India catches the Beebone virus
Updated: 24 Jul 2013, 03:26 PM IST
Around 10% of India has been affected by the Win32 trojan nicknamed Beebone, says security firm Symantec
Mumbai: It goes by many names and comes in many variants, and over the past fortnight the Win32 trojan nicknamed Beebone has been spreading across India.
The Indian Computer Emergency Response Team (CERT-In) put out an alert on 10 July cautioning that Beebone “is a Trojan downloader family that silently downloads and installs other malware and programs without user consent”.
On 24 July, security firm Symantec Corp. confirmed the spread of the virus. In a media release, it said that as of 21 July, around 10% of India was affected by it.
Beebone is not new. In fact, W32.Changeup, as it is also called, was first discovered in August 2009, and was identified as among the top 10 malicious code families globally in 2012, according to the Symantec Internet Security Threat Report.
Beebone primarily spreads through mapped and removable drives, which is the infection method for six out of the top 10 worms in India, according to Symantec.
The worm can spread through file-sharing programs and is capable of downloading more threats and misleading applications on to a compromised computer.
Furthermore, the worm installs a file-sharing program on the computer and attempts to propagate by copying itself into the shared folder using a number of file names that have been selected to appear enticing to file sharers.
Many users may not even know they are infected: the worm plants an autorun.inf file at the root of a drive so that Windows launches the worm automatically when the drive is opened. Windows 7, and Windows XP and Vista once update KB971029 (February 2011) is installed, no longer honour autorun.inf on USB sticks and other non-optical removable drives, which blunts that vector on patched machines; the worm still spreads through mapped drives and file-sharing programs, and an infected stick that reaches an older or unpatched machine runs as before.
Unfortunately, while the drives may be removable, the infection is not so easy to remove, notes Symantec: Beebone’s creators use polymorphism, a technique malware authors use to evade traditional security software, which relies on signature-based detection.
Polymorphic malware does not ship as one fixed file. Instead of using a single piece of malware to infect vulnerable systems, the authors generate many variants that differ only slightly in their bytes but behave identically. Security products have traditionally recognised malware by fingerprinting those bytes, with a hash or a byte pattern, so even small changes can defeat the signature until a new one is issued.
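To make the fingerprinting point concrete, here is an added example, constructed for this article rather than taken from Beebone or from any vendor’s engine: a stand-in file is mutated by inserting inert junk bytes, the exact SHA-256 signature stops matching every variant, while a byte n-gram similarity score (a much simplified version of fuzzy hashing) still ties each variant to the family and leaves a harmless file alone. The sample bytes, the mutation scheme and the 0.4 threshold are all assumptions made for the demonstration.

```python
"""Why polymorphic variants slip past fingerprint signatures.

Added demonstration, not Beebone code and not a vendor's engine: a stand-in
file is mutated by inserting inert junk bytes, exact-hash signatures stop
matching, and a byte n-gram similarity score still ties the variant to the
family.  Sample bytes, mutation scheme and threshold are all assumptions.
"""
import hashlib
import random
from typing import Dict, Iterable, Set

# Constructed stand-in for a malware body (plain text, nothing executable).
BASE_SAMPLE = (
    b"MZ\x90\x00 loader v1 | open shared folder | copy self to removable drive | "
    b"fetch http://example.invalid/upd | write autorun.inf open= | sleep 300"
)
# Constructed harmless file used as the negative case.
BENIGN_FILE = b"Quarterly sales report: revenue grew 4% on the back of new retail partners."


def sha256_signature(data: bytes) -> str:
    """The classic fingerprint: a hash of the whole file."""
    return hashlib.sha256(data).hexdigest()


def make_variant(sample: bytes, seed: int, junk_count: int = 8) -> bytes:
    """Polymorphic mutation, kept deliberately simple: scatter short runs of a
    filler byte through the body.  A real engine would re-encrypt the payload
    with a fresh key or insert dead code; byte-level junk is enough to change
    every whole-file hash while leaving the 'behaviour' (the text) intact."""
    rng = random.Random(seed)          # seeded so each variant is reproducible
    out = bytearray(sample)
    for _ in range(junk_count):
        pos = rng.randrange(len(out) + 1)
        out[pos:pos] = b"\x90" * rng.randrange(1, 4)   # 0x90 = x86 NOP, purely illustrative
    return bytes(out)


def ngrams(data: bytes, n: int = 3) -> Set[bytes]:
    """All overlapping n-byte windows of the file, as a set."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 3) -> float:
    """Jaccard similarity of byte n-gram sets: a toy version of the fuzzy-hash
    idea (ssdeep, TLSH) that vendors use alongside exact signatures."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def exact_detect(data: bytes, signature_db: Set[str]) -> bool:
    """Signature-only detection: a hit only if the exact hash is already known."""
    return sha256_signature(data) in signature_db


def fuzzy_detect(data: bytes, family: Iterable[bytes], threshold: float = 0.4) -> bool:
    """Family detection: a hit if the file is similar enough to any known member."""
    return max(similarity(data, known) for known in family) >= threshold


def demo(variant_count: int = 5) -> Dict[str, int]:
    """Generate variants and count which detector catches them."""
    signature_db = {sha256_signature(BASE_SAMPLE)}   # what the AV shipped yesterday
    variants = [make_variant(BASE_SAMPLE, seed) for seed in range(1, variant_count + 1)]
    return {
        "variants": len(variants),
        "exact_hits": sum(exact_detect(v, signature_db) for v in variants),
        "fuzzy_hits": sum(fuzzy_detect(v, [BASE_SAMPLE]) for v in variants),
        "benign_flagged": int(fuzzy_detect(BENIGN_FILE, [BASE_SAMPLE])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The whole-file hash is the weakest form of fingerprint; real products also use byte patterns, emulation and behaviour, which is why a fuzzy score is shown here only as the simplest illustration of matching a family rather than a single file.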
In a blog post, Hyun Choi, a researcher with the Microsoft Malware Protection Centre, highlighted the problem.
“Where Vobfus (short for Visual Basic Obfuscated) is detected, we often find Win32/Beebone too; thus exists the cyclical relationship between Vobfus and Beebone, the two threat families that are intrinsically related. This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products,” Choi wrote. “Vobfus and Beebone can constantly update each other with new variants. Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately.”
Symantec recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives.
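As an added example of the autorun.inf mechanism described earlier and of the control Symantec recommends here, the following script (written for this article; not Symantec’s, CERT-In’s or Microsoft’s tooling) parses an autorun.inf the way Windows reads it, lists every entry that can cause a program to run, and writes out a .reg file with two long-standing settings that stop Windows honouring autorun.inf at all. The sample autorun.inf, its hidden directory and its file name are constructed for the demo and are not taken from a real Beebone sample.

```python
"""Show what an autorun.inf would launch, and produce the registry settings that
stop Windows honouring it.  Added example, not Symantec's or CERT-In's tooling;
the sample autorun.inf and its file names are constructed for this demo."""
from typing import Dict, List, Tuple

# Constructed autorun.inf in the style a drive-borne worm plants at a drive root.
# The hidden directory and binary name are invented, not taken from a real sample.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; right-click verbs are hijacked so Open and Explore run the dropper as well
open=RECYCLER\loader.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=My Documents
shell\open\command=RECYCLER\loader.exe
shell\explore\command=RECYCLER\loader.exe
shellexecute=RECYCLER\loader.exe
"""

# Constructed benign file: sets a label and an icon, launches nothing.
BENIGN_AUTORUN_INF = r"""
[AutoRun]
label=Holiday photos
icon=photos.ico
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with keys lower-cased.

    Windows reads autorun.inf as an INI file: ';' starts a comment, section and
    key names are case-insensitive, and only the [autorun] section drives AutoRun."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> List[Tuple[str, str]]:
    r"""Every entry that can cause code to run: open=, shellexecute=, and any
    shell\<verb>\command= (the commands behind the drive's right-click verbs)."""
    targets: List[Tuple[str, str]] = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def would_launch(text: str) -> bool:
    """True if opening the drive could execute something from the autorun.inf."""
    return bool(launch_targets(text))


def hardening_reg_file() -> str:
    """A .reg file (import with 'reg import autorun-off.reg' as administrator)
    carrying two long-standing AutoRun controls:
      * NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
      * mapping Autorun.inf to a registry path that does not exist makes Windows
        read the file's values from there instead of from the file, so any
        autorun.inf on any drive is inert."""
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\r\n"
        "\"NoDriveTypeAutoRun\"=dword:000000ff\r\n"
        "\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf]\r\n"
        "@=\"@SYS:DoesNotExist\"\r\n"
    )


if __name__ == "__main__":
    for inf in (SAMPLE_AUTORUN_INF, BENIGN_AUTORUN_INF):
        print("would launch:", would_launch(inf), launch_targets(inf))
    print(hardening_reg_file())
```

Pointing the parser at the `autorun.inf` found at the root of each removable or mapped drive gives a quick inventory of what an attached drive would try to run; the .reg file is the preventive side, and on 64-bit Windows it should be imported from a 64-bit process so that the HKLM\SOFTWARE keys are not redirected to WOW6432Node.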
CERT-In said users must refrain from visiting untrusted websites while ensuring that their anti-virus software is consistently updated.