Slashdot Mirror


When Malware Attacks Malware

PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"

10 of 135 comments

  1. Stronger malware by eviloverlordx · · Score: 5, Insightful

    It just means that, in a few years, all of the malware will be significantly harder to kill. All of the weaker 'species' will have been driven to extinction (via changes in coding). It had to happen eventually. We may even see 'anti-viral resistant' strains.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
    1. Re:Stronger malware by morgan_greywolf · · Score: 5, Funny

      No way. Malware is made by an Intelligent Creator. It is what it is. Intelligent Malware Design is just as good a theory as Malware Evolution.

  2. A New Variation of Life... by __aaclcg7560 · · Score: 5, Funny

    So is there going to be a screen saver that will show the good and bad malware attacking each other as the computer keeps waving a white flag?

  3. Old News by 140Mandak262Jamuna · · Score: 4, Funny

    The well known malware Internet Explorer has been attacking another well known malware WinXP for quite some time. So why get worked up about these obscure ones?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. It begins by inviolet · · Score: 4, Interesting

    Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware.

    Thus begins the ecology of internet software. CPU cycles are simply too valuable (en masse) for one piece of malware to share with others.

    Eventually, look for malware to get better and better at rooting out rival malware in order to take its place. As well, look for malware to be more cautious about consuming host resources, lest it get noticed by a user or antivirus package.

    It's no different than Earthly biology. We think nothing of the colossal number of parasitic microorganisms currently hitching a ride on our metabolism. Some like E. coli are so useful that we even enthusiastically encourage (Yoplait anyone?). Symbiosis carries major advantages along the lines of "division of labor". How many years before real symbiosis is realized among internet-connected computers?

    It would also evolve the antivirus landscape. The "OMG sterilize all machines!!!1!" mantra would change into a more relaxed problem: calculate the most efficient amount of CPU cycles to allocate among the competing tasks of:

    • detect malware through behavior analysis (the current cutting edge)
    • detect malware through recognition scanning (the tried and true way)
    • tolerate malware as long as it doesn't eat up too much CPU

    That's how our bodies do it, anyway.

    --
    FATMOUSE + YOU = FATMOUSE
  5. ... doing what? by Savage-Rabbit · · Score: 4, Funny

    And the Dept of Homeland security is doing what? exactly! Trying to figure out who to bomb?
    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  6. If they'd just fix each other... by queenb**ch · · Score: 5, Funny

    Will someone please write a worm that 1) turns Windows Update on, 2) turns the Windows Firewall on, 3) turns off the keyboard & mouse ports for Windows 3.1, 95, 98, and ME machines thus forcing the retarded end users running on these platforms to upgrade, 4) installs ClamWIN and scans the hard drive, 5) installs SpyBot Search & Destroy and scans the hard drive, and 6) administers an electric shock to the aforementioned retarded end user for not taking care of this themselves?

    If your dog was running around the neighborhood barking at people and biting them, they'd make you do something about the dog. I don't see why your computer gets to do the same thing on the internet with such impunity.

    2 cents,

    QueenB.

    --
    HDGary secures my bank :/
    1. Re:If they'd just fix each other... by Tony+Hoyle · · Score: 4, Informative

      I wouldn't use Spybot - it's getting kinda out of date now, and doesn't detect some of the worst ones. I've *never* seen Windows Defender successfully detect a spyware infestation - it's 100% useless.

      I recently had to fix a machine that was declared 100% clean by Spybot, Hijackthis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a virtumundo variant... the checker (forget the name) recommended by the hijackthis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in realtime.. you *can't* delete it manually). That's now in my machine fixing arsenal for the next time I see it.

      Makes me wonder how many of the bleats that 'my machine is clean therefore it must be blizzard being hacked' posts on the Wow forums have variants of similar crapware on there.. and they've fallen into the trap of believing the scanners despite the overwhelming evidence to the contrary.

      * And that was a machine without IE on it and fully patched.. the thing apparently got on in a trojanned version of Acrobat Reader.

    2. Re:If they'd just fix each other... by kabocox · · Score: 5, Informative

      I've found some things that you asked for, but not all. I don't know how to string them all together. ClamWin, and SpyBot, both say that they'll run from a bootCD. I didn't find any easy to follow admin install instructions for them. Mainly everything else is some reg files. I didn't find anything on keyboard or mouse ports of earlier versions of windows. I also didn't find anything about how to shock users. In the spirit of open sourceness, I expect someone else to actually do the real work of building a self installing zip file of ClamWin & Spybot, setting your fav. reg. settings, and having all of them autorun after a shutdown -r. I know that "it should be possible." I don't know enough windows scripting in order to do it.

      net stop wuauserv

      Start -> Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Re-prompt for restart with scheduled installations. They hid it well but it's there :^)

      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
      "RebootRelaunchTimeoutEnabled"=dword:00000000
      "NoAutoRebootWithLoggedOnUsers"=dword:00000001

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoDevMgrUpdate value to 0

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall

      Set these to "not configured"
      * Windows Firewall: Protect all network connections
      * Windows Firewall: Do not allow exceptions
      * Windows Firewall: Define program exceptions
      * Windows Firewall: Allow local program exceptions
      * Windows Firewall: Allow remote administration exception
      * Windows Firewall: Allow file and printer sharing exception
      * Windows Firewall: Allow ICMP exceptions
      * Windows Firewall: Allow Remote Desktop exception
      * Windows Firewall: Allow UPnP framework exception
      * Windows Firewall: Prohibit notifications
      * Windows Firewall: Allow logging
      * Windows Firewall: Prohibit unicast response to multicast or broadcast requests
      * Windows Firewall: Define port exceptions
      * Windows Firewall: Allow local port exceptions

      http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508

      Preparation

      Start by installing the latest version of ClamWin, and download the latest virus definitions. See the ClamWin manual for full details on how to do this. Note that, if you are going to create a CD, you will not be able to update the virus definitions without creating a new CD, since a CD is read-only.
      Copy Folders

      Create a working folder in a convenient location to hold the files that are to be copied onto CD/USB, eg C:\ClamWin-CD.
      In the working folder, create a folder named ClamWin.
      Copy the contents of the ClamWin program folder into C:\ClamWin-CD\ClamWin. By default, the ClamWin program folder is installed to C:\Program Files\ClamWin
      Create folders named log, db and quara

  7. hasn't... by Anonymous Coward · · Score: 4, Funny

    Hasn't norton a/v been doing exactly this for years? Malware, fighting malware? :)