Virtumondo now being spread through removable storage devices

Mar 19, 2009 09:37 GMT  ·  By

Security researchers from Sophos are warning that the Virtumondo computer trojan, which serves as a malware-distribution service, is now infecting computers via the Autorun feature. It makes its way onto USB sticks and other removable media devices with the help of a separate autorun worm.

Virtumondo, also known as Virtumonde or Vundo, is a particularly interesting piece of malware, combining adware, dropper, and trojan characteristics. Its payload attaches itself to browsers and injects fake entries into search results. Additionally, it triggers advertising pop-ups, most of the time promoting rogue security software (scareware).

According to Billy McCourt, senior virus researcher at SophosLabs UK, the trojan is very well maintained by its creators. "We've been tracking Virtumundo on our honeypots, and over the last few weeks there has been a constant stream of regular updates," the analyst notes.

The update mechanism employs a technique known as "server-side polymorphism" to constantly change the packaging of the malicious DLL file, with the aim of evading pattern-based detection. "Virtumundo will download updates at a rate of several per day, but the actual file may only change once or twice every 24 hours," Mr. McCourt explains.

The fact that the trojan is also being used to drop other malicious applications on the infected system, such as rootkits, polymorphic viruses, spamming tools, fake anti-virus and downloaders, suggests that it is probably being lent out by its creators to other cybercriminal groups as some sort of malware-distribution service. This would also explain the significant effort made to ensure its survival.

Another malware analyst from Sophos, Julie Yeates, warns that Virtumondo has gained worming capabilities, allowing it to jump from computer to computer via removable storage devices and network shares. "I came across an autorun worm with an added extra wriggle in the form of a Virtumundo file," Ms. Yeates announces.

This suggests that the trojan is a profitable business and that its owners want to expand their "market share." The success of using Autorun as an attack vector has already been demonstrated by widespread worms such as the infamous Conficker. "Yes folks, Virtumundo has learnt the tricks of autorun," the Sophos researcher concludes.
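A defender-side way to act on the autorun vector described above, as an added example that is not from Sophos or this article: a small Python triage routine that parses an autorun.inf collected from removable media and reports which entries would launch code, plus two disguise indicators common in autorun worms (a launch target under a RECYCLER-style folder, and an AutoPlay action label that mimics the built-in folder-open option). The sample file, its SID and file name are constructed, and the parsing is a simplified INI read rather than Windows' exact autorun.inf semantics.

```python
import re

# Keys under [autorun] whose value is launched, plus shell\<verb>\command
# entries that hijack Explorer's context-menu verbs for the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")
# AutoPlay "action" text that impersonates the built-in folder-browse option.
SPOOFED_ACTION_RE = re.compile(r"open folder to view files", re.I)

def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}, INI-style."""
    entries, in_autorun = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group(1).lower() == "autorun"
            continue
        m = KEYVAL_RE.match(line)
        if m and in_autorun:
            entries[m.group(1).lower()] = m.group(2)  # last duplicate wins
    return entries

def launch_targets(entries):
    """(key, command) pairs that would execute code on insert or double-click."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]

def triage(text):
    """Summarise one autorun.inf as a dict a scanner could log or alert on."""
    entries = parse_autorun_inf(text)
    targets = launch_targets(entries)
    return {
        "launches_code": bool(targets),
        "targets": targets,
        # Executable hidden in a folder users are trained to ignore (hypothetical indicator).
        "hidden_dir": any(re.search(r"recycle|system volume", v, re.I) for _, v in targets),
        "spoofs_folder_open": bool(SPOOFED_ACTION_RE.search(entries.get("action", ""))),
    }

# Constructed sample in the style of autorun worms; the SID and file name are made up.
SAMPLE = """[AutoRun]
OPEN = RECYCLER\\S-1-5-21-000000000-000000000-000000000-1000\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=RECYCLER\\S-1-5-21-000000000-000000000-000000000-1000\\update.exe
"""
```

Running `triage(SAMPLE)` flags the file on all three counts; a benign autorun.inf that only sets `label` and `icon` reports `launches_code` as False.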