Trend Micro has recently been encountering more hybridized malware files: conventional malware files (such as worms or Trojans) that have themselves been infected by a file infector. Consequently, they display both sets of behaviors: those of the worm/Trojan and those of the file infector.
It is not clear whether these kinds of malware were created intentionally or whether they are simply the result of a heavily infected user system. Some of the resulting problems mainly affect malware analysts (inaccurate detection names, for example), but the biggest issue for users is the effect on cleanup. An incomplete clean operation could produce a damaged variant of the malware, which might allow that variant to evade detection by security software.
If this were deliberate, however, it could be an effective tactic for cybercriminals to increase the effectiveness of their attacks. Both groups (those behind PE_VIRUX and those behind WORM_LAMIN, respectively) would benefit:
- Because PE_VIRUX is polymorphic, WORM_LAMIN variants will also be harder to detect.
- PE_VIRUX can propagate along with WORM_LAMIN. The worm acts, in effect, as an “affiliate program” of the file infector.
- Both malware families change certain user settings in ways that lower the system's security, benefiting both.
- The payloads of both malware families are executed on the affected system.
Taken together, these leave the user's PC completely compromised and under the control of malicious users.
There are also several possible scenarios for how these attacks could take place, two of which are:
- The worm downloads/drops and executes the file infector (or vice versa).
- The worm is released in the wild, already infected by the file infector.
As previously mentioned, there is no proof that these kinds of threats are intentional. However, considering the benefits of the virus-worm tandem, it is not out of the question that we may see similar attacks in the future. Who knows?