Slashdot Mirror


Trojan Installs Anti-Virus, Removes Other Malware

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."

38 of 202 comments

  1. Hmm.. by Anonymous Coward · · Score: 4, Funny

    It sounds a little too intelligent to have been designed by humans.

    Cyclons? I hear they are hot!

    1. Re:Hmm.. by Aladrin · · Score: 5, Funny

      Cylons, I think you mean. And yeah, there's 2 or 3 that are pretty awesome. Nothing like having sextuplets for... well, sex.

      But I do agree that this guy is either extremely forward thinking, or a madman. His own virus could prevent any further viruses he writes... That's... Stupid. :D

      I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, so it didn't much matter. It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls. Somehow, it's just not that much worse.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Hmm.. by Dunbal · · Score: 4, Funny

      It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls.

      Why spraypaint when you can use all the blood - it just looks so much cooler, uh, wait...

      --
      Seven puppies were harmed during the making of this post.
  2. Potential for good, and evil by Anonymous Coward · · Score: 5, Funny
    Wake me up when it also installs linux.

    1. Re:Potential for good, and evil by joe+155 · · Score: 4, Interesting

      "Second it install anti-virus software that chews up computing resources with out doing anything useful."

      I wouldn't say that. I must say that in principle I am against all software which you can't control and know the nature of, but if you've got infected by this then you may well have got infected by a whole host of other viruses - so this seems like a good thing.

      --
      *''I can't believe it's not a hyperlink.''
    2. Re:Potential for good, and evil by Jessta · · Score: 4, Insightful

      Removing other malicious software doesn't make the machine at all secure. It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    3. Re:Potential for good, and evil by SmurfButcher+Bob · · Score: 5, Funny

      > Second it install anti-virus software that chews up computing resources with out doing anything useful.

      If *that* were true, it would have installed NAV.

      *cough*

      --

      help me i've cloned myself and can't remember which one I am

    4. Re:Potential for good, and evil by ArwynH · · Score: 4, Informative

      Copyright Infringement Alarm!!!

      A bit amusing in the context, but let's be fair here, when you post someone else's work, please give them credit!

      This is RMS's 'Right to Read'. It is copyrighted under a very free license. All you have to do is give credit to the writer. That is something most people do without thinking, because it is the Right Thing to Do.

      Anyway, in case the AC gets modded into copyright infringement hell, the original text, as well as some updated comments, are available here. It's an interesting read.

  3. A wise move by Andy_R · · Score: 5, Insightful

    Any system that is badly protected enough to get infected is probably already bogging down and in danger of the user getting it fixed. This is probably a very good strategy to improve the usefulness of the machine to the hijacker, and reduce the chances of the user doing anything about the infection. I'm surprised this hasn't happened before.

    --
    A pizza of radius z and thickness a has a volume of pi z z a
    1. Re:A wise move by Pharmboy · · Score: 5, Interesting

      Actually, I am waiting for the BSA to come in and sue the people whose machines were "infected" with this pirated version of Kaspersky AV software. The BSA poses a greater threat than the spyware that was removed.

      User: "I didn't install it! I swear!"
      BSA: "Yeah right, it just installed itself...."

      --
      Tequila: It's not just for breakfast anymore!
    2. Re:A wise move by jbourj · · Score: 5, Funny

      I can just see the rival spyware companies' lawsuit: "the users were never prompted and asked if they wanted our product removed."

  4. Coming up next... by Kjella · · Score: 5, Interesting

    ...plenty of other crapware removing that virus. Seeing how much of that crap can coexist on one machine, I imagine these people will be forced back in line. And I don't think anything like a "civil war" fought on users' computers will be good for the users either.

    --
    Live today, because you never know what tomorrow brings
  5. Re:This is great! by Mikya · · Score: 5, Funny

    Hopefully we will see a new "virus" war, hasn't it been quite a while since the last one?

    There's a reason for all those extra cores in the upcoming processors. :)

  6. Re:This is great! by UPi · · Score: 5, Interesting

    I was wondering how long before this actually happened. Back when my web server was under a barrage of malformed requests from infected IIS installations, I had the urge to create a script which would retaliate with exploiting, gaining access and patching the zombified computer... or at least, shut it down.

    While I never actually did this, mostly due to lack of time and for fear of possible lawsuit, it was certainly possible. So now it's a reality, thanks to... whoever. I think it's a Good Thing.

  7. A Trojan that Installs Anti-Virus & removes ot by Anonymous Coward · · Score: 5, Funny

    Malware is commonly known as the Norton Antivirus installer. ;)

  8. Sounds good! by 1.000.000 · · Score: 5, Funny

    Where can I get this trojan?

    --
    This is a viral signature. You are now infected!
  9. Darwin, Schmarwin by CheeseburgerBrown · · Score: 5, Funny

    I know before too long there'll be some long and nearly interesting thread about the Darwinian loveliness manifest in this virus' competitive adaptation, but I think it instead provides a firm basis to identify the handiwork of Intelligent Design.

    In other words, God spams.

    He Is That He Is has simply moved on from meat-based proselytizing and entered the so-called Cyber Age, as was foreseen in Deuteronomy 4:20, Revelations 1:1415, and Glossary 36:D.

  10. Great Idea! by CalSolt · · Score: 5, Funny

    I'm just waiting for Microsoft to release a virus that'll force everyone to run Automatic Update. Think of how many problems it would solve!

  11. This is really bad actually by majortom1981 · · Score: 4, Insightful

    Why is everybody saying this is a good thing? This could be very bad. A virus or any malware that disguises itself as an antivirus would not be detected by anti-virus programs. It's actually very clever. Your machine would be infected and you might not even know it. Especially if you normally run Kaspersky.

  12. Other information about this... by Admin_Jason · · Score: 5, Informative

    Naturally, this is a Windows-specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that we /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this malware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:

    * Backdoor.Win32.Agent.uu
    * Spam-DComServ
    * TROJ_AGENT.BOR

    Removal instructions can also be found here

    --
    Just another nameless binary in a crowd of 1's and 0's
  13. Er.... by spasticfraggle · · Score: 5, Funny

    2? Those bloody integers, eh?

    1. Re:Er.... by davecrist · · Score: 5, Funny

      I'd say 2 was the prime suspect, at least... 8)

  14. Re:This is great! by raduf · · Score: 4, Insightful

    How long will it be before somebody lobotomizes this to just install the anti-virus? Could be a new age in the spam wars...

  15. Says a lot about Kaspersky... by Arkan · · Score: 5, Interesting

    ... if virus authors are confident enough to use it as a means to eradicate competition! This guy put enough faith in this AV to use it as defense on a compromised system. It kind of implicitly confesses that, had the machine been protected by Kaspersky, it couldn't have been compromised.

    Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.

    --
    Arkan, who doesn't care anyway, as long as you can't patch DLLs in-memory... on GNU/Linux

  16. Link to the actual research by httptech · · Score: 4, Informative
  17. Mobsters do the same by Britz · · Score: 5, Insightful

    When the mob kills people it is usually a rival gang. They want to be the only people milking their territory for good reasons.

  18. Re:This is great! by iMouse · · Score: 4, Funny

    Wait! I have the answer! Just install WinAntiVirus and WinAntiSpyware Pro 2006! It'll download the Trojan, you pay your $24 or whatever, and it all disappears!

    Wait...what's that "annoying as hell" flashing icon in my taskbar for...?

  19. Art imitates life by digitalhermit · · Score: 5, Interesting

    In biology, we hear that it's generally not good to regularly use some types of anti-bacterial cleansers. After a while they start wiping out the good or innocuous types, leading to proliferation of the undesirable types. My lawn guy says the same thing about some types of weeds; apparently they keep other, larger and hardier weeds from getting a stronghold. It's funny that in the future this may be how viruses are combated in electronic devices.

  20. cash cow by zogger · · Score: 5, Insightful

    Now you see why windows remains the dominant desktop. It is because by its very nature it is a tremendous cash cow, going up and down and sideways across the IT food chain. Very, very few people are altruistic enough to work as hard as they can to put themselves out of business, especially once the work involved becomes more or less easy and routine.

    Human nature, you can see it at work in a number of areas, take governments for example. It would be quite possible for governments to work towards fine tuning laws and processes to the point that they are clearly understood, as universally fair as possible, and requiring the least bit of constant interfering; they would have to fire themselves, voluntarily withdraw. It doesn't and won't happen though. Bad car analogy. Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer in the long run? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

    And so on. You are trying to balance consumer desires with business desires for repeat sales and increasing sales and peripheral sales, in an economic system that values and rewards that over even just a maintenance of the status quo mode. So it obviously doesn't happen... not much anyway.

  21. Re:Buy a Apple MacIntosh by Ginger+Unicorn · · Score: 5, Insightful

    Well, I run Linux, and I don't find this funny at all. Windows botnets are a fucking nuisance to EVERYONE. Running Mac OS X or Linux won't stop you receiving spam emails, or stop a website you need to use being DDoSed.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  22. Re:This is great! by risk+one · · Score: 5, Insightful

    I think that in the Blaster days there was a copycat worm that downloaded the Microsoft anti-Blaster patch and installed it (in fact I know there was, because I got 'hit' with it).

    It's a nice way to fight zombies, and it might go some way to doing what legal/conventional means have failed to do by using the same viral nature of the original malware to clean the internet up. (While still trying to copy itself from cleaned PCs). The only problem with this (besides the ethical bit about fighting fire with fire, which I don't really care about) is that the users won't know about it.

    Getting infected to the point of having to have somebody clean your system up and install antivirus/firewall/antispyware and a safe browser and email client is a learning experience about how dangerous the internet is these days. If people have their system cleaned up without realizing it, the system may be clean but the people are none the wiser. The best thing, I think, would be to install free (as in beer) software, hiding it just until all scans are done and the system has been cleaned and protected, and then, informing the user in some clear way what has happened and what they can do about preventing it in the future, and that they should probably get their system checked out by a human. It would have to do so in some way that doesn't get mistaken for a web-ad, like replacing the wallpaper with the message.

    The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...

  23. Re:Sounds like .. by Orgazmus · · Score: 4, Funny

    Please don't use Peter Norton's name in connection with Symantec's Anti-CPU Suite. Thank you.

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  24. Re:This is great! by StarfishOne · · Score: 5, Funny

    Graphical Processing Unit, Physics Processing Unit,... Virus Processing Unit? :)

    It should be noted though, that a "Virus Accelerator Board" is not a very good name from a marketing perspective! :P

  25. Re:This is great! by scottv67 · · Score: 5, Informative

    I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it...

    That would be Welchia:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99

    ...(in fact I know there was, because I got 'hit' with it).

    The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.

  26. Re:This is great! by joe+155 · · Score: 4, Informative

    "Maybe I should at least check for rootkits"

    You seem to say that as a joke, but I will answer seriously - you should. Just because you use Linux doesn't mean that you won't get rootkit'd... I'm not sure about Kubuntu, but with Fedora it comes as a default with SSH running and allowing root login - if you don't stop that, /var/log/secure quickly gets longer than your arm and sooner or later someone will be in... and the rootkits are never far behind.

    You should put something like rkhunter on a clean install ideally, so you can keep a check on what's going on. Also chkrootkit is quite good, although I find it a lot harder to read.

    --
    *''I can't believe it's not a hyperlink.''
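The two defensive checks this comment recommends, turning off root logins over SSH and keeping an eye on /var/log/secure, are easy to automate. The script below is an added example and is not code from the comment above, from rkhunter or from chkrootkit. It parses the first PermitRootLogin directive out of an sshd_config fragment the way sshd does (first match wins; Match blocks are not handled here) and tallies failed root password attempts per source address from constructed /var/log/secure-style lines. The log lines, the config fragments and the threshold of three attempts are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not real data; the
# addresses are from documentation ranges).
SAMPLE_SECURE_LOG = """\
Oct 20 03:14:07 host sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 20 03:14:09 host sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 20 03:14:12 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Oct 20 03:15:01 host sshd[2210]: Failed password for root from 198.51.100.77 port 40010 ssh2
Oct 20 03:16:44 host sshd[2215]: Accepted password for alice from 192.0.2.10 port 55000 ssh2
Oct 20 03:17:02 host sshd[2220]: Failed password for root from 203.0.113.5 port 51100 ssh2
"""

# Only lines where the *root* account itself was targeted; "invalid user"
# lines and successful logins are deliberately left out.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed password for root from (?P<ip>[\d.]+) port \d+"
)


def failed_root_logins(log_text):
    """Count failed root password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_ROOT.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def noisy_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed root attempts.

    The threshold is an assumed value; tune it to the host's traffic.
    """
    counts = failed_root_logins(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sshd_config fragments: the weak setting the comment warns
# about beside the hardened one.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

# sshd keywords are case-insensitive and a '#' at the start of a line
# comments it out; this pattern only matches an active directive.
PERMIT_ROOT = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def permit_root_login_value(config_text):
    """Effective PermitRootLogin value (first directive wins), or None if unset."""
    m = PERMIT_ROOT.search(config_text)
    return m.group(1).lower() if m else None


def root_login_allowed(config_text):
    """True unless the config explicitly sets PermitRootLogin no.

    Every other value ('yes', 'without-password', 'prohibit-password',
    'forced-commands-only') still lets root authenticate in some form, and
    an absent directive falls back to a version-dependent default, so it
    is treated as 'not hardened'.
    """
    return permit_root_login_value(config_text) != "no"


if __name__ == "__main__":
    print("failed root logins:", dict(failed_root_logins(SAMPLE_SECURE_LOG)))
    print("noisy sources:", noisy_sources(SAMPLE_SECURE_LOG))
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "config allows root login:", root_login_allowed(cfg))
```

Run it against a real host by reading /etc/ssh/sshd_config and /var/log/secure into the two functions instead of the embedded samples; a config that reports "allows root login: True" is the Fedora default the comment describes, and any address that shows up in `noisy_sources` is a candidate for a firewall rule or for fail2ban-style blocking.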
  27. Re:This is great! by Ruff_ilb · · Score: 4, Funny

    Viral marketing?

    --
    http://www.TheGamerNation.com/Forums
  28. What would be the requirements for an anti-worm? by khasim · · Score: 4, Insightful

    I like the idea of dis-infecting a machine that was trying to infect your machine.

    Would it also be advantageous to have the now worm-free machine to also perform that function?

    If "yes" would you want to be especially helpful and place a removal icon in the "Add/Remove Programs" section so that that functionality could be removed?

    If "no", why not? Other than the bit about installing software on someone else's machine?

    I would NOT want the anti-worm to probe the network. This sounds good in theory, but in practice, any amount of scanning will become a problem as the number of machines doing the scanning increases. Sure, they only consume 0.1% of your bandwidth today. But when there are 10x more machines, 100x more machines, etc.

    Any suggestions?

  29. The last guy to try this is in jail by Animats · · Score: 4, Informative
    but this guy is just too good. Not likely he'd have made a mistake.

    Let's take a look at the career of last year's big pump-and-dump spammer:

    "Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers"

    "Pump-and-dump spam domains go silent after botnet closure"

    Spammers register pump-and-dump spam domains for use in spam runs. These domains are commonly discarded after a few days. The tactic is commonplace but the arrest of alleged botmaster Jeanson James Ancheta, 20, of Downey, California, on 3 November has been accompanied by a radical shift in the landscape. "Up to recently, the graphs were all fairly smooth, with the stats showing that 12 days was about the maximum lifetime for this type of domain, while 30 per cent only lasted a day or under, and 10 per cent only lasted three hours or under," Shipp said. "This kind of activity just disappeared completely from the radar on 2 November."

    Following up:

    "Botnet Creator Pleads Guilty, Faces 25 Years"

    Federal Bureau of Prisons Inmate Locator

    • Name: JEANSON JAMES ANCHETA
    • Inmate number: 32392-112
    • Age: 21
    • Race: Asian
    • Sex: M
    • Projected release date: 12-25-2009
    • Location: CALIFORNIA CITY CORRECTIONAL INSTITUTION

    California City Prison: "This medium security desert prison opened in 2000, and is a stunning sight, either by day when its monolithic forms stand out on the desert pavement like ancient Egyptian architecture, or by night when floodlights bathe the gleaming facility in an orange glow which can be seen from as much as 30 miles away."

    Next spammer, please.