Again and again and again… That’s what comes to my mind every time I see a new variant of the Kavo family and, most recently, also the Hilot family. These malware samples are machine-generated, and their authors can produce a “completely new” set of samples with a simple change to the generator itself. What’s the problem here? These changes are not random, as we earlier thought; they’re precisely targeted against the most popular AV engines.
Hello again. This time I would like to present the story of one successful malware family. Why successful? Because it established a new way of spreading some time ago, and mainly because it has always scored very well in our statistics of malware detected in the wild. And what’s Kavo? It’s a name derived from the filenames of some binaries used by the malware family (kavo0.dll, kavo1.dll, etc.). The malware family is known under different names such as Oliga, Kavos, Kamso, OnLineGames, Taterf, etc.