Scribble malware scrambled

Since we first mentioned it on the blog we have seen rather a lot of our favourite polymorphic, mid-infecting friend that is the W32/Scribble virus. So much so that it has almost become a nuisance for us. But not quite…

Not much seems to get written about our runtime detection capabilities on the blog, and I'm probably most to blame for that. Truth be told, I often don't seem to find the time, but I have become a bit fed up with hearing so much about Scribble over the course of the year that I wanted to make the point that it's really not so difficult. A polymorphic, mid-infecting virus sounds pretty impressive, and in a way it is. Historically it could be argued that this particular category of malware is the most difficult for the likes of us at SophosLabs to deal with. But regardless of how they look from infection to infection, ultimately these nasties do pretty much exactly the same thing when they run. Consistently. Every time. I mean, it's just a computer program after all, right?

With the release of Sophos Endpoint Security and Control 9.0 (October) we included some significant improvements to our runtime detection capabilities. One such improvement is the ability to detect code injection at runtime. Lab testing has proven that HIPS/ProcInj-001 will consistently terminate Scribble when it attempts to inject its code into the running Windows process winlogon.exe, preventing the infection and the possibility of losing valuable files through mis-infections by the virus. So on the rare occasion that we don't detect a new variant of Scribble before it executes, we can be confident that it will be stopped almost as soon as it starts.
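To make the runtime idea concrete, here is an added example of the kind of behavioural rule the paragraph above is talking about: cross-process thread creation into a protected Windows process (winlogon.exe in the Scribble case) is flagged regardless of what the injecting binary looks like on disk. This is illustrative code written for this post, not Sophos's HIPS/ProcInj-001 implementation. The event format, field names, sample events and the lists of protected targets and trusted sources are all constructed assumptions, loosely modelled on Sysmon Event ID 8 (CreateRemoteThread) key=value text.

```python
"""Toy runtime code-injection detector (added example, not Sophos code).

Reads constructed, Sysmon-style CreateRemoteThread (EventID=8) records and
returns a verdict per cross-process thread creation:
  allow     - same process, or a trusted system binary touching a protected process
  alert     - a binary from a user-writable location creating a thread elsewhere
  terminate - anything untrusted creating a thread inside a protected process
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events: a benign self-thread, a trusted system source,
# and a user-space binary injecting into winlogon.exe (the Scribble pattern).
SAMPLE_EVENTS = [
    r"EventID=8 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\svchost.exe StartAddress=0x7FFE1000",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\winlogon.exe StartAddress=0x77E10000",
    r"EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\invoice.exe TargetImage=C:\Windows\System32\winlogon.exe StartAddress=0x00401000",
    r"EventID=8 SourceImage=C:\Users\alice\AppData\Local\Temp\invoice.exe TargetImage=C:\Windows\explorer.exe StartAddress=0x00401000",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed policy tables; a real product keeps these far richer and signed.
PROTECTED_TARGETS = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
TRUSTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\smss.exe",
    r"c:\windows\system32\services.exe",
}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key=Value ...' text into a dict (values contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> str:
    """Apply the injection rule to one parsed event; non-thread events are ignored."""
    if event.get("EventID") != "8":
        return "ignore"
    src = event["SourceImage"].lower()
    dst = event["TargetImage"].lower()
    if src == dst:
        return "allow"  # a process creating a thread in itself is normal
    if basename(dst) in PROTECTED_TARGETS:
        # Only a short, explicit list of system binaries may touch these.
        return "allow" if src in TRUSTED_SOURCES else "terminate"
    if any(marker in src for marker in USER_WRITABLE_MARKERS):
        return "alert"  # suspicious origin, but the target is not critical
    return "allow"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source, target, verdict) for every thread-creation event seen."""
    results = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict != "ignore":
            results.append((basename(event["SourceImage"]),
                            basename(event["TargetImage"]), verdict))
    return results


if __name__ == "__main__":
    for src, dst, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:9s} {src} -> {dst}")
```

The point of the rule mirrors the post's argument: the injecting binary in the third sample event would be caught no matter how its on-disk bytes were mutated between infections, because the decision keys off what it does at runtime (creating a thread inside winlogon.exe) rather than what it looks like.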