Malware: Vobfus and Beebone infections are double-trouble

Jul 02, 2013 by Nancy Owano report
Credit: Microsoft

(Phys.org) —Vobfus and Beebone sound like two lovable crayon-colored goldfish still on the Pixar drawing boards: Wouldn't that be nice. Microsoft's security team would much prefer they be animated box-office hits but they are a pair of malicious software programs that work in concert with one another. A recent blog posting at Microsoft made it known that they are quite a headache. Hyun Choi of the Microsoft Malware Protection Center said that the two programs are regularly found together. They operate collaboratively. They are "downloaders" and they work by alternatively downloading different variations of one another. The problem, aside from their computer invasion, is that they are hard to clean and can elude antivirus software.

The first malware player, Vobfus, is named after its characteristics. Think "Visual Basic." Think "obfuscated." Vobfus, detected in September 2009, is known as a downloader and it is compiled in p-code (pseudo code) or native code. A computer user might, for example, pick up Vobfus by way of a booby-trapped link. Once Vobfus gets into the system, it downloads the Beebone program, another downloader, ready for action to install other . Beebone has been downloading Trojans such as Zbot, Sirefef, Fareit, Nedsym and Cutwall.

In his blog posting, Choi talked about how this works. "Vobfus copies itself to the %userprofile% folder with a random name, or a not-so-random name…It also creates a runkey to ensure it runs every time Windows starts. Finally, Vobfus contacts a C&C server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats."

Choi also commented on the downsides of the pair's cyclical nature:

"Where Vobfus is detected, we often findWin32/Beebone too; thus exists the cyclical relationship between Vobfus and Beebone, the two threat families that are intrinsically related. This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants."

Among his guidelines for helping to prevent Vobfus and Beebone infections, he noted that "one infection vector is drive-by download, so use caution when clicking external links, and keep your browser and all other installed software up to date to help prevent exploits." Also, as Vobfus is primarily downloaded by Beebone or spread via removable drives, "a possible method of prevention is disabling autorun functionality."

The Microsoft Malware Protection Center gathers and analyzes data, working with organizations inside and outside Microsoft, and staying "agile to combat evolving threats." The Center seeks to respond to malware outbreaks and advise customers.

Explore further: To prevent data theft, businesses race to adopt new technology

More information: blogs.technet.com/b/mmpc/archive/2013/06/30/viewing-vobfus-infections-from-above.aspx

Related Stories

Hacker 'botnet' hijacked online searches

Feb 07, 2013

Software titan Microsoft and computer security giant Symantec said Thursday that they smashed a hacker-infected computer network that was hijacking Internet searches.

Recommended for you

Hackers of Oman news agency target Bouteflika

9 hours ago

Hackers on Sunday targeted the website of Oman's official news agency, singling out and mocking Algeria's newly re-elected president Abdelaziz Bouteflika as a handicapped "dictator".

Health care site flagged in Heartbleed review

Apr 19, 2014

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

BSD
1 / 5 (6) Jul 02, 2013
Hyun Choi of the Microsoft Malware Protection Center


Isn't this the another name for the Windows development team?
cyberCMDR
not rated yet Jul 02, 2013
I wonder how much this problem would be helped if MS instructed new users to create standard accounts for browsing and e-mail, and only use the administrator account for updates/installing software. New Windows installs come with one Admin account, which many users just use for everything.

More news stories

Making graphene in your kitchen

Graphene has been touted as a wonder material—the world's thinnest substance, but super-strong. Now scientists say it is so easy to make you could produce some in your kitchen.