It might come as a surprise to some that there is an underground economy online which revolves around the sale of malware. However, with botnets for hire by the hour and rootkits to purchase outright, such off-the-shelf security nightmares have been the norm for a number of years now. What is unusual about the Limbo 2 Trojan is that it costs so much, topping out at some $1300 for the user license. Yes, without any hint of irony, the authors of these malware applications do seek to protect their intellectual property with end user licensing schemes. The fact that for the most part they have stolen the code from someone else and simply adapted it slightly to create a new version is neither here nor there.

But the reason for the high value of Limbo 2 is simple: it comes with a guarantee of being able to evade the top ten anti-virus solutions. Not just evade them now, but do so continuously thanks to a morphing shell which provides in effect a cloaking device to hide the Trojan from the prying eyes of AVG, McAfee, Symantec and their ilk. So the shell changes, but unfortunately the payload remains constant: stealing financial data.

PrevX, the security company which uncovered Limbo 2, has analysed the code and confirmed that the Trojan can produce a practically infinite number of variants to avoid detection by signature-based AV solutions. So while the AV researchers will, soon enough, produce a signature to detect Limbo 2, the chances are high that it will morph into an unrecognised variant within hours.

Jacques Erasmus, the Director of Malware Research with PrevX, told SCMagazine that Limbo 2 is "by far the most sought-after trojan in the underground" and added that it is able to "inject a code into a live banking site - if you log into a bank, it is able to hijack your connection and adds an extra field into the page."
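The extra-field injection Erasmus describes is something the bank's own page can watch for, because the legitimate login form has a fixed, known set of fields. The following is an added example, not code from the article or from PrevX: a defender-side form integrity check that compares the input fields actually present in the page against a manifest of what the bank expects, and reports any injected field, any expected field whose type has changed (for example a password box turned into a plain text box), and any expected field that has gone missing. The manifest, field names and HTML snippets are constructed for illustration; in a real deployment the manifest would be generated from the server's template and the check would run over `document.documentElement.outerHTML` (or directly over the DOM) before the form is submitted.

```javascript
// Added example (not from the article or PrevX): DOM/form integrity check for a
// login page. Detects fields that were not shipped by the server, which is the
// visible symptom of the in-page injection described above.

// Minimal <input> parser so the example runs stand-alone in Node without a DOM.
const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseInputs(html) {
  const fields = [];
  for (const tag of html.matchAll(INPUT_RE)) {
    const attrs = {};
    for (const a of tag[1].matchAll(ATTR_RE)) {
      // a[3]: double-quoted value, a[4]: single-quoted, a[5]: unquoted
      const value = a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : a[5];
      attrs[a[1].toLowerCase()] = value || "";
    }
    if (attrs.name) {
      fields.push({ name: attrs.name, type: (attrs.type || "text").toLowerCase() });
    }
  }
  return fields;
}

// manifest: { fieldName: expectedInputType } as emitted by the server template.
// Returns a list of findings; an empty list means the form matches the manifest.
function checkFormIntegrity(html, manifest) {
  const seen = parseInputs(html);
  const findings = [];
  for (const f of seen) {
    if (!(f.name in manifest)) {
      // An input the server never sent: the "extra field" case.
      findings.push({ kind: "unexpected_field", name: f.name, type: f.type });
    } else if (manifest[f.name] !== f.type) {
      // Same name, different widget (e.g. password -> text to capture it in clear).
      findings.push({ kind: "type_changed", name: f.name, type: f.type });
    }
  }
  for (const name of Object.keys(manifest)) {
    if (!seen.some(f => f.name === name)) {
      findings.push({ kind: "missing_field", name });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical bank login form).
const LOGIN_MANIFEST = { username: "text", password: "password", csrf_token: "hidden" };

const CLEAN_PAGE = `
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>`;

// Same page after an in-browser injection added a field asking for an ATM PIN.
const TAMPERED_PAGE = CLEAN_PAGE.replace(
  '<input type="submit"',
  '<input type=password name=atm_pin placeholder="ATM PIN">\n  <input type="submit"'
);

function demo() {
  return {
    clean: checkFormIntegrity(CLEAN_PAGE, LOGIN_MANIFEST),
    tampered: checkFormIntegrity(TAMPERED_PAGE, LOGIN_MANIFEST),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

A check like this cannot see the Trojan itself, only the side effect on the page, which is exactly why it keeps working when the packer shell changes: the malware can morph its bytes but the extra field still has to exist for the scheme to work. The findings would normally be reported back to the bank's fraud team rather than shown to the user, so the attacker gets no signal that the injection was noticed.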

Although it does sound like good cause for some doom and gloom predictions, the truth is that now that the Limbo 2 code has found its way into the hands of one security firm it will be dissected and distributed amongst numerous other security research labs. New Trojans capable of morphing to avoid detection hit the market more frequently than you might imagine, and security researchers find the key characteristics that can produce a generic signature quicker than you might think as well. Even where simple signature detection is not possible, heuristic techniques and other behaviour-based detection technologies will almost certainly kick in.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Last Post by rexibit

Wow, this is not good news for us in the short term, but in time we will have protection against it using heuristics.
