Think of the movie Mr. & Mrs. Smith and the first thing that comes to mind is probably the love-hate relationship the protagonists share. When things are good, they experience a functional marriage, to say the least. But when things aren’t, they go to great lengths to kill each other at every chance they get. Malware is no different in this respect. Under favourable conditions, different pieces of malware work in harmony on the computer, sharing its resources, stealing data and proliferating while staying undetected the whole time. However, when a reversal of fortune occurs, the malware don’t just destroy each other; they often end up causing serious damage to the host computer too.
There are several examples of symbiotic relationships, both intentional and inadvertent. A file infector like Virut could inadvertently gain worm-like capabilities when it infects a piece of auto-run malware, and start spreading through removable media. A keylogger already detected by an Anti-Virus vendor, if infected with a new variant of another file infector such as Sality, could now go undetected and start logging keystrokes again. There have been horror stories in the past involving an ancient network worm getting infected with Sality, such that Sality gains network-spreading capabilities whilst the erstwhile network worm gains camouflage. In terms of planned partnerships, malware toolkits like SpyEye have now combined with the Zeus toolkit to deliver an even more deadly concoction of malware.
On the flip side, malware relationships, regardless of specific intent, can turn antagonistic. For example, a file infected with two entirely different file infectors, such as Sality and Virut, could end up not just corrupting the original file, but could also expose a previously undetected layer of one malware component to Anti-Virus detection due to an extant detection of its accidental partner. Many malware samples of yesteryear ended up being detected even before they left their creators’ computers because they unknowingly had a Parite (an old-school file infector) wrapper. Sometimes the mutual hatred between malware can be made explicit, as was the case in 2004 when the authors of the email worms Netsky, Mydoom and Beagle vied for supremacy in the global prevalence stakes by attempting to uninstall each other on the victim’s computer.
Where do these malware relationships leave the poor victims and their avowed protector, the Anti-Virus industry? Well, the scenario where a would-be-undetected piece of malware is compromised by a detected file infector can be seen as a positive result. However, the overall implications of malware relationships are generally negative for the security industry. As mentioned earlier, malware can combine to corrupt an original host file, render each other undetected, or provide each other with new malicious powers. The end result could be severe complications in the subsequent detection, cleanup and disinfection procedures. An unpalatable scenario indeed. As ever, we recommend keeping your computer patched and up-to-date with Anti-Virus data to reduce the chances of it becoming a malware speed-dating and shaadi venue.
Credits:
The love-hate image courtesy of geeks.pirillo.com
Lokesh Kumar
K7TCL