Malware researchers are warning of a complex new set of file infection attacks that are spreading their way around the globe and appear to bear fairly complex capabilities, including the ability to circumvent Microsoft’s Windows Firewall security software.
Dubbed VIRUX by researchers at TrendLabs, experts with the company said they have received a series of reports from several different countries regarding the emerging file infector campaigns, which spread via the Web, feature more than one layer of encryption and multiple infection techniques.
Trend indicated that the threat is seemingly propagating in the U.S. faster than in any other region at this point.
The VIRUX infection methods observed by the researchers include:
- cavity: the virus inserts its code into unused space within the normal file
- appending: the virus inserts its code after the normal file's code
- prepending: the virus inserts its code before the normal file's code
- entry-point obscuring: a more complex infection technique used to evade immediate detection
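The four methods above each leave traces in a PE file's headers or layout: appended code usually ends up as trailing data or in a new last section that takes over the entry point, cavity infection fills padding that a linker would have left as zeros, and entry-point obscuring moves execution away from where the headers say the program starts. The following script is an added example written for this post, not code from TrendLabs or the author, that parses a PE32 header with only the standard library and reports those traits as analyst-review indicators. The offsets come from the PE/COFF specification; the `build_pe` helper and the two sample images are constructed here purely so the checks can run offline, and the heuristics (tag names such as `EP_LAST_SECTION`) are this example's own, not a published detection standard.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE32 image; header parsing only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):                         # IMAGE_SECTION_HEADER array
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry_rva, sections


def find_infection_indicators(data):
    """Heuristics for the infection styles named in the post; returns (tag, detail) pairs."""
    entry_rva, sections = parse_pe(data)
    findings = []
    holder = next((s for s in sections
                   if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if holder is None:
        findings.append(("EP_OUTSIDE_SECTIONS", f"entry point {entry_rva:#x} maps to no section"))
    else:
        if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("EP_NON_EXEC", f"entry point in non-executable section {holder['name']}"))
        if len(sections) > 1 and holder is sections[-1]:
            # appending infectors and some EPO tricks redirect the entry point into the last section
            findings.append(("EP_LAST_SECTION", f"entry point in last section {holder['name']}"))
        if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("RWX_ENTRY_SECTION", f"entry section {holder['name']} is writable and executable"))
    # appending: bytes past the end of the last section's raw data (overlay)
    end_of_sections = max(s["rptr"] + s["rsize"] for s in sections)
    if len(data) > end_of_sections:
        findings.append(("OVERLAY", f"{len(data) - end_of_sections} bytes after last section"))
    # cavity: file slack between VirtualSize and SizeOfRawData is normally zero padding
    for s in sections:
        if s["rsize"] > s["vsize"]:
            slack = data[s["rptr"] + s["vsize"]:s["rptr"] + s["rsize"]]
            if any(slack):
                findings.append(("NONZERO_SLACK", f"non-zero padding in section {s['name']}"))
    return findings


def build_pe(sections, entry_rva, overlay=b""):
    """Construct a minimal PE32 image from (name, characteristics, raw_bytes, VirtualSize) tuples.
    Hypothetical helper for this example; it exists only to produce test input."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    hdrs, body, raw_ptr, vaddr = b"", b"", 0x200, 0x1000
    for name, chars, payload, vsize in sections:
        rsize = (len(payload) + 0x1FF) & ~0x1FF                         # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                            rsize, raw_ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += 0x1000                                                 # SectionAlignment 0x1000
    header = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0")
    return header + body + overlay


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed "clean" image: entry point at the start of .text, zero padding, no overlay.
CLEAN_PE = build_pe([(b".text", CODE, b"\xc3" * 0x100, 0x100),
                     (b".data", DATA, b"\0" * 0x40, 0x40)], entry_rva=0x1000)

# Constructed image carrying the header traits an infector leaves behind: non-zero bytes
# in .text slack (cavity), an RWX last section that owns the entry point (appending / EPO),
# and trailing overlay bytes. The section contents are filler, not executable logic.
SUSPECT_PE = build_pe([(b".text", CODE, b"\xc3" * 0x100 + b"\x90" * 0x80, 0x100),
                       (b".data", DATA, b"\0" * 0x40, 0x40),
                       (b".xtra", CODE | IMAGE_SCN_MEM_WRITE, b"\x90" * 0x20, 0x20)],
                      entry_rva=0x3000, overlay=b"CONSTRUCTED-OVERLAY")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, find_infection_indicators(image) or "no indicators")
```

Each finding is a review prompt rather than a verdict: packers, installers and signed binaries legitimately carry overlays, and some toolchains emit non-zero padding, so the value of these checks lies in triaging which .EXE and .SCR files on a host deserve a closer look, and in tracking how many files across a fleet suddenly acquire the same trait, which is the pattern a spreading file infector produces.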
“VIRUX hunts down target files and infects them using more than one infection technique and sometimes more than one encryption routine,” TrendLabs researchers said in a blog post.
The attacks infect both .EXE and .SCR files, turning them into VIRUX variants themselves.
“The ultimate payload might explain the pains that the cybercriminals took to make cleaning PCs of this infection difficult: this file infector connects to IRC servers, after which it joins a channel to receive and execute commands on the affected PC. It is ‘anything goes’ from there,” the experts said.
One VIRUX variant also connects to Web sites to download additional files, while yet another morphs into a Trojan attack.
Researchers likened VIRUX to an earlier file infector threat, VIRUT, but indicated that the new threat is far more serious.
“VIRUX is indeed a notch higher than VIRUT in terms of complexity, which is the cybercriminals’ bid for malware persistence and increasing likelihood of re-infection,” they said.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.