Malware Infected Malware Challenges Antivirus Detection

Malware authors do not always get along, in fact, there have been a number of instances where attackers target each other. But sometimes, malware infecting malware can be a good thing for attackers.

According to Trend Micro threat response engineer Roland Dela Paz, there has been an uptick in this kind of activity, which he calls “hybridised malware”. Recently, Trend observed an IRC bot detected as WORM_LAMIN.AC that was also infected by another file infector PE_VIRUX.AA-O, Dela Paz wrote.

Accident Or Design

“It’s not clear if these kinds of malware were intentionally created or if they are the result of a highly-infected user system,” he blogged. “While some of these problems largely affect malware analysts (such as inaccurate detection names), the biggest issue for users is how it affects cleanup. An incomplete clean operation could lead to the creation of a damaged variant of the malware, which might allow them to evade detection by security software.”

If this is deliberate, it could be a tactic that cyber-criminals can use to increase the effectiveness of their attacks, he argued. For example, because PE_VIRUX is polymorphic, WORM_LAMIN variants will also be harder to detect, he wrote.

“This is pure assumption mind you…but this trick of infecting a malware with a virus is being done by others as well to make life easier for their purposes, not to mention adding some layer of protection from AV [antivirus] scanners,” Ivan Macalintal, manager of advanced threats research at Trend Micro, told eWEEK. “Why recreate something when there is already a working code for it?”

Dmitry Bestuzhev, senior malware researcher at Kaspersky Lab, said that this type of activity is nothing new.

“We saw it several times in the past…[with] Virut and Sality infecting any kind of malware, including Trojan.Banker,” he said. “There is an interesting situation with the detection in this case. On the one hand, we have a possible situation when an AV can detect Virut, or any other file infector, and clean and then deliver a clean copy of Banker for the customer and, of course, the Banker will infect the machine and will [steal] money. On the other hand we can have situations when the initial malware, infected by another malware, may be detected as an initial Trojan and a delete action could be taken to delete it.”

“In practice I saw many cases where the infected malware is detected by many AVs, since many of them detected Virut, but… when the banker became clean of Virut it had a really low rate of detection,” he added. “So, here we’re talking about quality of signature and heuristics for detection. If the AV has a bad signature, naturally after the Virut disinfection it won’t just detect the banker.”

Typically, this does not affect the detection of individual threats however, Eric Chien, technical director of Symantec Security Response, told eWEEK. Once a detection engine detects the outer layer of a malicious file and cleans it, the underlying file is then exposed and can be detected and removed, he said.

“It’s unlikely,” Chien said, “that the main motivation behind malware affecting other malware is competitive in nature. In the underground economy, there are many non-technical people who are trying to make a quick buck. In some cases, these people who attempt to spread malware just don’t realise that they themselves are infected and their malware has been infected by a file infector from their own machine.”

In other cases, attackers are told to wrap their malware with a file infector to increase their returns, he said. Unknowingly, they start distributing infected Trojans.

“From their perspective they don’t mind letting another piece of malware piggyback on their own; all they care about is how much money they can make,” Chien said.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

1 hour ago

UK’s CMA Begins Probe Into Apple, Google Mobile Ecosystems

British regulator confirms investigation of Apple and Google's domination of app stores, operating systems, and…

3 hours ago

Samsung Touts AI Features With Galaxy S25 Smartphones

Launch of Samsung's Galaxy S25 Ultra, Galaxy S25+ and Galaxy S25 sees the handsets described…

5 hours ago

LinkedIn Sued Over Alleged Use Of Private Messages To Train AI

Microsoft's LinkedIn sued for allegedly using customer data, including private messages, to train AI models…

7 hours ago

Amazon To Shutter Sites In Unionised Province In Canada

1,700 jobs to be lost in Quebec, as Amazon says it will close seven sites…

22 hours ago

Google Wins UK Injunction To Halt Russian Enforcement Of Judgements

Google wins permanent injunction from London's High Court to prevent enforcement of Russian YouTube judgements

24 hours ago