What makes Warezov more interesting, however, is its update capability. Warezov is a form of metamorphic code. The malware can update itself every 30 minutes, pulling new functions from a series of Web servers that the attackers have located. It evolves its functionality on a regular basis. When its creators upload another stage of Warezov on the Internet, hundreds of thousands of infected hosts will pick up the new module and run it. The elements of Warezov that we have captured so far don't have any malicious payload functionality; they just continually look for their new stages to be loaded. As of this writing, it is not yet clear what the attackers plan to do with their compromised hosts. A subsequent malicious module has not yet been captured in the wild, so we will have to wait and see what other functionalities may soon exist. The attackers might be preparing to distribute a bot. They can then create a botnet that causes denial-of-service floods, keystroke logging or other nastiness.
As for defending against such malware, make sure you have a widely deployed antivirus and antispyware infrastructure, and update it on a daily basis. Also, filter unwanted attachments at your border mail servers and educate your users not to open email attachments.
This was first published in February 2007