Modern Musical Malware

A few years ago a new breed of virus emerged with an unusual payload. It would cause the infected computer to play music, without any action by the user. This virus was not particularly widespread, and was active for only a relatively short period of time.

Like so many past malware threats, this one has re-emerged in a far more sophisticated form. While the current variant is similar to its predecessor in some aspects, it is significantly different in the exact symptoms and the characteristics of the infection.

As for the symptoms, this next-generation malware plays a random radio station when activated; it may be broadcasting music, a talk show, news, or a commercial at the time. And instead of playing continuously, it plays in short bursts of only a few seconds at a time.

When the broadcast is playing, it is not coming through an Internet browser; indeed, there may be no application visible on the screen or in the taskbar. The Applications tab of Task Manager will show nothing related to this activity.

This unpredictability and short duration make it very difficult to identify, terminate, and disinfect the malicious process or processes. The principal infection is embedded in a rootkit; thus no malicious processes are normally visible in Task Manager.

By the same token, a netstat command normally reveals no active connections to the source of the broadcast. Entering the command at the exact moment the broadcast is active should unmask the connection, but the timing makes this a very difficult task to accomplish.
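The timing problem described above can be worked around by taking the snapshot many times rather than once. The following is an added example (not code from the original post): a Python script that records a baseline of connections while the machine is quiet, then polls `netstat -ano` at one-second intervals and reports every outbound connection that was absent from the baseline, together with the polls in which it appeared. The sample netstat lines embedded in the script are constructed, using TEST-NET addresses and made-up PIDs; the live polling assumes the Windows `netstat -ano` column layout.

```python
"""Catch short-lived outbound connections by polling netstat repeatedly.

Added example, not from the original post. Assumes the Windows
`netstat -ano` output format. Sample lines below are constructed.
"""
import re
import subprocess
import time
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: str


# Data lines of `netstat -ano`: proto, local, remote, [state], pid.
# The state column is optional and always starts with a letter, which
# keeps a UDP line's PID from being mistaken for a state.
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

_LOOPBACK = ("127.", "[::1]")


def parse_netstat(text: str) -> Set[Conn]:
    """Parse netstat output into a set of connections; header lines are skipped."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.add(Conn(proto, local, remote, state or "", pid))
    return conns


def outbound(conns: Set[Conn]) -> Set[Conn]:
    """Keep only sockets with a real remote peer (drops listeners and loopback)."""
    return {
        c for c in conns
        if c.remote not in ("0.0.0.0:0", "[::]:0", "*:*")
        and not c.remote.startswith(_LOOPBACK)
    }


def transient_peers(baseline: Set[Conn], snapshots: List[Set[Conn]]) -> Dict[Conn, List[int]]:
    """Outbound connections missing from the quiet baseline, mapped to the
    indices of the snapshots in which each one was observed."""
    base = outbound(baseline)
    seen: Dict[Conn, List[int]] = {}
    for i, snap in enumerate(snapshots):
        for c in outbound(snap) - base:
            seen.setdefault(c, []).append(i)
    return seen


def poll_netstat(count: int, interval: float) -> List[Set[Conn]]:
    """Take `count` live snapshots, `interval` seconds apart (Windows netstat)."""
    snaps: List[Set[Conn]] = []
    for _ in range(count):
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        snaps.append(parse_netstat(out))
        time.sleep(interval)
    return snaps


# Constructed sample output (TEST-NET addresses, made-up PIDs), not real data.
SAMPLE_BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    192.0.2.10:49152       198.51.100.7:443       ESTABLISHED     2048
  UDP    0.0.0.0:5353           *:*                                    1100
"""
SAMPLE_BURST = SAMPLE_BASELINE + (
    "  TCP    192.0.2.10:49177       203.0.113.45:80        ESTABLISHED     1312\n"
)


def demo() -> Dict[Conn, List[int]]:
    """Offline run: four polls, the burst connection present only in polls 1 and 2."""
    base = parse_netstat(SAMPLE_BASELINE)
    polls = [parse_netstat(SAMPLE_BASELINE), parse_netstat(SAMPLE_BURST),
             parse_netstat(SAMPLE_BURST), parse_netstat(SAMPLE_BASELINE)]
    return transient_peers(base, polls)


if __name__ == "__main__":
    for conn, idx in demo().items():
        print(f"{conn.proto} {conn.local} -> {conn.remote} {conn.state} PID {conn.pid} seen in polls {idx}")
    # Live use on the affected machine: replace demo() with
    #   transient_peers(parse_netstat(subprocess.run(["netstat", "-ano"],
    #                   capture_output=True, text=True).stdout), poll_netstat(300, 1.0))
```

Run it on the affected machine with the baseline taken while nothing is playing, and leave it polling for several minutes so that at least one burst falls inside the window. Because the rootkit hides its processes, the PID reported for a transient connection may not correspond to anything shown in Task Manager; that mismatch is itself worth noting when documenting the infection.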

The rootkit itself is very advanced and avoids detection by even most of the specialized anti-rootkit tools. As of early August 2012, it is not detected by Norton Anti-Virus, McAfee, AVG, or any of the other general-purpose antivirus tools tested.

While the term Advanced Persistent Threat is commonly used these days to describe such sophisticated malware, a more apt description of this offender might be Advanced Intermittent Threat. The key distinction is the fact that the payload is only active for brief bursts of time.

On one computer recently infected by this virus, ComboFix ran for more than one hour and completed normally, but did not clear the infection. TDSSKiller, from Kaspersky, and FixTDSS, from Symantec, both were blocked from running.

Some rootkit infections can be resolved by running the Fixmbr command from the Recovery Console. But in this case it was likely that the new Master Boot Record written by that command would also replicate the infection.

In the end, this infection was removed successfully. But virtually all of the traditional methods failed, and only a combination of persistence and a wide assortment of software tools made it possible to return this computer to service free of malware.