) Jul 02, 2013
Hyun Choi of the Microsoft Malware Protection Center

Isn't this the another name for the Windows development team?
not rated yet Jul 02, 2013
I wonder how much this problem would be helped if MS instructed new users to create standard accounts for browsing and e-mail, and only use the administrator account for updates/installing software. New Windows installs come with one Admin account, which many users just use for everything.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.