Morphing malware defies categorisation

Threat Report: Strange catch in Sydney honeypots.

Analysts working on West Coast Labs' Sydney honeypots last week were left scratching their heads after discovering new malware that shared traits with multiple families of categorised worms.

Last week the Sydney honeypots, part of West Coast Labs' global honeynet, took in 64 examples of malware – 58 of which were new to Australia – exactly double the number of new threats detected in the week prior.

But of greater interest to West Coast Labs researchers was how many of the new strains combined attack methods and features of multiple families of worms detected in the past.

One malware sample arriving December 13 from an address in Kazakhstan would usually be classified in the Allaple or Rahack families. It spreads via networks and email, dropping the file urdvxc.exe into the System32 system directory to spread itself further. The same technique was employed by a new strain of Allaple found last week.

Further information on this piece of malware can be gained from:

Another file caught was traced to an address in Denmark. It was identified back in 2008 and was a variant of a worm first seen in 2006.

What perplexed researchers was how to categorise the bug. Although the IT security community agrees that it is a bot, it has been called "Rbot", "Sdbot" and "IRCbot", among other appellations.

Further information on this piece of malware can be gained from:

West Coast Labs was alarmed by the bug because one in four antivirus products fail to identify it.

Lysa Myers, Director of Research at West Coast Labs, said that classifying malware had become a bigger challenge in recent years.

"There's the obvious problem of vendors simply choosing different names, or using different naming conventions," she said. "But beyond that, some of the older worm families are publicly available and have been developed by a number of groups. They may contain modules from Worm A and Worm B, plus some new things added "as needed" by the malware writer.

"So Vendor X's researcher can see a sample and name it based on the bits of Worm A and Vendor Y's researcher may go by the snippets of Worm B. Neither is necessarily wrong."

The problem has been caused, she said, by the economic incentives of writing malware.

"What makes this difficult is the criminal element: Malware writers have quite a bit of incentive to cooperate and share code or other useful bits of information that make their operations more profitable," she said.

"Security researchers do share an awful lot. But, like law enforcement agents, researchers have rules they must follow for how to behave ethically and be trustworthy. Criminals don't have to play by the rules."
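The naming problem Myers describes (Allaple versus Rahack, Rbot versus Sdbot versus IRCbot, and the one-in-four miss rate) is something a defender hits every time a multi-scanner report comes back. The following is an added illustration, not code from West Coast Labs or the article: a small triage helper that strips vendor prefixes from detection labels, collapses the aliases named above into one cluster, and separates genuine vendor disagreement from mere naming differences. The alias table, the noise-token list and the sample report are all constructed assumptions.

```python
import re
from collections import Counter

# Alias clusters taken from the article: different vendor names that refer
# to what is, at the code level, one family or one shared code base.
FAMILY_ALIASES = {
    "allaple": "allaple", "rahack": "allaple",
    "rbot": "ircbot", "sdbot": "ircbot", "ircbot": "ircbot",
}

# Platform/type prefixes and variant suffixes vendors attach around the
# family token. Assumed list; extend for the scanners you actually use.
NOISE = {"w32", "win32", "net", "worm", "backdoor", "trojan",
         "gen", "generic", "a", "b", "c"}


def family_of(label):
    """Pull the family token out of a vendor label, e.g.
    'Net-Worm.Win32.Allaple.b' -> 'allaple'. None means the vendor missed."""
    if not label:
        return None
    for tok in re.split(r"[./:\-_\s]+", label.lower()):
        if tok and tok not in NOISE:
            return tok
    return None


def triage(report):
    """report: {vendor: label-or-None}.
    Returns (miss_rate, consensus_cluster, aliases_seen, outlier_clusters)."""
    votes, spellings, misses = Counter(), {}, 0
    for label in report.values():
        fam = family_of(label)
        if fam is None:
            misses += 1
            continue
        cluster = FAMILY_ALIASES.get(fam, fam)
        votes[cluster] += 1
        spellings.setdefault(cluster, set()).add(fam)
    consensus = votes.most_common(1)[0][0] if votes else None
    # Names that reconcile to the consensus are not a disagreement;
    # clusters outside it are worth a human look.
    return (misses / len(report), consensus,
            sorted(spellings.get(consensus, ())),
            sorted(c for c in votes if c != consensus))


# Constructed multi-scanner report for one sample (not real vendor output).
SAMPLE = {"VendorA": "W32/Rbot-Gen", "VendorB": "Backdoor.Win32.SdBot.aa",
          "VendorC": "Worm.IRCBot.Generic", "VendorD": None}

if __name__ == "__main__":
    print(triage(SAMPLE))  # -> (0.25, 'ircbot', ['ircbot', 'rbot', 'sdbot'], [])
```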
