SOFTWARE HOUSEÂ Microsoft’s security researchers have discovered a pair ofmalwareÂ programsÂ that help one another to avoid being detected by antivirus software.
Known as Vobfus and Beebone, the collaborating malware prove difficult to remove from infected machines as they work together, foiling the removal by regularly downloading updated versions of their respective partners.
Vobfus is a piece of Visual Basic malware that originally was found in September 2009 and is known as a program that downloads other code modules.
“The obfuscation of the malicious payload of Vobfus started with simple string manipulation, and it has evolved to a more complex string decoding,”Â Hyun Choi of Microsoft’s Malware Protection Centre said in a blog post.
Choi explained that Vobfus is downloaded by other malware and it’s being downloaded by Win32/Beebone downloaders, which are a family of compiled Visual Basic Trojan downloaders that are known to downloadÂ malwareÂ threats.
“Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you’ll often see the other,” Hyun explained.
“This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient toÂ antivirusÂ products. Vobfus and Beebone can constantly update each other with new variants.”
Microsoft warned that updated antivirus products might detect one variant present on the system, but newer downloaded variants might not be detected immediately.
“A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself,” Hyun explained. “In the case with Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.”
To help prevent infection by collaborating malware, Microsoft advised users to be cautious when clicking external links, keep browsers and all other installed software up to date to help prevent software exploits and disable autorun functionality.