Ten years ago, there was a clear-cut distinction between Trojans, viruses and worms. They all had their own features specific to one family of malware only. As more people connected to the internet, cyber-criminals started mixing ingredients to maximize impact. And here I’m thinking Trojans with worm capabilities or viruses with Trojan features, and so on.
Now, another “practice” has silently emerged: the file infector that accidentally parasites another e-threat. A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC – including the worm. When the worm spreads, it will carry the virus with it. Although this happens unintentionally, the combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware intended.
While most file infectors have inbuilt spreading mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to “outsource” the transportation mechanism to a different piece of malware (i.e. by piggybacking a worm).
Most likely these Frankenmalware, or “malware sandwiches,” take place spontaneously. The virus actually infects by mistake another piece of malware and ends up using its capabilities to spread. Bitdefender’s Antimalware Lab identified no less than 40,000 such malware symbioses out of a sample pool of 10 million files. One such case is the Virtob file infector, whose malicious code has been found infecting worms like OnlineGames, the ancient Mydoom or the more advanced Bifrose backdoor Trojan.
From the numerous samples of worms infected by viruses, we picked out the Win32.Worm.Rimecud -Win32.Virtob pair.
A few words about Win32.Worm.Rimecud
Win32.Worm.Rimecud is your typical worm with a state-of-the-art spreading apparatus. For propagation it uses file-sharing applications (Ares P2P, BearShare, iMesh, Shareaza. Kazaa, DC++, eMule, LimeWire), USB devices, Microsoft MSN Messenger (sends all contacts links to sites that host malware) and network drives mapped locally. Once on the system, Rimecud injects its code into explorer.exe and steals passwords pertaining to e-banking, on-line shopping, social networking or e-mail accounts from Mozilla Firefox and Internet Explorer. In the meantime its backdoor component enables it to connect to the C&C servers and fetch commands such as flood, download and execute further malware on the compromised PC. On top of that, the worm looks for a VNC server (remote control software) that would allow the attacker remote access and control of the compromised PC.
And certain details about Win32.Virtob
Bitdefender labs have recently seen attached a file infector to the above mentioned worm – Win32.Virtob. This virus is known to infect executable files with .exe or .scr extensions by affixing a piece of malicious code to those files. The worm is an executable file, so chances are it also gets infected by the virus if it’s on the same computer. Virtob then instructs the compromised executable files to firstly run the viral code (by changing the entry point) and only afterwards gives control back to the original file. Certainly this also applies to the worm – its code will be executed only after the virus code has been launched. When its code is successfully loaded into the memory, Virtob connects to two IRC servers that are in fact C&C servers, and with the help of its backdoor component, the virus is ready to receive commands from a remote attacker via the Internet.
By injecting its code into winlogon.exe and then adding this process to the firewall exception list, the virus makes sure it is granted complete Internet access and ensures its persistence – “ Winlogon is a critical process that, if terminated, will crash the computer. Afterwards, it infects HTML, HTM, PHP, ASP files by injecting IFrames that might silently load content from malware-laden pages.
Now, imagine these two pieces of malware working together – willingly or not – from and on the same compromised system. That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.
Multiple Frankenware infections possible:
If, by utter bad luck, the computer has more than one worm that applies to the virus specifications, the virus could infect more than one worm on the system. However, the virus might as well only infect the executable files in certain system locations, or of a certain length. Other viruses look for certain strings that pertain to other pieces of malware which will remain uninfected if found on the compromised system. So, one worm can be infected while others on the same system are not.
If one of the two (whether the virus or the worm) is caught by the AV, the other might pass undetected. Perhaps if we think of an infected file (possibly the virus) that needs to be analyzed separately and a piece of code is taken out and looked at, maybe then someone discovers also the worm. If the worm is detected based on a signature, the worm is simply wiped out from the compromised system, without any further analysis. This would make it easier for the virus to pass unseen. There’s no rule.
And two hypothetical scenarios:
Hypothetical scenario No. 1:
Imagine a worm like Downadup, that has been spreading constantly around the world for three years now (70,000 infected systems in the last six months alone), being infected with a virus. On the one hand, Downadup prevents the system from updating the OS and the AV solution locally installed; and on the other hand the virus may have rootkit capabilities and open a backdoor. Downadup spreads around the world constantly, which makes it a great propagation tool; not to mention that it took AVs more than half a year, and almost a million infections, to discover it. If this had carried along a virus, all those users would have suffered greater damage. And disinfection would be more complicated.
Hypothetical scenario No. 2:
Imagine that a worm is infected by a file infector (virus). And an AV detects the file infector first and tries to disinfect the files, which include the worm. In some rare cases disinfecting compromised files leaves behind clean files that are at the same time altered (not identical to the original anymore). They maintain their functionality but are slightly different in form. As most files are detected according to signatures and not based on their behavior (heuristically), an altered worm (disinfected along with other files that have been compromised by a file infector and disinfected by an antivirus) may not be caught anymore by the signature applied to the original file (that had been modified after disinfection). Disinfection might this way lead to a mutation that can actually help the worm.
This article is based on the technical information provided courtesy of Doina Cosovan & Razvan Benchea, Bitdefender VirusAnalysts.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.