KBOT virus takes out system files with no hope of recovery

In a blast from the past, KBOT has been deemed the first “living” virus detected in recent years.

One of the largest data leaks ever traced back to Wawa's 2019 malware attack The Wawa breach may rank as one of the biggest of all time, comparable to earlier Home Depot and Target breaches.

It has been over a decade since the famous ILOVEYOU virus was let loose on the world, MyDoom was considered an email menace back in the day, and the Slammer virus is remembered for crashing the Bank of America's ATM service. 

Computer viruses and worms were once common but have now given way to more sophisticated and varied threats, including illicit cryptocurrency miners, Trojans, ransomware, and highly complex surveillance software designed to infiltrate mobile devices. 

However, sometimes there is a blast from the past -- as in the recent case of KBOT, a new virus making the rounds. 

The new malware was spotted by Kaspersky researchers. In a blog post on Monday, Kaspersky's Anna Malina said KBOT, a virus that spreads by injecting malicious code into Windows executable files, is the "first "living" virus in recent years that we have spotted in the wild."

See also: This Trojan hijacks your smartphone to send offensive text messages

KBOT is able to spread through Internet-facing systems, local networks, and removable drives. Once a system is infected, the malware writes itself to Startup and the Task Scheduler, infecting all .exe files on logical drives and shared network folders in its path. 

While scanning drives, the virus will add polymorphic code to .exe files and override functions of the IWbemObjectSink interface, a feature of Win32 apps. KBOT will also listen to connection events between logical drives and will use the API functions NetServerEnum and NetShareEnum to retrieve paths to other network resources in order to propagate. 

"Like many other viruses, KBOT patches the entry point code, where the switch to the polymorphic code added to the start of the code section is implemented," Malina says. "As a result, the original code of the entry point and the start of the code section are not saved. Consequently, the original functionality of the infected file is not retained."

KBOT makes use of a range of obfuscation tools and techniques to hide its activity, including string RC4 encryption, scans for DLLs related to antivirus software in order to suspend them, and the injection of code into legitimate, running processes. 

CNET: Foreign hackers are targeting more US government agencies, report says

If tampering with .exe files wasn't enough, the malware then attempts to perform web injections for the theft of a victim's personal data, which may include the credentials used to access online financial and banking services. 

Spoofing website pages is KBOT's preferred method and in order to do so, the virus will patch code functions in browsers including Chrome and Firefox, as well as the code of system functions for handling traffic. 

Before any major data theft takes place, however, the malware will first establish a link to its command-and-control (C2) server, of which related domains are stored in the hosts.ini file. C2 configuration and connection parameters are encrypted, and will send the bot ID, computer name, operating system, and lists of both local users and installed security software.

TechRepublic: Kubernetes rollouts: 5 security best practices

C2 commands include deleting and updating files, including instructions for updating bot modules or performing self-destruction. KBOT is also able to download additional malware modules that harvest user data including credentials, files, system information, and data relating to cryptocurrency wallets. Therefore, the new malware variant is one to watch.

"KBOT poses a serious threat because it is able to spread quickly in the system and on the local network by infecting executable files with no possibility of recovery," Kaspersky says. "It significantly slows down the system through injects into system processes, enables its handlers to control the compromised system through remote desktop sessions, steals personal data, and performs web injects for the purpose of stealing users' bank data."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0