First Nine Months of 2011 Give Birth to Surprising Innovation in Malware

Some members of this new generation of malware are “natural evolutions,” such as the TDSS botnet. Others are brand new innovations that aim to subvert or even completely defeat security software or other safety mechanisms of the operating system. Fasten your seat belts, raise the firewall and get ready: you’re going to meet the most interesting species of “Equus Chameleus” we’ve seen so far this year.

Win32.Induc.P

Compiler viruses are some of the rarest forms of malware we have seen in past years, after macro worms have gone nearly extinct. In July 2009, Bitdefender discovered a piece of malware that would infect the popular Delphi application development suite versions 4 through 7, turning this software compiler into a fully-fledged virus farm. Whenever that developer compiles an executable file, the viral code is added to the resulting file, spreading the infection even further.

In early September, Bitdefender identified a new variant of the virus, with higher destructive potential and able to infect a wider range of products in the Delphi family (including the latest RAD Studio 2005, RAD Studio 2007, RAD Studio 2009 and RAD Studio XE). This virus is unique in that it infects the compiler, thus infecting the files created with it out of the box. This is how reputed application vendors are involuntarily and unwillingly distributing malware through software products they develop. Even worse is that some of these products are digitally-signed, and some antivirus products skip digitally signed files from scans.

Trojan.Mebromi.A

With minor exceptions, the BIOS area of a computer was off-limits for years – more to the point, since the CIH era. Note the use of the past tense. 2011 also brought one of the first BIOS infectors ever. Dubbed Trojan.Mebromi.A, the e-threat adds a BIOS module called HOOK.ROM, which monitors whether the viral code is present in the Master Boot Record or has been erased by security software. If the latter, it adds it back. This code in the MBR area looks for some Windows files to see if they are also infected.

BIOS malware is extremely difficult to detect and annihilate, as it subverts the MBR and operating system before the latter even gets to boot. On the bright side, BIOS malware is difficult to write and implement, mostly because of the diversity of BIOS manufacturers, who implement this technology by different standards. Apparently, Trojan.Mebromi.A only infects Award BIOS versions produced by Phoenix Technologies.

Rootkit.MBR.TDSS  (a.k.a. TDL4)

Rootkit-based malware isn’t the most common virtual offender, but it’s by far the most dangerous. Rootkit.MBR.TDSS is one of the most dangerous pieces of malware ever developed: it has the ability to infect 32- and 64-bit operating systems. The rootkit infects the Master Boot Record (MBR), which allows it to load its code before Windows starts up. It is a “stunt” that allows TDL4 to intercept critical system functions.

Most important is that, once infected, the computer is added to a peer-to-peer botnet that is much more difficult to shut down, since the termination of the currently used C & C servers will not result in bots flailing aimlessly; they will try to update their C & C locations using the peer-to-peer protocol. This failsafe mechanism proves that cyber-crooks have learned their lesson from the takedown of Rustock (one of the largest and most prolific botnets to date) and won’t let this happen again.

Rootkit.Sirefef  (a.k.a. ZeroAccess)

Every so often, malware uses the promise of a crack (a piece of software used to circumvent licensing checks of commercial applications) to infect the machine it runs on. This is also the case of Rootkit.Sirefef, a highly advanced piece of malware dropped from a Microsoft Office 2010 crack. This rootkit runs in kernel mode, which means it has the highest system privileges. It creates a file on the disk that is attached to a virtual device and will be used as a tripwire for antivirus scanners. Whenever this file is scanned, the rootkit component kills the antivirus and eliminates its NTFS permissions.

The tripwire is actually one of the biggest stunts pulled by a piece of malware ever. Make no mistake about it – it is has been known for some time but hasn’t been used this way until now. As this piece of malware is especially designed to terminate antivirus solutions, detection and removal is extremely difficult. Bitdefender has released a special removal tool to detect and eliminate the threat.

Trojan.Antiminer.A

We all know malware strictly targets the financial part of your e-life, but how about Trojans that literally make money on your computer? This is the case of a highly prolific family of Bitcoin harvesters that particularly infect gamers to hijack the resources of their video cards towards Bitcoin mining.

If you are unfamiliar with the term, you should know that Bitcoin is a decentralized e-coin widely accepted for payments on the Internet. The Bitcoin is a cryptographic keypair created by solving instances of a difficult cryptographic proof-of-work problem by trial and error. In other words, your computer has to solve an extremely complex problem before being awarded a Bitcoin. Once it infects your computer, Trojan.Antiminer.A installs a legit application (a Bitcoin miner) that fetches blocks from a pool (a website that offers participants data to “crunch”) and processes it using your GPU or CPU power. All these computers bring the cyber-criminal a number of Bitcoins in his/her digital wallet, which can be exchanged into dollars or Euros.