Slashdot Mirror


Trojan Installs Anti-Virus, Removes Other Malware

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."

11 of 202 comments

  1. Other information about this... by Admin_Jason · Score: 5, Informative

    Naturally, this is a Windows specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that us /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this malware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:

    * Backdoor.Win32.Agent.uu
    * Spam-DComServ
    * TROJ_AGENT.BOR

    Removal instructions can also be found here

    --
    Just another nameless binary in a crowd of 1's and 0's
  2. Link to the actual research by httptech · Score: 4, Informative
  3. Re:A wise move by Anonymous Coward · Score: 1, Informative

    Or they can just go get a free version of Kaspersky courtesy of AOL.

  4. Re:This is great! by scottv67 · Score: 5, Informative

    I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it...

    That would be Welchia:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99

    ...(in fact I know there was, because I got 'hit' with it).

    The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.

  5. Re:This is great! by joe+155 · Score: 4, Informative

    "Maybe I should at least check for rootkits"

    You seem to say that as a joke, but I will answer seriously - you should. Just because you use Linux doesn't mean that you won't get rootkit'd... I'm not sure about Kubuntu, but with fedora it comes as a default with SSH running and allowing root login - if you don't stop that /var/log/secure quickly gets longer than your arm and sooner or later someone will be in... and the rootkits are never far behind.

    You should put something like RKhunter on a clean install ideally so you can keep a check on what's going on. Also chkrootkit is quite good, although I find it a lot harder to read.

    --
    ''I can't believe it's not a hyperlink.''
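An added example, not code from the thread: the comment above recommends watching /var/log/secure and turning off root SSH login. This script runs that check over a few constructed sshd log lines (host name, addresses and times are made up), flags a source address that repeatedly fails as root and any root login that follows such a run, and reads the effective PermitRootLogin setting from sshd_config text.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure sshd lines (not taken from any real host).
SAMPLE_SECURE = """\
Oct 20 03:14:07 fc5 sshd[2210]: Failed password for root from 203.0.113.5 port 4422 ssh2
Oct 20 03:14:09 fc5 sshd[2210]: Failed password for root from 203.0.113.5 port 4423 ssh2
Oct 20 03:14:12 fc5 sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 4425 ssh2
Oct 20 03:14:15 fc5 sshd[2216]: Failed password for root from 203.0.113.5 port 4426 ssh2
Oct 20 03:20:31 fc5 sshd[2301]: Accepted password for root from 203.0.113.5 port 4501 ssh2
Oct 20 08:02:10 fc5 sshd[2555]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Oct 20 08:05:44 fc5 sshd[2560]: Failed password for alice from 192.0.2.10 port 51030 ssh2
"""

# Matches the classic OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(log_text):
    """Yield (result, method, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def audit_root_logins(log_text, failure_threshold=3):
    """Count failed root logins per source and list root logins preceded by a run of failures."""
    failures = Counter()
    suspicious = []
    for result, method, user, ip in parse_sshd(log_text):
        if user != "root":
            continue
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= failure_threshold:
            # A successful root login from a source that just failed repeatedly.
            suspicious.append((ip, method, failures[ip]))
    return {"failed_root_by_ip": dict(failures), "root_login_after_failures": suspicious}

def permit_root_login(sshd_config_text):
    """Return the effective PermitRootLogin value; unset means 'yes' on OpenSSH before 7.0."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return "yes"
```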
  6. Re:Potential for good, and evil by DestinyBWL · Score: 3, Informative

    It "seems" like a good thing, but there are three major reasons why it isn't:

    A) It does so without you being aware.
    B) It illegally installs software that you do not have a license for.
    C) Most modern viruses and trojans are so complex that the only way to remove them is by disabling system restore and running thorough scans in safe mode and/or boot time scans.

    So not only do you have no control over it and become an "unexpected software pirate", but you likely don't even get rid of the other trojans/viruses on your computer.

    Plug: I have a step-by-step process writeup intended for the average joe on removing viruses at http://www.modemhelp.net/antivirus/

    --
    Bradford Liedel
    ModemHelp.Net

    --
    Bradford L.
    http://www.modemhelp.net
  7. Report to "enforcement@sec.gov" by Animats · Score: 2, Informative

    This should be reported, in very clear terms, to "enforcement@sec.gov". Or on the SEC's online form. Or to the SEC Division of Enforcement, 100 F Street, N.E. Washington, D.C. 20549. Because it's a felony being committed in support of a pump-and-dump stock scam.

    The stock being hyped is "TTEN", which has very low volume. The SEC can find out who was trading it just before the spam run started. That's how to find the people behind this. They can follow the money.

    So put together a comprehensive package listing all known stocks being hyped by this thing and the dates the spam began, and ship it off to the SEC. The SEC and FinCen (the U.S. Treasury Financial Crimes Enforcement Network) have the data mining tools to look at the stock transactions and find the people behind this. The SEC has gone after pump-and-dump spammers many times before, and they usually get them.

  8. Legalities by Ungrounded+Lightning · Score: 3, Informative

    I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, ...

    I wonder, though, if a retaliatory disinfector, or even a "beneficial nematode", would be legal?

    This would be a server that not only detects and blocks worm infection attempts, but responds (using one of the vulnerabilities exploited by the original malware or one it installs - which are known to exist due to the malware's presence) by disabling the malware in the attacking computer, and perhaps patching the vulnerabilities exploited by the malware and/or (in the "beneficial nematode" case) copying itself to it. The former attacker is now no longer attacking, is protected from reinfection by the secondary infection, and perhaps becomes another source of counter-attacks.

    Since it only counter-attacked, and even a passively-blocked attack without a counter-attack consumes resources (amounting to a DoS if sufficiently large and persistent), it could be argued that the counter-infection falls under the same principle as the use of force in self-defence. Or perhaps a "necessity defence" could be argued.

    Of course one would have to be especially careful when designing such a self-reproducing tool. A significant issue would be accidental escape into the wild of a buggy version early in the development. Timeouts or "hayflick limit" reproduction counters seem advisable. And building them on pirated antiviral tools would be out of the question.

    IANAL. Does anybody out there have a more informed opinion?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. Re:Hmm.. by ATMD · Score: 2, Informative
    --
    Nobody else has this sig.
  10. The last guy to try this is in jail by Animats · Score: 4, Informative
    but this guy is just too good. Not likely he'd have made a mistake.

    Let's take a look at the career of last year's big pump-and-dump spammer:

    "Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers"

    "Pump-and-dump spam domains go silent after botnet closure"

    Spammers register pump-and-dump spam domains for use in spam runs. These domains are commonly discarded after a few days. The tactic is commonplace but the arrest of alleged botmaster Jeanson James Ancheta, 20, of Downey, California, on 3 November has been accompanied by a radical shift in the landscape. "Up to recently, the graphs were all fairly smooth, with the stats showing that 12 days was about the maximum lifetime for this type of domain, while 30 per cent only lasted a day or under, and 10 per cent only lasted three hours or under," Shipp said. "This kind of activity just disappeared completely from the radar on 2 November."

    Following up:

    "Botnet Creator Pleads Guilty, Faces 25 Years"

    Federal Bureau of Prisons Inmate Locator

    • Name: JEANSON JAMES ANCHETA
    • Inmate number: 32392-112
    • Age: 21
    • Race: Asian
    • Sex: M
    • Projected release date: 12-25-2009
    • Location: CALIFORNIA CITY CORRECTIONAL INSTITUTION

    California City Prison: "This medium security desert prison opened in 2000, and is a stunning sight, either by day when its monolithic forms stand out on the desert pavement like ancient Egyptian architecture, or by night when floodlights bathe the gleaming facility in an orange glow which can be seen from as much as 30 miles away."

    Next spammer, please.

  11. Re:Potential for good, and evil by ArwynH · Score: 4, Informative

    Copyright Infringement Alarm!!!

    A bit amusing in the context, but let's be fair here, when you post someone else's work, please give them credit!

    This is RMS's 'Right to Read'. It is copyrighted under a very free license. All you have to do is give credit to the writer. That is something most people do without thinking, because it is the Right Thing to Do.

    Anyway, in case the AC gets modded into copyright infringement hell, the original text, as well as some updated comments, are available here. It's an interesting read.