Slashdot Mirror


Trojan Installs Anti-Virus, Removes Other Malware

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."

6 of 202 comments

  1. Other information about this... by Admin_Jason · Score: 5, Informative

    Naturally, this is a Windows specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that us /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this malware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:

    * Backdoor.Win32.Agent.uu
    * Spam-DComServ
    * TROJ_AGENT.BOR

    Removal instructions can also be found here

    --
    Just another nameless binary in a crowd of 1's and 0's
  2. Link to the actual research by httptech · Score: 4, Informative
  3. Re:This is great! by scottv67 · Score: 5, Informative

    I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it...

    That would be Welchia:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99

    ...(in fact I know there was, because I got 'hit' with it).

    The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.

  4. Re:This is great! by joe+155 · Score: 4, Informative

    "Maybe I should at least check for rootkits"

    You seem to say that as a joke, but I will answer seriously - you should. Just because you use Linux doesn't mean that you won't get rootkit'd... I'm not sure about Kubuntu, but with fedora it comes as a default with SSH running and allowing root login - if you don't stop that /var/log/secure quickly gets longer than your arm and sooner or later someone will be in... and the rootkits are never far behind.

    You should put something like RKhunter on a clean install ideally so you can keep a check on what's going on. Also chkrootkit is quite good, although I find it a lot harder to read.

    --
    *''I can't believe it's not a hyperlink.''
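An added check for the two things joe+155 points at (not code from the thread or from any project): it reads an sshd_config for PermitRootLogin and counts failed root logins in a /var/log/secure-style file. The config and log contents are constructed samples written to temp files so it runs offline; on a real Fedora box you would pass /etc/ssh/sshd_config and /var/log/secure.

```shell
#!/bin/sh
# Added example: audit sshd root-login policy and failed root attempts.

# Return 0 if the given sshd_config permits root login. Only the last
# uncommented PermitRootLogin wins; an absent directive is treated as
# permissive, which was the OpenSSH default at the time of this thread.
root_login_allowed() {
    cfg="$1"
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
          | tail -n 1 | awk '{print tolower($2)}')
    case "$val" in
        no|without-password|prohibit-password) return 1 ;;
        *) return 0 ;;
    esac
}

# Count "Failed password for root" lines in a /var/log/secure-style file.
# "|| true" keeps grep's exit status 1 (no matches) from tripping set -e.
failed_root_logins() {
    grep -c 'Failed password for root from' "$1" || true
}

# Constructed sample inputs (not real configs or logs).
SAMPLE_CFG=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
EOF
cat >"$SAMPLE_LOG" <<'EOF'
Oct 20 03:14:07 host sshd[2211]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 20 03:14:09 host sshd[2211]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 20 03:14:12 host sshd[2213]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Oct 20 03:15:01 host sshd[2220]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
EOF

if root_login_allowed "$SAMPLE_CFG"; then
    echo "sshd permits root login: set PermitRootLogin no (or prohibit-password)"
fi
echo "failed root logins recorded: $(failed_root_logins "$SAMPLE_LOG")"
```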
  5. The last guy to try this is in jail by Animats · Score: 4, Informative

    but this guy is just too good. Not likely he'd have made a mistake.

    Let's take a look at the career of last year's big pump-and-dump spammer:

    "Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers"

    "Pump-and-dump spam domains go silent after botnet closure"

    Spammers register pump-and-dump spam domains for use in spam runs. These domains are commonly discarded after a few days. The tactic is commonplace but the arrest of alleged botmaster Jeanson James Ancheta, 20, of Downey, California, on 3 November has been accompanied by a radical shift in the landscape. "Up to recently, the graphs were all fairly smooth, with the stats showing that 12 days was about the maximum lifetime for this type of domain, while 30 per cent only lasted a day or under, and 10 per cent only lasted three hours or under," Shipp said. "This kind of activity just disappeared completely from the radar on 2 November."

    Following up:

    "Botnet Creator Pleads Guilty, Faces 25 Years"

    Federal Bureau of Prisons Inmate Locator

    • Name: JEANSON JAMES ANCHETA
    • Inmate number: 32392-112
    • Age: 21
    • Race: Asian
    • Sex: M
    • Projected release date: 12-25-2009
    • Location: CALIFORNIA CITY CORRECTIONAL INSTITUTION

    California City Prison: "This medium security desert prison opened in 2000, and is a stunning sight, either by day when its monolithic forms stand out on the desert pavement like ancient Egyptian architecture, or by night when floodlights bathe the gleaming facility in an orange glow which can be seen from as much as 30 miles away."

    Next spammer, please.

  6. Re:Potential for good, and evil by ArwynH · Score: 4, Informative

    Copyright Infringement Alarm!!!

    A bit amusing in the context, but let's be fair here, when you post someone else's work, please give them credit!

    This is RMS's 'Right to Read'. It is copyrighted under a very free license. All you have to do is give credit to the writer. That is something most people do without thinking, because it is the Right Thing to Do.

    Anyway, in case the AC gets modded into copyright infringement hell, the original text, as well as some updated comments, are available here. It's an interesting read.