Two days ago I wrote an article about the new trend of file-replacing viruses. However, as I was busy, I did not have much time to go deep into detail then. For this, I may have to say sorry, because some of you, even people with security knowledge, may think there is nothing new in it. In fact, the new thing here is the big change in the strategy that the viruses use to easily fool antivirus experts. Today, now that other things have been settled, I have more time to make a summary of our team's 4-year tracking and studying of the development of this virus type. Hopefully, you will get an overview of these viruses as well as their new trend.

First emerged in 2007, this type of virus has actually undergone 3 development stages:

The first stage (2007) - System-file replacing virus:

The viruses aim to replace Windows system files such as explorer.exe, userinit.exe, winlogon.exe, rpcss.dll, lpk.dll, comres.dll, etc. To keep the system operating normally, the viruses make a backup of the replaced files and refer to these files only when they have been executed. If we try to remove the infection by deleting the infected files without restoring the replaced files, the whole computer system will be broken. Unfortunately, almost all AVs have this problem. We already gave a warning on this issue at the APCERT AGM.

The second stage (2009) - Startup-program file replacing virus:

Instead of replacing system files, bad guys aim their arrows at startup programs. These programs are often registered under the following 2 keys:



The viruses still make a backup of the replaced files (similar to the first stage). And yet, AV programs still make the same mistake of deleting infected files without restoring the critical files.

The third stage (2010) - Software-Updater file replacing virus:

Recently, there has been a rising number of newly emerged viruses that overwrite software updaters. Many would mistake them for second-stage ones. File-replacing viruses in this period disguise themselves much better by faking icons, version information, etc., and overwrite the updaters of some popular software (Adobe, DeepFreeze, Java, etc.).

Unlike in the two previous stages, they do not make any backup of the replaced files. They only attack the software updaters and thus do not affect the operation of the software itself. In addition, because the icons and version information are faked by the viruses, we cannot determine whether or not the systems have been infected by using tools (such as Autoruns, Process Explorer, etc.).

Obviously, this is the new strategy that is causing many difficulties for experts.

You can visit the following links for more details:

These are the 3 stages of file-replacing virus development. They are still changing their infection methods, as bad guys never stop finding ways to cause trouble for AVs. This requires AV vendors to continually improve their software rather than just "detect and delete" infected files the way they are doing now.
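
The remediation rule argued for above, as an added Python sketch that is not the author's code or any AV product's logic: each tracked file is compared with a known-good SHA-256 baseline (an assumption; the article names no detection method), restored from a backup copy when the virus left one (stages 1 and 2), and flagged for reinstall when it did not (stage 3). The file names and contents in `demo()` are constructed sample data.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def plan_remediation(baseline, search_dirs):
    """baseline: {file path: known-good SHA-256}. Returns {file path: (action, backup)}."""
    # Index files by content hash so a backup is found whatever it was renamed to.
    by_hash = {}
    for p in (f for d in search_dirs for f in Path(d).rglob("*") if f.is_file()):
        by_hash.setdefault(sha256(p), []).append(p)
    plan = {}
    for target, good in baseline.items():
        t = Path(target)
        if not t.exists():
            plan[target] = ("missing", None)
        elif sha256(t) == good:
            plan[target] = ("clean", None)  # content check; icon and version info are ignored
        else:
            backups = [p for p in by_hash.get(good, []) if p.resolve() != t.resolve()]
            # Stage 1/2: the original is still on disk, restore it. Stage 3: reinstall.
            plan[target] = ("restore", backups[0]) if backups else ("reinstall", None)
    return plan

def apply_plan(plan):
    for target, (action, backup) in plan.items():
        if action == "restore":
            shutil.copy2(backup, target)  # overwrite in place, never delete-only

def demo():
    """Constructed sample: placeholder contents in a temp dir, not real binaries."""
    root = Path(tempfile.mkdtemp())
    files = {n: root / n for n in ("explorer.exe", "userinit.exe", "updater.exe")}
    for name, path in files.items():
        path.write_bytes(b"original " + name.encode())
    baseline = {str(p): sha256(p) for p in files.values()}  # recorded while clean
    (root / "hidden").mkdir()
    shutil.copy2(files["userinit.exe"], root / "hidden" / "u.dat")  # stage 1/2: backup kept
    files["userinit.exe"].write_bytes(b"replaced")
    files["updater.exe"].write_bytes(b"replaced, faked version info")  # stage 3: no backup
    plan = plan_remediation(baseline, [root])
    apply_plan(plan)
    after = plan_remediation(baseline, [root])
    return ({Path(k).name: a for k, (a, _) in plan.items()},
            {Path(k).name: a for k, (a, _) in after.items()})

if __name__ == "__main__":
    print(demo())
```

A file marked `reinstall` still has to be replaced from the vendor's installer; deleting it alone leaves the software without its updater.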

Nguyen Cong Cuong

Senior Malware Researcher
