Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


October 26, 2006
Dueling Malware

An interesting development in the realm of malware is the battle for exclusive control of the infected host.
In recent years, we've seen how certain trojans and worms eliminate competing malware even as they infect the host with their own malicious code. Here are a couple of examples:

The W32/Nachi worm would target hosts vulnerable to the W32/Lovesan (Blaster) worm. In the process, it would eliminate the Blaster worm and even go as far as to download the patch from the Microsoft site, protecting the host from further infection through the MS03-026 vulnerability. Later variants of Nachi, such as W32/Nachi.worm.b, would also eliminate competing viruses and worms.

Now Joe Stewart from SecureWorks writes about the Spamthru trojan, which serves up spam from an infected host. It appears that Spamthru does not play nice with other spamming trojans: it leverages the Kaspersky antivirus engine to eliminate other malware on the system while leaving its own code in place. Here is how Joe describes the way Spamthru does this:

"SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot."
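The quoted description ends with rival files being "set up to be deleted by Windows at the next reboot." Joe's write-up does not name the mechanism, but the standard way a Windows program queues a delete-at-reboot is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which Windows records in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The following is an added example, not code from the post or from SecureWorks, that parses that value's layout (flat source/destination pairs, empty destination meaning delete) so a responder can list what is queued for deletion before rebooting; the sample entries are constructed.

```python
# Added example (not from the original post): list files queued for deletion at
# the next reboot by parsing a PendingFileRenameOperations value.
# Layout: a flat list of strings read in pairs (source, destination). An empty
# destination means the source is deleted; a destination prefixed with "!" means
# "replace existing". Sources carry the NT object-namespace prefix "\??\".
# Assumption: this is the delete-at-reboot mechanism in use; the post does not say.
from typing import List, Tuple

NT_PREFIX = "\\??\\"

def parse_pending_ops(entries: List[str]) -> List[Tuple[str, str]]:
    """Pair up the flat REG_MULTI_SZ string list into (source, destination) tuples."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    return [(entries[i], entries[i + 1]) for i in range(0, len(entries), 2)]

def to_plain_path(entry: str) -> str:
    """Strip the optional replace-existing marker and the \\??\\ prefix."""
    if entry.startswith("!"):
        entry = entry[1:]
    return entry[len(NT_PREFIX):] if entry.startswith(NT_PREFIX) else entry

def pending_deletions(entries: List[str]) -> List[str]:
    """Return plain paths of files scheduled for deletion at next reboot."""
    return [to_plain_path(src) for src, dst in parse_pending_ops(entries) if dst == ""]

def pending_renames(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (source, destination) pairs for queued renames, for comparison."""
    return [(to_plain_path(s), to_plain_path(d)) for s, d in parse_pending_ops(entries) if d]

# Constructed sample value: one ordinary updater rename and two queued deletions.
SAMPLE_VALUE = [
    "\\??\\C:\\Program Files\\Example\\app.exe.new", "!\\??\\C:\\Program Files\\Example\\app.exe",
    "\\??\\C:\\Windows\\system32\\drivers\\rival.sys", "",
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\loader.dll", "",
]

if __name__ == "__main__":
    for path in pending_deletions(SAMPLE_VALUE):
        print("queued for deletion at reboot:", path)
    for src, dst in pending_renames(SAMPLE_VALUE):
        print("queued rename:", src, "->", dst)
```

On a live system the list comes from reading the registry value (for example with winreg in Python or Get-ItemProperty in PowerShell) and feeding it to pending_deletions; an unexpected batch of deletions under system or driver directories is the thing to look at before the reboot happens.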

Of course, Spamthru also does bad stuff like acting as a proxy for spammers and serving up obfuscated spam that uses GIF randomization techniques.

This cannot be a good sign when malware like trojans, worms and spam/spyware engines have to compete for hosts. Do you think we have a serious problem?

Posted by andreyee in Odds and Ends
