What makes Warezov more interesting, however, is its update capability. Warezov is a form of metamorphic code. The malware can update itself every 30 minutes, pulling new functions from a series of Web servers that the attackers have located. It evolves its functionality on a regular basis. When its creators upload another stage of Warezov on the Internet, hundreds of thousands of infected hosts will pick up the new module and run it. The elements of Warezov that we have captured so far don't have any malicious payload functionality; they just continually look for their new stages to be loaded. As of this writing, it is not yet clear what the attackers plan to do with their compromised hosts. A subsequent malicious module has not yet been captured in the wild, so we will have to wait and see what other functionalities may soon exist. The attackers might be preparing to distribute a bot. They can then create a botnet that causes denial-of-service floods, keystroke logging or other nastiness.
As for defending against such malware, make sure you have a widely deployed antivirus and antispyware infrastructure, and update it on a daily basis. Also, filter unwanted attachments at your border mail servers and educate your users not to open email attachments.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Ed Skoudis
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ... Continue Reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ... Continue Reading