Scribble piggybacks Koobface

In recent weeks we’ve seen Koobface move its updating mechanism to the vast array of bots it controls. Now when you download the latest version of the Trojan, you end up fetching it directly from the machine of someone else who’s already infected. Typically the update comes in a file called setup.exe, which you fetch directly from an IP address.

But while researching this, we found that a fair proportion of these files contained more than just your regular Koobface nastiness. In particular we’ve seen a prevalence of Scribble, Virut and Vetor file infections – we’ve mentioned before that these viruses look like they’ve been written by the same authors.

So what can we conclude? One possibility is that the Koobface authors are deliberately trying to get the most bang for their buck – you download one file, but you get two pieces of malware. Not only do you join their botnet, but you also infect all the files on your network. Another possibility is that the authors have more faith in the virus-infected file getting on to the system unflagged.

Personally I don’t think either of these is particularly likely – the Koobface authors update their code fairly frequently, and I’d expect them to focus on the virus instead if they thought that increased their chances of slipping past the radar undetected. In fact some of these viruses are fairly old, so they significantly increase the chance of the file being flagged.

I believe it’s more likely that the viruses were already active on these bots’ machines. When these computers became part of the update mechanism for the Trojan, the existing virus will have spotted these new executable files and pounced – setup.exe, which used to “just” be Koobface malware, suddenly acquires a new malignant layer.

Richard Wang in the Boston lab put me on to this verse by the Victorian-era mathematician Augustus De Morgan, which I feel applies to this malware-on-malware action:

Great fleas have little fleas upon their backs to bite ’em,
And little fleas have lesser fleas, and so ad infinitum.
And the great fleas themselves, in turn, have greater fleas to go on,
While these again have greater still, and greater still, and so on.

Image source: Kaptain Kobold’s Flickr photostream (Creative Commons 2.0)