Trojan Installs Anti-Virus, Removes Other Malware 202

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."
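The summary describes a DLL fetched at start-up and an AV engine dropped into a concealed directory. As an added example that is not part of the article or this thread, the PowerShell script below lists loaded modules whose directory chain carries the Hidden attribute, a simple hunt for that pattern; it assumes a Windows host with PowerShell 5.1 or later and elevated rights, and the function names are my own. Because the described license patch happens in memory, the signature status is shown only for context; the file's location is the actual signal.

```powershell
# Added example (not from the article): hunt for DLLs loaded from hidden
# directories, the kind of "concealed directory" the SpamThru write-up
# describes. Assumes Windows, PowerShell 5.1+ and admin rights (module
# lists of other users' processes need elevation).

function Test-PathInHiddenDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Walk every ancestor directory (stopping before the drive root) and
    # flag the file if any of them carries the Hidden attribute.
    $dir = Split-Path -Path $Path -Parent
    while ($dir -and (Split-Path -Path $dir -Parent)) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)) {
            return $true
        }
        $dir = Split-Path -Path $dir -Parent
    }
    return $false
}

function Find-ModulesInHiddenDirectories {
    $seen = @{}
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        # Protected/system processes may refuse module enumeration; skip them.
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $file = $m.FileName
            if (-not $file -or $seen.ContainsKey($file)) { continue }
            $seen[$file] = $true
            if (Test-PathInHiddenDirectory -Path $file) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    Module      = $file
                    # A pirated but unmodified-on-disk AV DLL may still be
                    # validly signed; shown for context, not as a verdict.
                    Signed      = (Get-AuthenticodeSignature -FilePath $file).Status
                }
            }
        }
    }
}

Find-ModulesInHiddenDirectories | Format-Table -AutoSize
```

Any hit deserves a look at who dropped the file and what loaded it; legitimate software rarely runs from hidden directories, but a few installers do, so treat the list as leads rather than verdicts.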
  • A wise move (Score:5, Insightful)

    by Andy_R ( 114137 ) on Saturday October 21, 2006 @07:36AM (#16527289) Homepage Journal
    Any system that is badly protected enough to get infected is probably already bogging down and in danger of the user getting it fixed. This is probably a very good strategy to improve the usefulness of the machine to the hijacker, and reduce the chances of the user doing anything about the infection. I'm surprised this hasn't happened before.
  • by MavEtJu ( 241979 ) <slashdot&mavetju,org> on Saturday October 21, 2006 @07:39AM (#16527309) Homepage
    During his analysis, Stewart found that SpamThru was being used to operate a spam-based pump-and-dump stock scheme.

    Add one and one together, and you know who the operator of the botnet is.
  • Sounds like .. (Score:1, Insightful)

    by Anonymous Coward on Saturday October 21, 2006 @07:46AM (#16527335)
    an extreme way of removing Norton's Anti-Virus ??!!
  • by Anonymous Coward on Saturday October 21, 2006 @07:47AM (#16527341)
    Spam is a Microsoft problem, they market software to users that are neither capable or responsible. It's annoying because those of us who can use computers and are willing to take responsibility will be marginalized by Microsoft's cure; TCPA.
  • by majortom1981 ( 949402 ) on Saturday October 21, 2006 @08:10AM (#16527413)
    Why is everybody saying this is a good thing? This could be very bad. A virus or any malware that disguises itself as an antivirus would not be detected by antivirus programs. It's actually very clever. Your machine would be infected and you might not even know it. Especially if you normally run Kaspersky.
  • by MooUK ( 905450 ) on Saturday October 21, 2006 @08:13AM (#16527427)
    Because that's not the only thing it does. If it was, I'd definitely consider it a good thing to infect all those without up-to-date antivirus software with.
  • by dangitman ( 862676 ) on Saturday October 21, 2006 @08:16AM (#16527453)
    > ... And this is a bad thing, why?

    Uhhh, because it installs its own malware? Why do you think it's a good thing to have some scam software installed on your machine?

  • by raduf ( 307723 ) on Saturday October 21, 2006 @08:35AM (#16527533)
    I'm wondering if this is really an organisation's work. Stock schemes sound like the kind of thing that doesn't require clients or large resources. Could be a lone programmer somewhere, making money on his own.
  • Re:This is great! (Score:5, Insightful)

    by raduf ( 307723 ) on Saturday October 21, 2006 @08:37AM (#16527545)
    How long will it be before somebody lobotomizes this to just install the anti-virus? Could be a new age in the spam wars...
  • by badpazzword ( 991691 ) <badpazzword@gmai ... minus physicist> on Saturday October 21, 2006 @08:49AM (#16527571)
    > A virus or any malware that disguises itself as an antivirus would not be detected by anti virus programs.

    Good antivirus programs scan whatever you tell them to. If you tell them to ignore executables or use some sort of whitelisting, then we have a "User error. Replace the user and press any key to continue."
  • by Britz ( 170620 ) on Saturday October 21, 2006 @08:59AM (#16527605)
    When the mob kills people it is usually a rival gang. They want to be the only people milking their territory for good reasons.
  • cash cow (Score:5, Insightful)

    by zogger ( 617870 ) on Saturday October 21, 2006 @09:12AM (#16527667) Homepage Journal
    Now you see why windows remains the dominant desktop. It is because by its very nature it is a tremendous cash cow, going up and down and sideways across the IT food chain. Very, very few people are altruistic enough to work as hard as they can to put themselves out of business, especially once the work involved becomes more or less easy and routine.

    Human nature, you can see it at work in a number of areas, take governments for example. It would be quite possible for governments to work towards fine tuning laws and processes to the point that they are clearly understood, as universally fair as possible, and requiring the least bit of constant interfering - they would have to fire themselves, voluntarily withdraw. It doesn't and won't happen though. Bad car analogy. Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer in the long run? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

    And so on. You are trying to balance consumer desires with business desires for repeat sales and increasing sales and peripheral sales, in an economic system that values and rewards that over even just a maintenance of the status quo mode. So it obviously doesn't happen... not much anyway.
  • by Ginger Unicorn ( 952287 ) on Saturday October 21, 2006 @09:14AM (#16527677)
    Well, I run Linux, and I don't find this funny at all. Windows botnets are a fucking nuisance to EVERYONE. Running Mac OS X or Linux won't stop you receiving spam emails, or stop a website you need to use being DDoSed.
  • Re:This is great! (Score:5, Insightful)

    by risk one ( 1013529 ) on Saturday October 21, 2006 @09:14AM (#16527679)
    I think that in the Blaster days there was a copycat worm that downloaded the Microsoft anti-Blaster patch and installed it (in fact I know there was, because I got 'hit' with it).

    It's a nice way to fight zombies, and it might go some way to doing what legal/conventional means have failed to do by using the same viral nature of the original malware to clean the internet up. (While still trying to copy itself from cleaned PCs). The only problem with this (besides the ethical bit about fighting fire with fire, which I don't really care about) is that the users won't know about it.

    Getting infected to the point of having to have somebody clean your system up and install antivirus/firewall/antispyware and a safe browser and email client is a learning experience about how dangerous the internet is these days. If people have their system cleaned up without realizing it, the system may be clean but the people are none the wiser. The best thing, I think, would be to install free (as in beer) software, hiding it just until all scans are done and the system has been cleaned and protected, and then informing the user in some clear way what has happened and what they can do about preventing it in the future, and that they should probably get their system checked out by a human. It would have to do so in some way that doesn't get mistaken for a web-ad, like replacing the wallpaper with the message.

    The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...
  • Oh well then (Score:3, Insightful)

    by 0racle ( 667029 ) on Saturday October 21, 2006 @09:19AM (#16527703)
    > Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.

    Oh well that's perfectly trustworthy isn't it. I guess we can just leave this one alone, it won't do anything it shouldn't. Is everyone who is saying this is a good thing really that stupid?
  • funny wargames (Score:4, Insightful)

    by Tom ( 822 ) on Saturday October 21, 2006 @09:41AM (#16527793) Homepage Journal
    Funny how there's a war fought over who has control of a Windows PC - by multiple parties, none of which is the owner of said PC.

  • by westlake ( 615356 ) on Saturday October 21, 2006 @10:43AM (#16528125)
    > Why is everybody saying this is a good thing.

    It's a fair question.

    Software that installs without the user's knowledge or consent is by definition malware.

    Microsoft asks users to temporarily disable AV when installing IE7 because the installer makes complex changes to the Registry. The install can be trashed by something as simple as an out-of-date signature file.

    Troubleshooting conflicts with AV software can be a nightmare for non-technical end users and Kaspersky is no exception: Kaspersky Lab Forums > Protection for Home Users [kaspersky.com]

    Where does that leave the user who doesn't know and cannot know that KAV is resident on his system?

  • by Jessta ( 666101 ) on Saturday October 21, 2006 @10:49AM (#16528151) Homepage
    Removing other malicious software doesn't make the machine at all secure. It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.
  • Re:This is great! (Score:4, Insightful)

    by raduf ( 307723 ) on Saturday October 21, 2006 @11:55AM (#16528573)
    The only problem with this approach is that it's illegal. And not just in the sense it's "not nice", it's actually risky: one machine in a thousand may get broken, and the owner can sue you. So anything you do you do as a criminal, meaning both risk and absolutely no recognition. I don't think many would do something as difficult for free and completely anonymous. People are just not that altruistic.

    The official approach, Automatic Updates, is almost as good. Unfortunately Microsoft's main motivation is to make money, and working software is only a side effect (I don't find anything evil in that btw, MS has done more for IT than any other company). So the system isn't perfect, updates may be late or Automatic Updates may not be enabled. The "virus" way is better because it affects exactly the kind of targets normal trojans do. Bigger the disease, better the cure. It's almost biological in nature.

    > The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...

    Why? If the machine gets cleaned, that means it won't be infected anymore, but the existing software can function very well. That's why a compromised machine is compromised forever: you never know what may be lurking in there.

  • by Anonymous Coward on Saturday October 21, 2006 @12:02PM (#16528621)
    > It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license.

    Well if it weren't for the fact that it also hijacks your box, that might be seen as very useful functionality by many!

    Taking this to a new level, I foresee white hats sending their own viruses out into the wild, which then battle it out with "bad" viruses and also exterminate other evils of today ... DRM and license locks included.

    It might even help fight the RIAA extortion racket if P2P viruses were doing uploads. When your machine has been infected by a third party, then culpability by the machine owner is no longer certain.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday October 21, 2006 @01:24PM (#16529209)
    I like the idea of dis-infecting a machine that was trying to infect your machine.

    Would it also be advantageous to have the now worm-free machine to also perform that function?

    If "yes" would you want to be especially helpful and place a removal icon in the "Add/Remove Programs" section so that that functionality could be removed?

    If "no", why not? Other than the bit about installing software on someone else's machine?

    I would NOT want the anti-worm to probe the network. This sounds good in theory, but in practice, any amount of scanning will become a problem as the number of machines doing the scanning increases. Sure, they only consume 0.1% of your bandwidth today. But when there are 10x more machines, 100x more machines, etc.

    Any suggestions?
  • Re:This is great! (Score:3, Insightful)

    by Durzel ( 137902 ) on Saturday October 21, 2006 @02:10PM (#16529561) Homepage
    Although it may not have applied in this case there could also have been technical reasons why a patch wasn't applied, it certainly wouldn't be the first time that a patch - even a MS one - has caused complications in other software that is installed. Automatically assuming the sysadmin is incompetent and patching their system for them and potentially breaking their business-critical application suite is not "a good thing" imo.

    A better solution would've been to flash a message up on screen basically saying something along the lines of "I got in to your system because it has a vulnerability - either patch it or block the listening port to trusted hosts only or next time the real virus might get in".
  • by gad_zuki! ( 70830 ) on Saturday October 21, 2006 @02:54PM (#16529993)
    > It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.

    Give the man a cigar. This is exactly like parasites which strengthen their host.
  • Re:Hmm.. (Score:4, Insightful)

    by kryptkpr ( 180196 ) on Saturday October 21, 2006 @05:44PM (#16531329) Homepage
    This wouldn't make sense, because anti-virus vendors would then be able to take advantage of the same signature to prevent all of his future viruses.
  • by inviolet ( 797804 ) <slashdot@@@ideasmatter...org> on Sunday October 22, 2006 @01:19AM (#16533606) Journal
    > Give the man a cigar. This is exactly like parasites which strengthen their host.

    Perhaps this is the future of the internet? A competition among virus authors to keep their host machines clean of competing viruses?

    Considering what an unbelievable resource hog my antivirus software is, in the future I might actually do better to let my machine get infected and rely on the infection to symbiotically keep everything else off.

    It's the merger of computation and biology. And it might be more efficient than paying a discrete third-party for antivirus software. Think of it as paying for your antivirus protection with CPU cycles rather than dollars.
