Virtumundo – a malware distribution service

Virtumundo – if you are reading computer security blogs then the chances are high you have already heard of it. Virtumundo is one of those bits of malware that seems to be surviving, if not thriving, in the wild and appears to be responsible for opening the virtual door to other types of infections.

Just to recap, Virtumundo is a Trojan that injects itself into browsers to modify search results and bombard you with popups (typically fake Anti-Virus related popups). One thing that sets Virtumundo apart from a lot of other malware, though, is the effort that goes into maintaining it.

We’ve been tracking Virtumundo on our honeypots, and over the last few weeks there has been a constant stream of regular updates. These are typically just repackaged DLLs, packaged inside a heavily obfuscated wrapper (a technique commonly referred to as Server Side Polymorphism – the encryption engine stays on the server, separate from the malware itself, unlike in polymorphic viruses). Virtumundo will download updates at a rate of several per day, but the actual file may only change once or twice every 24 hours.

Fortunately, it is quite easy to spot likely Virtumundo infections manually – just run (from the command prompt)

dir %windir%\system32 /od

If you see several randomly named DLLs at the bottom of the listing (the /od switch sorts by date, so the most recently written files come last), then it is probably bad news. Here is what we found on our compromised box:
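The same manual check, scripted as an added example (this is not code from the original post): it sorts a listing by last-write time like `dir /od` does and flags recently written DLLs whose names look machine-generated. The sample listing and the file names in it are constructed for the example, and the name heuristic is a triage aid only.

```python
"""Triage helper for the 'dir %windir%\\system32 /od' check.

Flags DLLs that were written recently AND have vowel-poor, all-letter
names. Heuristic only: some legitimate system DLLs (msvcrt.dll, for one)
have vowel-poor names too, which is why recency is required as well.
"""
import os
import re
from datetime import datetime, timedelta

VOWELS = set("aeiouy")

# Constructed sample listing of (name, last-write time); not from a real host.
SAMPLE_LISTING = [
    ("kernel32.dll", datetime(2006, 8, 4, 12, 0)),
    ("user32.dll", datetime(2006, 8, 4, 12, 0)),
    ("msvcrt.dll", datetime(2006, 8, 4, 12, 0)),
    ("ddcbbyx.dll", datetime(2008, 3, 9, 2, 14)),
    ("yayvtsjh.dll", datetime(2008, 3, 9, 2, 15)),
    ("pmnmlhg.dll", datetime(2008, 3, 10, 1, 3)),
]


def looks_random(name: str) -> bool:
    """True if a DLL name is all letters and either vowel-poor or has a
    long consonant run; word-like and versioned names (kernel32) pass."""
    stem, ext = os.path.splitext(name.lower())
    if ext != ".dll" or not stem.isalpha() or len(stem) < 6:
        return False
    vowel_frac = sum(c in VOWELS for c in stem) / len(stem)
    runs = re.findall(r"[^aeiouy]+", stem)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_frac < 0.25 or longest_run >= 4


def flag_suspects(listing, window=timedelta(days=7)):
    """Return names written within `window` of the newest entry that also
    look random, oldest first (the same order 'dir /od' prints)."""
    ordered = sorted(listing, key=lambda entry: entry[1])
    newest = ordered[-1][1]
    return [name for name, mtime in ordered
            if newest - mtime <= window and looks_random(name)]


def scan_system32(window=timedelta(days=7)):
    """Live scan of %windir%\\system32 on Windows; returns [] elsewhere."""
    windir = os.environ.get("windir")
    if not windir:
        return []
    listing = []
    with os.scandir(os.path.join(windir, "system32")) as entries:
        for e in entries:
            if e.is_file():
                listing.append((e.name, datetime.fromtimestamp(e.stat().st_mtime)))
    return flag_suspects(listing, window)


if __name__ == "__main__":
    print("sample:", flag_suspects(SAMPLE_LISTING))
    print("live:", scan_system32())
```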

The really bad news however is that there is going to be other malware on the system. From running different Virtumundo installers, we managed to gather rootkits, polymorphic viruses, spamming tools, fake Anti-Virus and downloaders.

It looks like the guys behind Virtumundo are putting a significant amount of effort into 1) making pattern based detection tricky and 2) providing a reliable malware delivery service to those who seek it. Point 1 we can deal with – point 2 is a far bigger challenge.