Microsoft researchers say the relationship between the two makes them highly efficient

Jul 1, 2013 13:41 GMT

Malware of the Vobfus family is highly interesting. It has been around since 2009, it spreads via removable drives, and it’s mainly designed to download other pieces of malware onto infected computers.

However, experts from Microsoft’s Malware Protection Center have found something that makes Vobfus even more interesting.

Besides spreading via removable drives, the threat can also land on a computer when it is downloaded by another piece of malware, such as Beebone, a Trojan developed in Visual Basic.

Once it infects a device, Beebone downloads several other threats, including ZeuS, Sirefef, Fareit and Cutwail. But in most cases, it also downloads Vobfus.

Vobfus, in turn, downloads Beebone, so there is what experts call a “cyclical relationship” between the two.

“This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants,” Microsoft’s Hyun Choi explained in a blog post.

“Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately. A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself,” the expert added.

This way, even if one of the malicious elements is detected and removed, a newer undetected version of the other piece of malware could have already been downloaded onto the machine.

Vobfus is even more dangerous in network environments where data is often shared via removable drives. Researchers say that the removable drive infection rates observed in the wild are high.

It’s also worth highlighting that Beebone installs several other threats onto the infected machines, which makes the relationship between Beebone and Vobfus even more dangerous.