VIRUT Delivers Polymorphic Punch

By Matthew Hines  |  Posted 2009-02-17 Print this article Print

On the heels of last week's report on VIRUX, researchers have directed their interests back at the VIRUT file infection family that begat the other strain of malware attack.

As experts at Symantec highlighted in a blog on Monday, polymorphic file infectors like VIRUT have been around for almost two decades now (1990 is almost 20 years ago, wow) but the latest iteration of the attacks, Virut.CF, is particularly bothersome and has been proliferating rapidly across enterprise networks. In addition to spreading quickly via open file shares, the attack is very hard to remove, Symantec experts said.

"Virut went through many revisions before the CF variant surfaced. This particular variant uses many advanced techniques to avoid detection and removal. None of the techniques are new, but have been used effectively within Virut. Some of the techniques employed include an advanced polymorphic engine, spaghetti code, and encryption," writes researcher Patrick Fitzgerald.

As with the VIRUX offspring, Virut.CF employs multiple layers of encryption, with varying levels of complexity, making it even harder to detect for AV vendors. Some versions of the threat even check system details such as CPU speed, illegal instructions, and API address manipulation to detect potential discovery. Small changes in the program's makeup make it almost impossible to keep a bead on, Fitzgerald said. More than complexity, it's Virut.CF's ease of customization that makes it truly annoying it seems.

Once onboard a computer, the thing copies itself all over the place too. And then, it employs so-called Entry Point Obfuscation (EPO) to help evade detection.

"The infection routine will point to the entry point of the first or second layer of encryption mentioned earlier. Alternatively, the threat scans for certain APIs in Kernel32.dll and patches these to have its payload executed. This EPO not only makes analysis and detecting the threat more difficult, it also makes it significantly more difficult to safely repair the infected files," the expert said.

"With file-infectors, the code only has to be good enough to infect a large amount of files -- if it corrupts some files and renders them useless, it rarely affects the desired outcome or purpose of the threat. We have also seen malware becoming infected with Virut, which adds another layer of complexity in terms of detection and removal. Our engine attempts to detect and repair every sample infected with Virut, but because of the complications outlined above there are some exceptional cases where this is not possible," Fitzgerald writes.

It sounds like we'll be dealing with Virut and its family members for some time to come. Symantec recommends updated AV, use of URL filtering and more conservative network share policy enforcement to minimize Virut's impact.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel