
Trojan Installs Anti-Virus, Removes Other Malware

Posted by Zonk
from the clever-little-monkey dept.
An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."
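The summary above says the trojan patches the license check inside the Kaspersky DLL in memory, so the code bytes of that DLL inside the process no longer match the file on disk. As an added, defender-side illustration (not code from the article, from SpamThru or from Kaspersky), the Python below diffs one section's on-disk and in-memory copies, skips the bytes the loader legitimately rewrites through base relocations, and reports every remaining run of changed bytes; the section bytes, offsets and relocation entries are constructed for the example.

```python
"""Diff a module's on-disk code section against its in-memory copy.

Added illustration for the SpamThru summary: after an in-memory patch of a
DLL, the bytes in the process differ from the file on disk. This is not the
trojan's code, nor Kaspersky's; all bytes, offsets and relocation entries
below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Patch:
    rva: int       # offset of the first modified byte, relative to the module base
    disk: bytes    # bytes as they appear in the file on disk
    memory: bytes  # bytes as found in the running process


def find_patches(disk: bytes, memory: bytes, reloc_rvas: Set[int],
                 section_rva: int = 0, ptr_size: int = 4) -> List[Patch]:
    """Return every contiguous run of bytes that differs between the two copies.

    Bytes covered by a base-relocation entry legitimately change when the
    loader rebases the image, so they are excluded; anything else that
    differs is reported as a patch."""
    if len(disk) != len(memory):
        raise ValueError("disk and memory images of a section must match in length")
    relocated = {r + i for r in reloc_rvas for i in range(ptr_size)}
    patches: List[Patch] = []
    start: Optional[int] = None
    # Walk one byte past the end so a run touching the last byte is flushed.
    for i in range(len(disk) + 1):
        differs = (i < len(disk) and disk[i] != memory[i]
                   and (section_rva + i) not in relocated)
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            patches.append(Patch(section_rva + start, disk[start:i], memory[start:i]))
            start = None
    return patches


# Constructed sample: a tiny x86 routine as it sits in the file on disk ...
SECTION_RVA = 0x1000
DISK_TEXT = bytes([
    0x85, 0xC0,                    # test eax, eax
    0x74, 0x05,                    # je  +5   (conditional branch)
    0x31, 0xC0, 0xC3,              # xor eax, eax ; ret
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov eax, 1
    0xC3,                          # ret
    0x90, 0x90, 0x90,              # padding
    0x00, 0x10, 0x40, 0x00,        # absolute pointer 0x00401000, covered by a relocation
])
# ... and as read back from the process: the loader rebased the pointer
# (legitimate, skipped) and something overwrote the conditional branch (reported).
MEMORY_TEXT = bytearray(DISK_TEXT)
MEMORY_TEXT[2:4] = b"\x90\x90"
MEMORY_TEXT[16:20] = bytes([0x00, 0x10, 0x00, 0x10])
RELOC_RVAS = {SECTION_RVA + 16}


def scan_sample() -> List[Patch]:
    """Run the comparison over the constructed section; one patch is expected."""
    return find_patches(DISK_TEXT, bytes(MEMORY_TEXT), RELOC_RVAS, SECTION_RVA)


if __name__ == "__main__":
    for p in scan_sample():
        print(f"patched at RVA 0x{p.rva:x}: {p.disk.hex()} -> {p.memory.hex()}")
```

On a real system the two inputs would be the section read from the DLL file and the same range read out of the process; the comparison logic is unchanged.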
  • Hmm.. (Score:4, Funny)

    by Anonymous Coward on Saturday October 21, 2006 @07:27AM (#16527245)
    It sounds a little too intelligent to have been designed by humans.

    Cyclons? I hear they are hot!
    • Re:Hmm.. (Score:5, Funny)

      by Aladrin (926209) on Saturday October 21, 2006 @07:34AM (#16527281)
      Cylons, I think you mean. And yeah, there's 2 or 3 that are pretty awesome. Nothing like having sextuplets for... well, sex.

      But I do agree that this guy is either extremely forward thinking, or a madman. His own virus could prevent any further viruses he writes... That's... Stupid. :D

      I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, so it didn't much matter. It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls. Somehow, it's just not that much worse.
      • Re:Hmm.. (Score:5, Funny)

        by Dunbal (464142) on Saturday October 21, 2006 @09:00AM (#16527613)
        It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls.

        Why spraypaint when you can use all the blood - it just looks so much cooler, uh, wait...
      • Depending on his method of detecting/ignoring his own virus; if done right, he could be looking for a signature that his future virii share.
      • Legalities (Score:4, Informative)

        by Ungrounded Lightning (62228) on Saturday October 21, 2006 @02:37PM (#16529847) Journal
        I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, ...

        I wonder, though, if a retaliatory disinfector, or even a "beneficial nematode", would be legal?

        This would be a server that not only detects and blocks worm infection attempts, but responds (using one of the vulnerabilities exploited by the original malware or one it installs - which are known to exist due to the malware's presence) by disabling the malware in the attacking computer, and perhaps patching the vulnerabilities exploited by the malware and/or (in the "beneficial nematode" case) copying itself to it. The former attacker is now no longer attacking, is protected from reinfection by the secondary infection, and perhaps becomes another source of counter-attacks.

        Since it only counter-attacked, and even a passively-blocked attack without a counter-attack consumes resources (amounting to a DoS if sufficiently large and persistent), it could be argued that the counter-infection falls under the same principle as the use of force in self-defence. Or perhaps a "necessity defence" could be argued.

        Of course one would have to be especially careful when designing such a self-reproducing tool. A significant issue would be accidental escape into the wild of a buggy version early in the development. Timeouts or "hayflick limit" reproduction counters seem advisable. And building them on pirated antiviral tools would be out of the question.

        IANAL. Does anybody out there have a more informed opinion?
    • The Cylons were created by Man
      They rebelled
      They evolved
      There are many copies
      And they have a plan
  • by Anonymous Coward on Saturday October 21, 2006 @07:28AM (#16527255)
    Wake me up when it also installs linux.

    • by Jessta (666101)
      Pretty much evil. First, it's malicious software that allows a remote user to command your machine. Second, it installs anti-virus software that chews up computing resources without doing anything useful.
      • by joe 155 (937621) on Saturday October 21, 2006 @10:33AM (#16528071) Journal
        "Second, it installs anti-virus software that chews up computing resources without doing anything useful."

        I wouldn't say that. I must say that in principle I am against all software which you can't control and know the nature of, but if you've been infected by this then you may well have been infected by a whole host of other viruses - so this seems like a good thing.
        • by Jessta (666101) on Saturday October 21, 2006 @10:49AM (#16528151) Homepage
          Removing other malicious software doesn't make the machine at all secure. It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.
          • by joe 155 (937621) on Saturday October 21, 2006 @10:57AM (#16528197) Journal
            Indeed, it isn't secure, and in fact it'll still be part of a botnet (as I understand it), but the point I was making was that this is likely to have happened anyway - these computers are already as "owned" as they are likely to get. So it's a trade-off between being "owned" by someone who wants to steal your bank data, your passwords, and send out spam, or just being "owned" by someone who wants to do Denial of Service attacks and send spam.

            If it's a choice I'll take the latter... Of course if there was an option which was open-source and didn't have its own malware then maybe we'd really be on to a winner.
          • Re: (Score:3, Insightful)

            by gad_zuki! (70830)
            >It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.

            Give the man a cigar. This is exactly like parasites which strengthen their host.
            • Re: (Score:3, Insightful)

              by inviolet (797804)

              Give the man a cigar. This is exactly like parasites which strengthen their host.

              Perhaps this is the future of the internet? A competition among virus authors to keep their host machines clean of competing viruses?

              Considering what an unbelievable resource hog my antivirus software is, in the future I might actually do better to let my machine get infected and rely on the infection to symbiotically keep everything else off.

              It's the merger of computation and biology. And it might be more efficient than p

        • Re: (Score:3, Informative)

          by DestinyBWL (169332)
          It "seems" like a good thing, but there are three major reasons why it isn't:

          A) It does so without you being aware.
          B) It illegally installs software that you do not have a license for.
          C) Most modern viruses and trojans are so complex that the only way to remove them is by disabling system restore and running thorough scans in safe mode and/or boot time scans.

          So not only do you have no control over it and become an "unexpected software pirate", but you likely don't even get rid of the other trojans/viruses o
      • by SmurfButcher Bob (313810) on Saturday October 21, 2006 @11:34AM (#16528415) Journal
        > Second, it installs anti-virus software that chews up computing resources without doing anything useful.

        If *that* were true, it would have installed NAV.

        *cough*
  • A wise move (Score:5, Insightful)

    by Andy_R (114137) on Saturday October 21, 2006 @07:36AM (#16527289) Homepage Journal
    Any system that is badly protected enough to get infected is probably already bogging down and in danger of the user getting it fixed. This is probably a very good strategy to improve the usefulness of the machine to the hijacker, and reduce the chances of the user doing anything about the infection. I'm surprised this hasn't happened before.
    • Re:A wise move (Score:5, Interesting)

      by Pharmboy (216950) on Saturday October 21, 2006 @07:47AM (#16527337) Journal
      Actually, I am waiting for the BSA to come in and sue the people whose machines were "infected" with this pirated version of Kaspersky AV software. The BSA poses a greater threat than the spyware that was removed.

      User: "I didn't install it! I swear!"
      BSA: "Yea right, it just installed itself...."
  • Coming up next... (Score:5, Interesting)

    by Kjella (173770) on Saturday October 21, 2006 @07:36AM (#16527295) Homepage
    ...plenty of other crapware removing that virus. Seeing how much of that crap can coexist on one machine, I imagine these people will be forced back in line. And I don't think anything like a "civil war" fought on users' computers will be good for the users either.
    • Fuck all of em. Just "Nuke and Pave" (format and reinstall). It's the only way to win a cyber civil war...and be sure of it.

  • by MavEtJu (241979) on Saturday October 21, 2006 @07:39AM (#16527309) Homepage
    During his analysis, Stewart found that SpamThru was being used to operate a spam-based pump-and-dump stock scheme.

    Add one and one together, and you know who the operator of the botnet is.
  • by Anonymous Coward on Saturday October 21, 2006 @07:42AM (#16527321)
    Malware is commonly known as the Norton Antivirus installer. ;)
  • by 1.000.000 (876272) on Saturday October 21, 2006 @07:44AM (#16527325)
    Where can i get this trojan?
  • by CheeseburgerBrown (553703) on Saturday October 21, 2006 @07:47AM (#16527339) Homepage Journal
    I know before too long there'll be some long and nearly interesting thread about the Darwinian loveliness manifest in this virus' competitive adaptation, but I think it instead provides a firm basis to identify the handiwork of Intelligent Design.

    In other words, God spams.

    He Is That He Is has simply moved on from meat-based proselytizing and entered the so-called Cyber Age, as was foreseen in Deuteronomy 4:20, Revelations 1:1415, and Glossary 36:D.

    • Of course, people who use the Darwin kernel will continue to be smug claiming that the virus could never affect them.
  • Great Idea! (Score:5, Funny)

    by CalSolt (999365) on Saturday October 21, 2006 @08:00AM (#16527379)
    I'm just waiting for Microsoft to release a virus that'll force everyone to run Automatic Update. Think of how many problems it would solve!
  • by majortom1981 (949402) on Saturday October 21, 2006 @08:10AM (#16527413)
    Why is everybody saying this is a good thing? This could be very bad. A virus or any malware that disguises itself as an antivirus would not be detected by anti-virus programs. It's actually very clever. Your machine would be infected and you might not even know it. Especially if you normally run Kaspersky.
    • Re: (Score:2, Insightful)

      by badpazzword (991691)
      A virus or any malware that disguises itself as an antivirus would not be detected by anti virus programs.
      Good antivirus programs scan whatever you tell them to. If you tell them to ignore executables or use some sort of whitelisting, then we have a "User error. Replace the user and press any key to continue."
    • Why is everybody saying this is a good thing.

      It's a fair question.

      Software that installs without the user's knowledge or consent is by definition malware.

      Microsoft asks users to temporarily disable AV when installing IE7 because the installer makes complex changes to the Registry. The install can be trashed by something as simple as an out-of-date signature file.

      Troubleshooting conflicts with AV software can be a nightmare for non-technical end users and Kaspersky is no exception: Kaspersky Lab Forums [kaspersky.com]

  • by Admin_Jason (1004461) on Saturday October 21, 2006 @08:16AM (#16527451) Homepage
    Naturally, this is a Windows-specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that us /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this malware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:

    * Backdoor.Win32.Agent.uu
    * Spam-DComServ
    * TROJ_AGENT.BOR

    Removal instructions can also be found here [sophos.com]
  • by macaroo (847109) on Saturday October 21, 2006 @08:17AM (#16527461)
    I sit here and happily run OS X 10.4.8 on my G4-powered Mac and laugh at the electronics and software wars taking place in the MS world. I clean Windows machines for a living and am not surprised at this development. Most machines can take a little malware infection, but are maintained when the owner can't boot anymore or the machine slows to a crawl.
    • Re: (Score:2, Interesting)

      by Admin_Jason (1004461)
      Of course your Mac is safe, the OP article spoke to the Windows-specific nature of the trojan. Keep talking up the Mac though. More and more people are moving toward it, and I could see a day where trojans, ad-wares, spywares, and virus-writers start seeing the merit of engineering their wares toward the Mac OS. Hmmm...writing wares for an OS based on an open-sourced kernel...yeah, there's no danger in that [/sarcasm]

      On a more serious note, please tell us you are speaking metaphorically about your lau
      • cash cow (Score:5, Insightful)

        by zogger (617870) on Saturday October 21, 2006 @09:12AM (#16527667) Homepage Journal
        Now you see why windows remains the dominant desktop. It is because by its very nature it is a tremendous cash cow, going up and down and sideways across the IT food chain. Very, very few people are altruistic enough to work as hard as they can to put themselves out of business, especially once the work involved becomes more or less easy and routine.

        Human nature, you can see it at work in a number of areas, take governments for example. It would be quite possible for governments to work towards fine tuning laws and processes to the point that they are clearly understood, as universally fair as possible, and requiring the least bit of constant interfering; they would have to fire themselves, voluntarily withdraw. It doesn't and won't happen though. Bad car analogy. Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer in the long run? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

        And so on. You are trying to balance consumer desires with business desires for repeat sales and increasing sales and peripheral sales, in an economic system that values and rewards that over even just a maintenance of the status quo mode. So it obviously doesn't happen... not much anyway.
        • Re: (Score:3, Interesting)

          by westlake (615356)
          Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer..? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

          Henry Ford thought he had the perfect car in the Model T and so it was in 1915.

          But times change. T

          • by raduf (307723)

            I used to think as you think... until I came to own a Fiat 850 (vintage '67). I'm not going to discuss performance here: newer cars are, in all ways, better and more comfortable. However, reliability in anything after '80 that isn't Mercedes (and probably newer Mercedeses too) is laughable. They simply aren't built to last over 10 years. Or more to the point, they're built not to last over 10 years.
            You're going to tell me that this isn't so important any more, that everybody can afford a new car e
        • by Kaboom13 (235759)
          Honestly, no they can't build such a car. It is possible to build frames and chassis designed for very long service lives, 50+ years if not abused, however the powertrain will still need maintenance long before that, and the interior will need to be replaced long before that also. Engines are basically controlled explosions with lots of moving parts, and even the best attempts at making ultra-long lasting and reliable engines still require plenty of maintenance. Seals wear out, metal fatigue sets in, f
    • by Ginger Unicorn (952287) on Saturday October 21, 2006 @09:14AM (#16527677)
      Well, I run Linux, and I don't find this funny at all. Windows botnets are a fucking nuisance to EVERYONE. Running Mac OS X or Linux won't stop you receiving spam emails, or stop a website you need to use being DDoSed.
    • by Lumpy (12016)
      I make $500 a week doing this for people under the table. It supports my performance car habit quite nicely.

      I have a BartPE configured to do everything automagically. I go over to their home, boot the PE disk and start my apps.

      All done, remove disc, accept cash and go buy more performance car parts, engine ECM reprogramming gear, etc...

      I love Microsoft! They make me lots of money!
  • by Arkan (24212) on Saturday October 21, 2006 @08:37AM (#16527547)
    ... if virus authors are confident enough to use it as a means to eradicate competition! This guy put enough faith in this AV to use it as defense on a compromised system. It kind of implicitly confesses that, had the machine been protected by Kaspersky, it couldn't have been compromised.

    Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.

    --
    Arkan, who doesn't care anyway, as long as you can't patch DLLs in-memory... on GNU/Linux
    • Re: (Score:3, Interesting)

      by DarthChris (960471)
      Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.
      Obligatory shooting down of your conspiracy - if they did, they'd get the shit sued out of them. The only thing that saved Sony (during the rootkit fiasco) was their size as a corporation, and I presume Kaspersky don't have that.

      I'm more interested in seeing what Kaspersky's official response to this is.
  • by httptech (5553) on Saturday October 21, 2006 @08:39AM (#16527551) Homepage
  • by Britz (170620) on Saturday October 21, 2006 @08:59AM (#16527605) Homepage
    When the mob kills people it is usually a rival gang. They want to be the only people milking their territory for good reasons.
  • Art imitates life (Score:5, Interesting)

    by digitalhermit (113459) on Saturday October 21, 2006 @09:08AM (#16527653) Homepage
    In biology, we hear that it's generally not good to regularly use some types of anti-bacterial cleansers. After a while they start wiping out the good or innocuous types, leading to proliferation of the undesirable types. My lawn guy says the same thing about some types of weeds; apparently they keep other, larger and hardier weeds from getting a stronghold. It's funny that in the future this may be how viruses are combated in electronic devices.
  • Oh well then (Score:3, Insightful)

    by 0racle (667029) on Saturday October 21, 2006 @09:19AM (#16527703)
    Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.
    Oh well that's perfectly trustworthy isn't it. I guess we can just leave this one alone, it won't do anything it shouldn't. Is everyone who is saying this is a good thing really that stupid?
  • funny wargames (Score:4, Insightful)

    by Tom (822) on Saturday October 21, 2006 @09:41AM (#16527793) Homepage Journal
    Funny how there's a war fought over who has control of a Windows PC - by multiple parties, none of which is the owner of said PC.

  • by Nyph2 (916653) on Saturday October 21, 2006 @10:07AM (#16527921)
    Heh, in 2001 I had this exact idea as part of my concept for a theoretical modular virus. Most of the things I envisioned in that concept have since been picked up by malware producers (for example, modular virii, multi-system virii, rootkits in a virus either as the main payload or to reinstall the payload (or a diff payload) after the system has been cleaned, to mention a few which have gone into use on some scale since I came up with my idea), but there were a few tricks my concept had that I've yet to hear about in the wild, so I won't go into any of those details for fear of giving anyone ideas. (I have never developed, nor do I ever intend to develop this concept into an actual program. I'm morally opposed to virii... I was just thinking of the things I would be afraid to see in virii, and how one would go about dealing with something using concepts like what I envisioned.)

    It also reminds me of a sorta funny virus killer that was my precursor idea to the modular concept in 2000: a virus which uses the same 'sploit as a previous virus. The goal: download a removal package, the patch to the 'sploit you used to get in, and a package to temporarily host all of the packages. Once it does this, it simply removes the old virus, patches the system, and hosts the files for a brief period of time (prolly around a day, definitely no longer than a week... could also judge how long to host it off frequency of requests for the info) to allow the virus to P2P the files rather than place the load on a central server. Could also disable the network adapter for a period of time in there if needed to make sure it doesn't get reinfected during the removal/patching phases.

    I decided against ever building such a virus-chaser because it's near as bad as the original virus. It's illegal, it could cause network congestion, and while it intends to do good, it's pretty immoral to install stuff on a system & patch it without the user's consent.

    Still, a funny concept, similar in some ways to the malware this article discusses.

    PS, I know the plural of virus is viruses. Virii is just fun to say tho.
  • Why not protect your computer in the first place and not have to worry about spyware and viruses? If you are on a Windows machine and you are browsing warez or other "not so legit" sites, you better protect yourself. You would be advised to use an Anonymous Proxy [blastproxy.com] to browse such sites, as you really don't want your IP address floating around in their logs when they get busted, do you?

    Furthermore, a proxy such as the above would protect you from malicious scripts.

  • by Animats (122034) on Saturday October 21, 2006 @01:35PM (#16529305) Homepage

    This should be reported, in very clear terms, to "enforcement@sec.gov". Or on the SEC's online form [sec.gov]. Or to the SEC Division of Enforcement, 100 F Street, N.E. Washington, D.C. 20549. Because it's a felony being committed in support of a pump-and-dump stock scam.

    The stock being hyped is "TTEN", which has very low volume. The SEC can find out who was trading it just before the spam run started. That's how to find the people behind this. They can follow the money.

    So put together a comprehensive package listing all known stocks being hyped by this thing and the dates the spam began, and ship it off to the SEC. The SEC and FinCEN [fincen.gov] (the U.S. Treasury Financial Crimes Enforcement Network) have the data mining tools to look at the stock transactions and find the people behind this. The SEC has gone after pump-and-dump spammers many times before, and they usually get them.

    • by raduf (307723)
      Except the guy behind it is an expert hacker. How far down the investigation would you hit a stolen identity?
      In other cases it may work, and that's reason enough to try, but this guy is just too good. Not likely he'd have made a mistake.
  • Finally! (Score:3, Funny)

    by sjames (1099) on Saturday October 21, 2006 @09:43PM (#16532835) Homepage

    It's about time someone ported Corewars to Windows!
