Limbo 2 Trojan comes complete with guarantee of invisibility
Jul 21st, 2008, 6:07 pm
It might come as a surprise to some that there is an underground economy online which revolves around the sale of malware. However, with botnets for hire by the hour and rootkits to purchase outright, such off-the-shelf security nightmares have been the norm for a number of years now. What is unusual about the Limbo 2 Trojan is that it costs so much, topping out at some $1300 for the user license. Yes, without any hint of irony, the authors of these malware applications do seek to protect their intellectual property with end-user licensing schemes. The fact that for the most part they have stolen the code from someone else and simply adapted it slightly to create a new version is neither here nor there.
But the reason for the high value of Limbo 2 is simple: it comes with a guarantee of being able to evade the top ten anti-virus solutions. Not just evade them now, but do so continuously, thanks to a morphing shell: a polymorphic packer that re-encodes the executable so that every copy has different bytes on disk, providing in effect a cloaking device to hide the Trojan from the prying eyes of AVG, McAfee, Symantec and their ilk. So the shell changes, but unfortunately the payload remains constant: stealing financial data.
PrevX, the security company which uncovered Limbo 2, has analysed the code and confirmed that the Trojan can produce an effectively unlimited number of variants to avoid detection by signature-based AV solutions. A signature is a fixed byte pattern taken from a captured sample, and repacking changes those bytes, so while the AV researchers will, soon enough, produce a signature to detect Limbo 2, the chances are high that it will morph into an unrecognised variant within hours.
Jacques Erasmus, the Director of Malware Research with PrevX, told SC Magazine that Limbo 2 is "by far the most sought-after trojan in the underground" and added that it is able to "inject a code into a live banking site - if you log into a bank, it is able to hijack your connection and adds an extra field into the page."
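The field injection Erasmus describes is a man-in-the-browser edit: the bank's page arrives intact, and the Trojan adds a form field of its own before the user sees it. The following is an added example, not code from the original post or from Prevx, that simulates that edit on a constructed login page and then runs the kind of allowlist check a bank's page-integrity script performs. The page markup, the `atm_pin` field name and the `EXPECTED_FIELDS` allowlist are all assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a bank login form as the browser should receive it.
CLEAN_LOGIN_PAGE = """<html><body>
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# The extra field the Trojan slips into the live page (assumed for the example).
INJECTED_FIELD = '<input type="password" name="atm_pin" placeholder="ATM PIN (required)">'


def inject_field(page, field_html):
    """Simulate the man-in-the-browser edit: add a field before the form closes."""
    return page.replace("</form>", field_html + "\n</form>", 1)


class FormFields(HTMLParser):
    """Collect the name of every <input> inside each <form>, keyed by form action."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:            # a nameless submit button carries no data
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Allowlist of the fields each form is supposed to carry (assumed for the example).
EXPECTED_FIELDS = {"/login": {"username", "password"}}


def unexpected_fields(page):
    """Return {form action: extra field names} for any form carrying fields
    that are not on the allowlist; an empty dict means the page is clean."""
    parser = FormFields()
    parser.feed(page)
    parser.close()
    result = {}
    for action, names in parser.forms.items():
        extra = names - EXPECTED_FIELDS.get(action, set())
        if extra:
            result[action] = extra
    return result


if __name__ == "__main__":
    print("clean page   :", unexpected_fields(CLEAN_LOGIN_PAGE))
    tampered = inject_field(CLEAN_LOGIN_PAGE, INJECTED_FIELD)
    print("tampered page:", unexpected_fields(tampered))
```

The check works on the HTML string here so that it runs offline; in a real deployment it runs against the rendered DOM, either in a client-side integrity script or by comparing a DOM snapshot against the server's template. Note the caveat: a Trojan that already hooks the browser can also hide its field from a script running in that same browser, so a check like this raises the cost of the attack rather than preventing it.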
Although it does sound like good cause for some doom and gloom predictions, the truth is that now that the Limbo 2 code has found its way into the hands of one security firm it will be dissected and distributed amongst numerous other security research labs. New Trojans capable of morphing to avoid detection hit the market more frequently than you might imagine, and security researchers find the key characteristics that can produce a generic signature, typically the parts that cannot change without breaking the Trojan, such as the unpacking stub or the decrypted payload in memory, quicker than you might think as well. Even if simple signature detection is not possible, heuristic techniques and other behaviour-based detection technologies, which watch what the program does rather than what it looks like on disk, will almost certainly kick in.
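The argument in the paragraphs above (a morphing shell defeats a fixed-bytes signature, but a generic signature on the invariant parts still catches every variant) can be shown in a few lines. The following is an added example, not code from the original post or Prevx's analysis of Limbo 2: the shell is a toy XOR packer with a fixed stub header, the `PAYLOAD` is a harmless marker string standing in for the banker's code, and the `MAGIC` header, key length and signature lengths are all assumptions made for the illustration.

```python
import hashlib
import os

# Constructed stand-in for the Trojan's constant payload.  A real banker's
# payload is native code; here it is a harmless marker string so the example
# can run anywhere.
PAYLOAD = b"STEAL_BANK_CREDENTIALS_AND_POST_TO_C2"

# Toy "morphing shell": a stub header (magic, key length, key) followed by the
# payload XOR-ed with a fresh random key.  This is an illustration of the idea,
# not Limbo 2's real packer, which the post does not describe in detail.
MAGIC = b"LB2"


def pack(payload, key=None):
    """Wrap payload in a new shell.  A different key gives a different file."""
    key = key or os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + body


def unpack(packed):
    """Strip the shell: what the stub does in memory before the payload runs."""
    if len(packed) < 4 or not packed.startswith(MAGIC):
        raise ValueError("not a shelled sample")
    klen = packed[3]
    if klen == 0:
        raise ValueError("empty key")
    key = packed[4:4 + klen]
    body = packed[4 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def packed_signature(sample, length=16):
    """What a vendor extracts from one captured variant: a fixed byte string."""
    return sample[:length]


def signature_hit(sample, signature):
    """Classic signature scan: the exact bytes must reappear in the file."""
    return signature in sample


# Generic detection keys on what cannot change without breaking the Trojan:
# the shell's own stub format and the invariant payload underneath it.
PAYLOAD_SIGNATURE = b"BANK_CREDENTIALS"


def generic_hit(sample):
    """Recognise the stub, unpack as an emulator would, then match on the payload."""
    try:
        return PAYLOAD_SIGNATURE in unpack(sample)
    except ValueError:
        return False


def compare_detection(variants, signature):
    """Return (signature hits, generic hits) across a set of variants."""
    sig_hits = sum(signature_hit(v, signature) for v in variants)
    gen_hits = sum(generic_hit(v) for v in variants)
    return sig_hits, gen_hits


if __name__ == "__main__":
    variants = [pack(PAYLOAD) for _ in range(5)]
    print("distinct hashes:", len({sha256(v) for v in variants}), "of", len(variants))
    sig = packed_signature(variants[0])   # signature written from variant 0 only
    print("signature hits / generic hits:", compare_detection(variants, sig))
```

Every call to `pack` yields a file with a new hash and new leading bytes, so a signature taken from one variant matches only that variant, while `generic_hit` catches all of them because it looks past the shell. The example's stub header is fixed to keep it short; a real morphing shell varies the stub as well, which is exactly why vendors move on to emulation and to the behaviour-based detection the post mentions (watching for browser hooking and page tampering rather than for bytes on disk).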
This blog entry was written by Davey Winder, staff writer aka happygeek. It has been filed under the Hardware and Software category. It has received 2,996 views, 1 comment(s), and 35 linkbacks. It was promoted to featured news status Jul 21st, 2008.
rexibit | Junior Poster in Training | Jul 22nd, 2008
Wow, this is not good news for us in the short term, but in time we will have protection against it using heuristics.


