Slashdot Mirror


Trojan Installs Anti-Virus, Removes Other Malware

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."

23 of 202 comments

  1. Coming up next... by Kjella · Score: 5, Interesting

    ...plenty of other crapware removing that virus. Seeing how much of that crap can coexist on one machine, I imagine these people will be forced back in line. And I don't think anything like a "civil war" fought on users' computers will be good for the users either.

    --
    Live today, because you never know what tomorrow brings
  2. Re:This is great! by UPi · Score: 5, Interesting

    I was wondering how long before this actually happened. Back when my web server was under a barrage of malformed requests from infected IIS installations, I had the urge to create a script which would retaliate with exploiting, gaining access and patching the zombified computer... or at least, shut it down.

    While I never actually did this, mostly due to lack of time and for fear of possible lawsuit, it was certainly possible. So now it's a reality, thanks to... whoever. I think it's a Good Thing.

  3. Re:A wise move by Pharmboy · Score: 5, Interesting

    Actually, I am waiting for the BSA to come in and sue the people whose machines were "infected" with this pirated version of Kaspersky AV software. The BSA poses a greater threat than the spyware that was removed.

    User: "I didn't install it! I swear!"
    BSA: "Yea right, it just installed itself...."

    --
    Tequila: It's not just for breakfast anymore!
  4. Buy an Apple Macintosh by macaroo · Score: 3, Interesting

    I sit here happily running OSX 10.4.8 on my G4 powered Mac and laugh at the electronics and software Wars taking place in the MS World. I clean Windows machines for a living and am not surprised at this development. Most machines can take a little malware infection, but are maintained when the owner can't boot anymore or the machine slows to a crawl.

    1. Re:Buy an Apple Macintosh by Admin_Jason · Score: 2, Interesting

      Of course your Mac is safe, the OP article spoke to the Windows-specific nature of the trojan. Keep talking up the Mac though. More and more people are moving toward it, and I could see a day where trojans, ad-wares, spywares, and virus-writers start seeing the merit of engineering their wares toward the Mac OS. Hmmm...writing wares for an OS based on an open-sourced kernel...yeah, there's no danger in that [/sarcasm]

      On a more serious note, please tell us you are speaking metaphorically about your laughter, as laughing at the resource which, by your own admission, provides you a job, does not paint you in the best of lights. Laughing at the plights of others is not only in bad taste, it certainly does nothing to boost the image of the rest of the tech world. We, as technically-minded people, should be trying to help and educate those who are not as adept with IT security. Rather than laugh at the plight, try taking an understanding and resourceful approach. "Well Mr. So-and-so, it seems you've gotten this nasty little virus that actually is a fairly new kind of threat, which is why your AV didn't catch it. I actually read about this nasty bugger on a forum I visit, and have a solid way of removing it for you. Just to let you know, I have a Macintosh at home, and that is not even at risk since this was written for Windows. If you'd like, I'd be happy to schedule some time to go over the benefits of migration with you and your people (or family or employees, or friends)."

      I bet that gets you further than the approach you mentioned in your post.

      --
      Just another nameless binary in a crowd of 1's and 0's
  5. Says a lot about Kaspersky... by Arkan · Score: 5, Interesting

    ... if virus authors are confident enough to use it as a means to eradicate competition! This guy put enough faith in this AV to use it as defense on a compromised system. It kind of implicitly confesses that, had the machine been protected by Kaspersky, it couldn't have been compromised.

    Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.

    --
    Arkan, who doesn't care anyway, as long as you can't patch DLLs in-memory... on GNU/Linux

    1. Re:Says a lot about Kaspersky... by DarthChris · Score: 2, Interesting
      Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.
      Obligatory shooting down your conspiracy - if they did, they'd get the shit sued out of them. The only thing that saved Sony (during the rootkit fiasco) was their size as a corporation, and I presume Kaspersky don't have that.

      I'm more interested in seeing what Kaspersky's official response to this is.
      --
      Don't you just hate it when people reply to your signature?
  6. Art imitates life by digitalhermit · Score: 5, Interesting

    In biology, we hear that it's generally not good to regularly use some types of anti-bacterial cleansers. After a while they start wiping out the good or innocuous types, leading to proliferation of the undesirable types. My lawn guy says the same thing about some types of weeds; apparently they keep other, larger and hardier weeds from getting a stronghold. It's funny that in the future this may be how viruses are combated in electronic devices.

  7. Done before? by therufus · Score: 1, Interesting

    Wasn't there a variant on the blaster worm that uninstalled the original blaster worm and replaced it with a new variant?

    I'm sure this has been done before.

    Ah, yes. The Welchia worm!

    Boring. Next please...

    --
    You moved your mouse. Please restart Windows for changes to take effect.
  8. Re:This is great! by Tom · Score: 3, Interesting

    Back in the day I actually installed this on my webserver. It was only after I had it running for a while that the number of exploited Windows servers attacking me dropped. I'm very sure that there is a kind of ground layer of infected PCs and servers that will never be cleaned up by their admins.

    In fact, I think there's a much larger percentage where something-bad-and-visible-happening-to-the-machine is the most reliable way to get its clueless idiot users to reinstall, activate the firewall and/or run a damn virus scanner.

    Remember: 10 years ago, the script kiddies taking over your machine wanted to shut it down, just to show you who's boss. Today, the organized criminals taking over your machine want it to stay up, so they can push as much spam out as possible.

    --
    Assorted stuff I do sometimes: Lemuria.org
  9. reminds me of some of my old ideas by Nyph2 · Score: 3, Interesting

    Heh, in 2001 I had this exact idea as part of my concept for a theoretical modular virus. Most of the things I envisioned in that concept have since been picked up by malware producers (for example, modular virii, multi-system virii, rootkits in a virus either as the main payload or to reinstall the payload (or a different payload) after the system has been cleaned, to mention a few which have gone into use on some scale since I came up with my idea), but there were a few tricks my concept had that I've yet to hear about in the wild, so I won't go into any of those details for fear of giving anyone ideas. (I have never developed, nor do I ever intend to develop this concept into an actual program. I'm morally opposed to virii... I was just thinking of the things I would be afraid to see in virii, and how one would go about dealing with something using concepts like what I envisioned.)

    It also reminds me of a sorta funny virus killer that was my precursor idea to the modular concept in 2000: a virus which uses the same 'sploit as a previous virus. The goal: download a removal package, the patch to the 'sploit you used to get in, and a package to temporarily host all of the packages. Once it does this, it simply removes the old virus, patches the system, and hosts the files for a brief period of time (prolly around a day, definitely no longer than a week... could also judge how long to host it off frequency of requests for the info) to allow the virus to P2P the files rather than place the load on a central server. Could also disable the network adapter for a period of time in there if needed to make sure it doesn't get reinfected during the removal/patching phases.

    I decided against ever building such a virus-chaser because it's near as bad as the original virus. It's illegal, it could cause network congestion, and while it intends to do good, it's pretty immoral to install stuff on a system & patch it without the user's consent.

    Still, a funny concept, similar in some ways to the malware this article discusses.

    PS, I know the plural of virus is viruses. Virii is just fun to say tho.

  10. Re:Sounds like .. by Fred_A · Score: 2, Interesting

    I don't believe there are any non extreme ways of getting rid of the damn thing. It has its little claws dug in deep and you have to bash it repeatedly on its ugly little head with a crowbar before it finally lets go (spewing gore everywhere).

    I haven't had to uninstall it from friends' machines recently (so it might have gotten better, or worse) but I have fond memories of that thing. Reminded me of the headcrabs in HL2.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  11. Re:Potential for good, and evil by joe+155 · Score: 4, Interesting

    "Second it install anti-virus software that chews up computing resources with out doing anything useful."

    I wouldn't say that. I must say that in principle I am against all software which you can't control and know the nature of, but if you've got infected by this then you may well have got infected by a whole host of other viruses - so this seems like a good thing.

    --
    *''I can't believe it's not a hyperlink.''
  12. Re:Potential for good, and evil by joe+155 · Score: 3, Interesting

    Indeed, it isn't secure, and in fact it'll still be part of a bot net (as I understand it), but the point I was making was that this is likely to have happened anyway - these computers are already as "owned" as they are likely to get. So a trade off between being "owned" by someone who wants to steal your bank data, your passwords, and send out spam, or just being "owned" by someone who wants to do Denial of Service attacks and send spam.

    If it's a choice I'll take the latter... Of course if there was an option which was open-source and didn't have its own malware then maybe we'd really be on to a winner.

    --
    *''I can't believe it's not a hyperlink.''
  13. Re:cash cow by westlake · Score: 2, Interesting
    Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer..? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

    Henry Ford thought he had the perfect car in the Model T and so it was in 1915.

    But times change. The definition of perfection changes.

    The electric starter means you don't have to be a young adult male in his physical prime to drive an automobile. Without risking a broken arm or cardiac arrest every time you crank her up.

    Hard surfaced roads and reliable low pressure tires means you can build for speed and comfort. Mass production means you can build an all-metal, all-weather, closed car, the four door sedan, and price it within reach of anyone with a middle class income.

  14. Re:This is great! by v1 · Score: 3, Interesting

    You would think the authors of the "botnet takeover" viruses would make them such that once they gained control of a computer, they would do just this... patch the vulnerability that they used to get in in the first place, to prevent "competition" on the owned system?

    --
    I work for the Department of Redundancy Department.
  15. Great, get busted for having pirated software by Yahma · Score: 2, Interesting

    Why not protect your computer in the first place and not have to worry about spyware and viruses. If you are on a Windows machine and you are browsing warez or other "not so legit" sites, you better protect yourself. You would be advised to use an Anonymous Proxy to browse such sites, as you really don't want your IP address floating around in their logs when they get busted, do you?

    Furthermore, a proxy such as the above would protect you from malicious scripts.

  16. Re:This is great! by Khabok · Score: 3, Interesting

    How about a dedicated antivirus board? I'm on a Mac so I dunno, but everyone around me is constantly complaining about the CPU load for antivirus software.

    Imagine, then, a cheap processor (an Intel embedded-grade unit, for instance, running about 100-150 MHz) connecting to a new slot on the motherboard that runs background virus scans while your HD(s) is(are) idle. Got sensitive data or a long vulnerability list? Drop fifty, hundred bucks and upgrade the card.

    CPU load isn't the only reason for this either. Vista is trying to kill off antivirus software, remember? This could be a chance for hardware manufacturers to get McAfee, Norton, Symantec, and all them good ol' boys right back into the ball-game.

    Dell? Are you listening? ...Bueller?

  17. P2P? by Anonymous Coward · Score: 1, Interesting

    Someone needs to create a trojan that downloads the non-graphical core of a p2p filesharing client, and starts downloading and re-sharing a few popular songs.

    It would be a very interesting test of the law.

  18. Re:This is great! by CastrTroy · Score: 2, Interesting

    I don't think that most of the slowdown with antiviral software comes from the processor usage, but rather from it having to read every file you try to access before you access it. My NAV at work was set up to scan every single file every single time it was opened. That's a major resource hog. Especially since things like txt or XML files (which can get large) have 0 chance of maintaining viruses. A smart virus scanner may just do an md5 sum of the file, and then, if it hasn't changed, not bother scanning. Although I don't know if that would be any faster. Myself, I use Linux at home, so I don't worry so much about virus scanners.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
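Following up on the hash-cache idea in the post above: an added example, not code from the post or from any antivirus product, contrasting the two ways an on-access scanner can decide that a file has not changed since its last verdict. Everything in it is constructed: the marker byte string stands in for a signature database, the files are written to a temporary directory, and the "same size, timestamp restored" rewrite between the two passes is the case that separates the two cache designs.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed stand-in for a signature database. The marker is an arbitrary
# byte string chosen for this example, not a real malware signature.
SIGNATURES = [b"EXAMPLE-MARKER-NOT-A-REAL-SIGNATURE"]


@dataclass
class CacheEntry:
    size: int
    mtime_ns: int
    sha256: str
    verdict: str  # "clean" or "infected"


class CachedScanner:
    """On-access scanner that remembers past verdicts.

    strategy="hash": re-read and hash the file; skip signature matching when
                     the SHA-256 equals the cached digest (saves matching, not I/O).
    strategy="stat": skip everything when size and mtime are unchanged (saves
                     I/O, but a rewrite that restores the old mtime is not seen).
    """

    def __init__(self, strategy):
        if strategy not in ("hash", "stat"):
            raise ValueError(strategy)
        self.strategy = strategy
        self.cache = {}          # path -> CacheEntry
        self.bytes_read = 0      # I/O actually performed
        self.full_scans = 0      # signature-matching passes actually run

    def _read(self, path):
        with open(path, "rb") as f:
            data = f.read()
        self.bytes_read += len(data)
        return data

    def scan(self, path):
        st = os.stat(path)
        entry = self.cache.get(path)
        if self.strategy == "stat" and entry is not None \
                and entry.size == st.st_size and entry.mtime_ns == st.st_mtime_ns:
            return entry.verdict                  # fast path: nothing is read
        data = self._read(path)
        # SHA-256 rather than the post's MD5: MD5 collisions are practical, so a
        # cached MD5 could be matched by a different file with the same digest.
        digest = hashlib.sha256(data).hexdigest()
        if self.strategy == "hash" and entry is not None and entry.sha256 == digest:
            return entry.verdict                  # identical bytes: matching skipped
        self.full_scans += 1
        verdict = "infected" if any(sig in data for sig in SIGNATURES) else "clean"
        self.cache[path] = CacheEntry(st.st_size, st.st_mtime_ns, digest, verdict)
        return verdict


def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: three files scanned twice; between the passes one
    file is rewritten in place at the same size with the marker and its old
    timestamps are put back. Returns what each strategy reports."""
    clean = b"harmless text\n" * 1000
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, "file%d.txt" % i) for i in range(3)]
        for strategy in ("hash", "stat"):
            for p in paths:
                write_file(p, clean)
            s = CachedScanner(strategy)
            first = [s.scan(p) for p in paths]
            read_after_first = s.bytes_read
            # Same length, old atime/mtime restored: a size+mtime cache sees no change.
            st = os.stat(paths[0])
            marker = SIGNATURES[0]
            write_file(paths[0], marker + b"x" * (len(clean) - len(marker)))
            os.utime(paths[0], ns=(st.st_atime_ns, st.st_mtime_ns))
            second = [s.scan(p) for p in paths]
            results[strategy] = {
                "first": first,
                "second": second,
                "full_scans": s.full_scans,
                "bytes_read_second_pass": s.bytes_read - read_after_first,
            }
    return results


if __name__ == "__main__":
    for strategy, report in demo().items():
        print(strategy, report)
```

Running `demo()` shows the trade-off the post wonders about: the hash cache catches the rewritten file but reads every byte of all three files again, so it saves the matching work and none of the I/O; the stat-only cache reads nothing on the second pass and hands back the stale "clean" verdict for the altered file. Products therefore combine the two, using the cheap stat check as a fast path, rescanning whenever the filesystem filter reports a write, and throwing the cache away on every signature update; and the cache itself has to live somewhere only the scanner can write, since anyone able to edit it can mark a file clean.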
  19. Re:This is great! by CastrTroy · Score: 3, Interesting

    This makes me wonder if you could make money by remotely managing somebody's computer for them. Install all the updates, make sure everything runs smoothly, clean off the malware and viruses. You could probably get the system automated. I know a lot of people whose computers are always taken over by viruses, or they just end up installing stuff that they use once and never again (I don't know why Windows develops problems when you install too many programs; my Linux box has hundreds of programs installed, and doesn't slow down a bit). Anyway, I think there's a lot of people who'd be willing to pay a monthly subscription fee if you kept their computer running fast and organized. With all the required updates and stuff. I think Dell could offer something like this to their customers. Although they probably make more money when they buy a new computer every year when their old one gets slow.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  20. Re:volvos/a link addition by zogger · Score: 2, Interesting

    Here's a link of an example, over 2 million miles with a valve replacement when they stopped selling leaded gas

    http://www.theautochannel.com/news/2004/08/26/213634.html

  21. because AVG does NOT work better by Phil+Urich · Score: 3, Interesting

    in my experience, Kaspersky Labs works almost amazingly better against viruses; at least, it has easily fixed computers where AVG couldn't even see a problem. I'm sorry, I know it'd be great to be all "yay AVG!" since it's free, but I've begrudgingly grown to respect Kaspersky. Of course, it's much much better than Norton as well, but that's pretty much taken for granted.

    (Reminds me of a funny story, though. My friend's computer was acting up, in some very odd and rather annoying ways. I tsk-tsked him, implying that he probably caught himself some kind of infection. He went "no, no, this legit copy of Norton I have would have seen it." I took his hard drive out, threw it in my machine, and Kaspersky Labs immediately started deleting. Once the massive infection (mainly of worms) was gone, we put it back in his box, and his Win2k install ran with significantly less hassle; all those mysterious problems were gone, how about that. Norton, throughout all of this, just smiled into space like an idiot. And don't get me started on McAfee!)

    Kaspersky is also quite configurable for ignoring certain files, and has a rather robust system for doing so; I find it handy myself, considering that I have quite a few programs that have the kinds of engines in them that might be detected heuristically by Kaspersky as being virus-y, for lack of a better term (for example, the smtp engine in anonymail is the kind of setup that a worm might use for using a computer to randomly mail copies of itself around). So if this piece of kinda-mal-ware is to survive its own medicine, that sort of functionality is rather useful (I haven't used AVG for about a year now, but when I last used it I remember a lack of that kind of breadth of deliberate "leave such-and-such alone").

    You're right though, that adding copyright infringement on top of this is a bit of an issue, but under the circumstances it's an issue of contempt for the end-user anyways. Not saying whether that's justified or not, just that it's deliberately out of the control of whomever owns the infected computer, so it's not like *they'd* be liable anyways . . .

    Actually, hey, maybe the creator really likes AVG and doesn't want to give it bad press? There's quite a few possible reasons for this choice, thinking about it.

    --
    I remember sigs. Oh, a simpler time!