A new instant messaging (IM) worm has been spotted using a number of evolved techniques to beat installed security programs and catch even suspicious users off-guard.
According to BitDefender, Backdoor.Tofsee’s cleverness starts with its choosiness – it infects only PCs running Skype and Yahoo Messenger, leaving other users uninfected.
If it finds a user running one of these applications, it then checks whether the target system runs suspect code through a virtual machine layer, a security technique used by some but not all antivirus systems, and also by researchers debugging malware. If such a defence is detected, the worm likewise terminates itself.
Alternatively, as a backup, it tries to subvert the virtual machine detection system by spawning a ‘suspended’ child process in memory. It then kills the parent process that might be detected by the security system.
It is not clear how successful this tactic is, nor whether creating child processes can keep it out of reach of the security system, but on the face of it this looks like a well-thought-out attack on current virtual machine security.
At this stage, the worm has a ‘last line of defence’, a rootkit, which attempts to hide its own files and block access to a range of antivirus-related URLs, support and download forums and Windows update. This is a more standard technique but no less effective if the worm finds a home on the PC.
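The rootkit stage described above blocks access to antivirus sites and Windows Update. One common way malware achieves this is by adding entries to the local hosts file; the article does not say which mechanism Tofsee uses, so that is an assumption here. The following Python example is added for this page and is not code from the article or from BitDefender: it audits a hosts file against a constructed watchlist of security-vendor and update domains and reports whether each overridden name is sinkholed to loopback or redirected to some other host.

```python
"""Audit a hosts file for overrides of security-vendor and update domains."""
from typing import Dict, List, Tuple

# Constructed watchlist for this example; a real deployment would list the
# vendors and update services actually used in its own environment.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "bitdefender.com",
    "symantec.com", "kaspersky.com", "mcafee.com", "avast.com", "sophos.com",
)
# Addresses that make a name unreachable rather than resolving it.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Constructed sample showing the tampering a URL-blocking rootkit leaves behind.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.bitdefender.com download.bitdefender.com  # injected
0.0.0.0 update.microsoft.com windowsupdate.com
::1 forum.kaspersky.com
10.0.0.5 www.symantec.com
192.168.1.20 intranet.example.local
"""

def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_number) triples, skipping comments/blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()  # drop trailing comment, then tokenise
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        address, *names = parts
        entries.extend((address, name.lower(), lineno) for name in names)
    return entries

def is_protected(hostname: str) -> bool:
    """True if hostname is, or is under, a watchlisted domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)

def find_blocked_security_domains(text: str) -> List[Dict[str, object]]:
    """Flag every hosts entry that overrides a protected domain. A loopback or
    unspecified address just makes the site unreachable ("sinkholed"); any other
    address steers traffic to a host the attacker chose ("redirected")."""
    findings = []
    for address, hostname, lineno in parse_hosts(text):
        if is_protected(hostname):
            reason = "sinkholed" if address in SINK_ADDRESSES else "redirected"
            findings.append({"line": lineno, "hostname": hostname,
                             "address": address, "reason": reason})
    return findings
```

Run `find_blocked_security_domains` over the contents of `C:\Windows\System32\drivers\etc\hosts` on a suspect machine; a "redirected" finding deserves more attention than a "sinkholed" one, since it may point at a fake update or download server.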
Perhaps its cleverest tactic of all is the way it spreads beyond the initial infection. Instead of simply opening sessions with contacts it finds in the infected user’s address book, it waits until a conversation is in progress before opening a chat window with a malicious link.
The standard way of spreading via IM is to open a chat session at a random point with a random contact. This more sophisticated method would be far more likely to catch Skype and Yahoo users off-guard.
Backdoor.Tofsee can also tailor its conversations to a range of countries and languages, including Spanish, German, Dutch, Italian and French, as well as English, and is able to vary the conversational openers from one message to another.
After all this, the purpose of the worm is almost mundane. As with almost all Trojan malware out there, it tries to take control of the system for any one of a number of purposes. The use of Skype and Yahoo Messenger is merely a convenient channel.