It might come as a surprise to some that there is an underground economy online which revolves around the sale of malware. However, with botnets for hire by the hour and rootkits to purchase outright, such off-the-shelf security nightmares have been the norm for a number of years now. What is unusual about the Limbo 2 Trojan is that it costs so much, topping out at some $1300 for the user license. Yes, without any hint of irony, the authors of these malware applications do seek to protect their intellectual property with end user licensing schemes. The fact that for the most part they have stolen the code from someone else and simply adapted it slightly to create a new version is neither here nor there.
But the reason for the high value of Limbo 2 is simple: it comes with a guarantee of being able to evade the top ten anti-virus solutions. Not just evade them now, but do so continuously thanks to a morphing shell which provides in effect a cloaking device to hide the Trojan from the prying eyes of AVG, McAfee, Symantec and their ilk. So the shell changes, but unfortunately the payload remains constant: stealing financial data.
PrevX, the security company which uncovered Limbo 2, has analysed the code and confirmed that the Trojan can produce practically infinite variants to avoid detection by signature-based AV solutions. So while the AV researchers will, soon enough, produce a signature to detect Limbo 2, the chances are high that it will morph into an unrecognised variant within hours.
Jaques Erasmus, the Director of Malware Research with PrevX, told SCMagazine that Limbo 2 is "by far the most sought-after trojan in the underground" and added that it is able to "inject a code into a live banking site - if you log into a bank, it is able to hijack your connection and adds an extra field into the page."
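The "extra field" Erasmus describes is an integrity problem from the bank's side: the HTML the server sent and the form the customer sees no longer agree. One defensive check is to compare the form controls actually present in a page against the set the genuine template is known to carry. The example below is added here and is not PrevX's or any bank's code; the baseline field names, the two sample pages and the injected field name are all constructed for illustration. Since the injection happens inside the victim's browser, a check like this only helps if it runs on the page as the customer sees it (client-side script, or a monitoring client fetching pages through an infected host), not on the server's pristine copy.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set

# Assumed baseline (constructed): the field names the genuine login form carries.
# In a real deployment this would come from the site owner's own page template.
EXPECTED_LOGIN_FIELDS: Set[str] = {"username", "password", "csrf_token"}


class FormFieldCollector(HTMLParser):
    """Collects the `name` of every data-carrying control inside <form> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.in_form = False
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif self.in_form and tag in ("input", "select", "textarea"):
            # Buttons carry no user data, so they are not part of the comparison.
            if (a.get("type") or "text").lower() in ("submit", "button", "reset", "image"):
                return
            name = a.get("name")
            if name:
                self.fields.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def check_login_form(html: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Compare the controls found in `html` with the baseline.

    'unexpected' lists fields the page carries but the template does not (the
    signature of an injected field); 'missing' lists template fields that have
    been removed, which is equally suspicious."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    present = set(parser.fields)
    return {
        "unexpected": sorted(present - expected),
        "missing": sorted(expected - present),
    }


# Constructed sample page standing in for a bank's login form.
CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""

# The same page with one extra control added after the browser received it,
# the kind of modification the article describes. The field name is made up.
INJECTED_PAGE = CLEAN_PAGE.replace(
    '<input type="password" name="password">',
    '<input type="password" name="password">\n'
    '  <input type="text" name="injected_extra_field">',
)


if __name__ == "__main__":
    print("clean page   :", check_login_form(CLEAN_PAGE, EXPECTED_LOGIN_FIELDS))
    print("injected page:", check_login_form(INJECTED_PAGE, EXPECTED_LOGIN_FIELDS))
```

The comparison is deliberately on field names rather than on a hash of the whole page, because legitimate pages change their markup constantly while the set of fields a login form submits is stable and is exactly what an attacker needs to alter to harvest extra data.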
Although it does sound like good cause for some doom-and-gloom predictions, the truth is that now that the Limbo 2 code has found its way into the hands of one security firm, it will be dissected and distributed amongst numerous other security research labs. New Trojans capable of morphing to avoid detection hit the market more frequently than you might imagine, and security researchers find the key characteristics that can produce a generic signature quicker than you might think as well. Even where simple signature detection is not possible, heuristic techniques and other behaviour-based detection technologies will almost certainly kick in.
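The argument in the two paragraphs above (a morphing shell defeats byte signatures taken from one sample, but the constant payload gives researchers an invariant from which a generic signature can be built) can be shown in miniature. The example below is added here and is not PrevX's analysis or Limbo 2 code: the "payload" is a harmless marker string, the "morphing shell" is a one-byte XOR envelope with a hypothetical 5-byte header, and the variant keys are constructed. A byte signature lifted from one variant matches only that variant; a detector that first unwraps the envelope and then matches the invariant catches every variant and yields the same generic signature for all of them.

```python
import hashlib
from typing import Iterable, Optional

# Constructed stand-in for the Trojan's constant payload: a harmless marker
# string, not real code. It represents the behaviour that stays the same across
# every morphed variant ("the payload remains constant").
PAYLOAD = b"CONSTRUCTED-PAYLOAD: capture submitted form fields"
MARKER = b"CONSTRUCTED-PAYLOAD"

# Hypothetical envelope format: 4-byte tag, 1-byte key, XOR-encoded body.
HEADER_LEN = 5


def make_variant(key: int) -> bytes:
    """Stand-in for the 'morphing shell'. Wraps the unchanged payload in a
    one-byte XOR envelope, so two variants share no byte run on disk even though
    they do exactly the same thing once unwrapped."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    body = bytes(b ^ key for b in PAYLOAD)
    return b"STUB" + bytes([key]) + body


def byte_signature(sample: bytes, length: int = 16) -> bytes:
    """What a classic signature scanner extracts from one captured sample:
    a fixed run of bytes from the encoded body."""
    return sample[HEADER_LEN:HEADER_LEN + length]


def signature_detect(sample: bytes, signature: bytes) -> bool:
    """Plain substring match, as signature-based AV does."""
    return signature in sample


def recover_invariant(sample: bytes) -> Optional[bytes]:
    """Generic detection: undo the envelope, then match the part that cannot
    change. This is the analogue of an AV engine emulating or unpacking before
    matching. For this toy envelope that means trying all 255 keys."""
    body = sample[HEADER_LEN:]
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in body)
        if MARKER in decoded:
            return decoded
    return None


def generic_signature(sample: bytes) -> Optional[str]:
    """A 'generic signature': a hash over the recovered invariant, identical for
    every variant regardless of which key the shell picked."""
    invariant = recover_invariant(sample)
    return hashlib.sha256(invariant).hexdigest() if invariant is not None else None


def evaluate(keys: Iterable[int], signature_from_key: int) -> dict:
    """Run both detectors over several constructed variants. The byte signature
    is taken from the variant built with `signature_from_key`."""
    sig = byte_signature(make_variant(signature_from_key))
    variants = {k: make_variant(k) for k in keys}
    return {
        "signature_hits": sorted(k for k, v in variants.items() if signature_detect(v, sig)),
        "generic_hits": sorted(k for k, v in variants.items() if recover_invariant(v) is not None),
        "generic_signatures": {generic_signature(v) for v in variants.values()},
    }


if __name__ == "__main__":
    result = evaluate([0x41, 0x5A, 0x13, 0xC7], signature_from_key=0x41)
    print("byte signature caught keys :", [hex(k) for k in result["signature_hits"]])
    print("generic detection caught   :", [hex(k) for k in result["generic_hits"]])
    print("distinct generic signatures:", len(result["generic_signatures"]))
```

The brute-force over 255 keys is what makes the toy tractable; a real engine replaces that step with emulation or with unpacking logic for the specific packer family, but the principle the article relies on is the same: match what the author cannot afford to change, not the wrapper they change for free.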