Yahlover Interrupts Software Evolution

A variation on an old IM-Worm is making the rounds in Thailand and Vietnam. It just may be interrupting your Virus Bulletin reading — the papers were good this year.
The worm is another AutoIt script compiled as “ssvichosst.exe” designed to interact with Yahoo! Messenger — among other things, the process searches for a window with the title “Yahoo! Messenger”, and then sends out one of a list of 10 fairly random Vietnamese or Thai messages to the user’s buddies. Sorry, we don’t have a speaker nearby right now, here are a few examples in which google didn’t pick up anything obscene:
“E may, vao day coi co con nho nay ngon lam”
“Vao day nghe bai nay di ban”
“Biet tin gi chua, vao day coi di”
“Trang Web nay coi cung hay, vao coi thu di”
It performs a number of operations to turn off Vietnamese based security products like “Bach Khoa AntiVirus” and “FireLion”, and disables system configuration tools. It will disable any display of folder options, and disable the task manager and registry tools.

In the meantime, Peter Szor‘s Virus Bulletin 2008 Conference presentation on the possibility of the true evolution of malcode is a fascinating idea, and must have been a lot of fun to work on, but does not hold a lot of weight. While Peter Szor deserves credit and respect for writing the book on malware in “The Art of Computer Virus Research and Defense”, this presentation didn’t seem to have the same impact. The abstract suggested that an evolution could occur in software code that attacks behavioral based products such that, “As a consequence, we predict behaviour-based virus detection would quickly become ineffective if malware can evolve based on the Darwinian paradigm.” A friend thought that such an occurrence is as likely as a pack of monkeys in front of keyboards eventually typing out Shakespeare. Too true.
Szor’s paper co-author C. Adami provided the academic efforts and study of evolution to back up their thoughts. The open source software Avida that he used to display potential can be found on sourceforge (was developed at the Michigan State Devolab), and creates an extraordinarily dynamic and fascinating evolutionary environment right on your laptop, with the text version looking much like this:

While it is apparent that bypass techniques can be designed against most any software solution, it will continue to require a human to figure out bypass techniques. It is interesting when malware authors write a separate and legitimate looking set of actions into their code for times when it is run in a VMWare environment, or if a debug dll is loaded. But no additional number of monkeys or amount of time will make it probable that randomly mutated software will figure them out in a sequence that will morph into such an evasive danger. Szor provided a couple examples of corrupted infections that their research team has found including macro viruses, and examples of viral payloads piggybacking on worms for crossbreeding, but there really isn’t any evidence that malcode payloads exist containing random mutations resulting in evasion of behavioral based security technologies.

The Yahlover script will continue making the rounds in Vietnam and elsewhere, infecting AV scanner-protected machines. No realistic amount of accidental corruption is going to help it past behavioral based protection, but maybe an unemployed script writing monkey could help.

This entry was posted in Online Fraud. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>