Trojan Installs Anti-Virus, Removes Other Malware
An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."
Hmm.. (Score:4, Funny)
Cylons? I hear they are hot!
Re:Hmm.. (Score:5, Funny)
But I do agree that this guy is either extremely forward thinking, or a madman. His own virus could prevent any further viruses he writes... That's... Stupid.
I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, so it didn't much matter. It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls. Somehow, it's just not that much worse.
Re:Hmm.. (Score:5, Funny)
Why spraypaint when you can use all the blood - it just looks so much cooler, uh, wait...
Re:Hmm.. (Score:4, Insightful)
Legalities (Score:4, Informative)
I wonder, though, if a retaliatory disinfector, or even a "beneficial nematode", would be legal?
This would be a server that not only detects and blocks worm infection attempts, but responds (using one of the vulnerabilities exploited by the original malware or one it installs - which are known to exist due to the malware's presence) by disabling the malware in the attacking computer, and perhaps patching the vulnerabilities exploited by the malware and/or (in the "beneficial nematode" case) copying itself to it. The former attacker is now no longer attacking, is protected from reinfection by the secondary infection, and perhaps becomes another source of counter-attacks.
Since it only counter-attacked, and even a passively-blocked attack without a counter-attack consumes resources (amounting to a DoS if sufficiently large and persistent), it could be argued that the counter-infection falls under the same principle as the use of force in self-defence. Or perhaps a "necessity defence" could be argued.
Of course one would have to be especially careful when designing such a self-reproducing tool. A significant issue would be accidental escape into the wild of a buggy version early in the development. Timeouts or "Hayflick limit" reproduction counters seem advisable. And building them on pirated antiviral tools would be out of the question.
IANAL. Does anybody out there have a more informed opinion?
because AVG does NOT work better (Score:4, Interesting)
(Reminds me of a funny story, though. My friend's computer was acting up, in some very odd and rather annoying ways. I tsk-tsked him, implying that he probably caught himself some kind of infection. He went "no, no, this legit copy of Norton I have would have seen it." I took his hard drive out, threw it in my machine, and Kaspersky Labs immediately started deleting. Once the massive infection (mainly of worms) was gone, we put it back in his box, and his Win2k install ran with significantly less hassle; all those mysterious problems were gone, how about that. Norton, throughout all of this, just smiled into space like an idiot. And don't get me started on McAfee!)
Kaspersky is also quite configurable for ignoring certain files, and has a rather robust system for doing so; I find it handy myself, considering that I have quite a few programs that have the kinds of engines in them that might be detected heuristically by Kaspersky as being virus-y, for lack of a better term (for example, the smtp engine in anonymail is the kind of setup that a worm might use for using a computer to randomly mail copies of itself around). So if this piece of kinda-mal-ware is to survive its own medicine, that sort of functionality is rather useful (I haven't used AVG for about a year now, but when I last used it I remembered a lack of that kind of breadth of deliberate "leave such-and-such alone").
You're right though, that adding copyright infringement on top of this is a bit of an issue, but under the circumstances it's an issue of contempt for the end-user anyways. Not saying whether that's justified or not, just that it's deliberately out of the control of whomever owns the infected computer, so it's not like *they'd* be liable anyways . . .
Actually, hey, maybe the creator really likes AVG and doesn't want to give it bad press? There's quite a few possible reasons for this choice, thinking about it.
Re: (Score:2)
They rebelled
They evolved
There are many copies
And they have a plan
Potential for good, and evil (Score:5, Funny)
Re:Potential for good, and evil (Score:5, Interesting)
I wouldn't say that. I must say that in principle I am against all software which you can't control and know the nature of, but if you've got infected by this then you may well have got infected by a whole host of other viruses - so this seems like a good thing.
Re:Potential for good, and evil (Score:5, Insightful)
Re:Potential for good, and evil (Score:4, Interesting)
If it's a choice I'll take the latter... Of course if there was an option which was open-source and didn't have its own malware then maybe we'd really be on to a winner.
Re: (Score:3, Insightful)
Give the man a cigar. This is exactly like parasites which strengthen their host.
Re: (Score:3, Insightful)
Perhaps this is the future of the internet? A competition among virus authors to keep their host machines clean of competing viruses?
Considering what an unbelievable resource hog my antivirus software is, in the future I might actually do better to let my machine get infected and rely on the infection to symbiotically keep everything else off.
It's the merger of computation and biology. And it might be more efficient than p
Re: (Score:3, Informative)
A) It does so without you being aware.
B) It illegally installs software that you do not have a license for.
C) Most modern viruses and trojans are so complex that the only way to remove them is by disabling system restore and running thorough scans in safe mode and/or boot time scans.
So not only do you have no control over it and become an "unexpected software pirate", but you likely don't even get rid of the other trojans/viruses o
Re:Potential for good, and evil (Score:5, Informative)
Copyright Infringement Alarm!!!
A bit amusing in the context, but let's be fair here, when you post someone else's work, please give them credit!
This is RMS's 'Right to Read'. It is copyrighted under a very free license. All you have to do is give credit to the writer. That is something most people do without thinking, because it is the Right Thing to Do.
Anyway, in case the AC gets modded into copyright infringement hell, the original text, as well as some updated comments, are available here [gnu.org]. It's an interesting read.
Re:Potential for good, and evil (Score:5, Funny)
If *that* were true, it would have installed NAV.
*cough*
A wise move (Score:5, Insightful)
Re:A wise move (Score:5, Interesting)
User: "I didn't install it! I swear!"
BSA: "Yea right, it just installed itself...."
Re:A wise move (Score:5, Funny)
Re: (Score:2)
The BSA has no authority to hassle you unless you give it to them.
(AFAIK)
Re: (Score:3, Funny)
That's like dark glasses, false moustache, hat, black leather jacket?
Coming up next... (Score:5, Interesting)
At least we know who knows who the operator is! (Score:4, Insightful)
Add one and one together, and you know who the operator of the botnet is.
Er.... (Score:5, Funny)
Re:Er.... (Score:5, Funny)
However, (Score:2)
A Trojan that Installs Anti-Virus & removes ot (Score:5, Funny)
Re:A Trojan that Installs Anti-Virus & removes (Score:2)
Not that I'd ever use it given the choice.
Re:A Trojan that Installs Anti-Virus & removes (Score:2)
Sounds good! (Score:5, Funny)
Darwin, Schmarwin (Score:5, Funny)
In other words, God spams.
He Is That He Is has simply moved on from meat-based proselytizing and entered the so-called Cyber Age, as was foreseen in Deuteronomy 4:20, Revelations 1:1415, and Glossary 36:D.
Great Idea! (Score:5, Funny)
This is really bad actually (Score:4, Insightful)
The know-it-all Geek's flexible ethics (Score:3, Insightful)
It's a fair question.
Software that installs without the user's knowledge or consent is by definition malware.
Microsoft asks users to temporarily disable AV when installing IE7 because the installer makes complex changes to the Registry. The install can be trashed by something as simple as an out-of-date signature file.
Troubleshooting conflicts with AV software can be a nightmare for non-technical end users and Kaspersky is no exception: Kaspersky Lab Forums [kaspersky.com]
Other information about this... (Score:5, Informative)
* Backdoor.Win32.Agent.uu
* Spam-DComServ
* TROJ_AGENT.BOR
Removal instructions can also be found here [sophos.com]
Buy an Apple Macintosh (Score:3, Interesting)
Re: (Score:2, Interesting)
On a more serious note, please tell us you are speaking metaphorically about your lau
cash cow (Score:5, Insightful)
Human nature, you can see it at work in a number of areas, take governments for example. It would be quite possible for governments to work towards fine tuning laws and processes to the point that they are clearly understood, as universally fair as possible, and requiring the least bit of constant interfering - they would have to fire themselves, voluntarily withdraw. It doesn't and won't happen though. Bad car analogy. Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer in the long run? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.
And so on. You are trying to balance consumer desires with business desires for repeat sales and increasing sales and peripheral sales, in an economic system that values and rewards that over even just a maintenance of the status quo mode. So it obviously doesn't happen... not much anyway.
Re: (Score:3, Interesting)
Henry Ford thought he had the perfect car in the Model T and so it was in 1915.
But times change. T
Re: (Score:2)
I used to think as you think... until I came to own a Fiat 850 (vintage '67). I'm not going to discuss performance here: newer cars are, in all ways, better and more comfortable. However reliability in anything after '80 that isn't Mercedes (and probably newer Mercedeses too) is laughable. They simply aren't built to last over 10 years. Or more to the point, they're built not to last over 10 years.
You're going to tell me that this isn't so important any more, that everybody can afford a new car e
Re:Buy an Apple Macintosh (Score:5, Insightful)
Re: (Score:2)
I have a BartPE configured to do everything automagically. I go over to their home, boot the PE disk and start my apps.
All done, remove disc, accept cash and go buy more performance car parts, engine ECM reprogramming gear, etc...
I love Microsoft! They make me lots of money!
Says a lot about Kaspersky... (Score:5, Interesting)
Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.
--
Arkan, who don't care anyway, as long as you can't patch DLL in-memory... on GNU/Linux
Re: (Score:3, Interesting)
I'm more interested in seeing what Kaspersky's official response to this is.
Link to the actual research (Score:5, Informative)
Mobsters do the same (Score:5, Insightful)
Art imitates life (Score:5, Interesting)
Oh well then (Score:3, Insightful)
funny wargames (Score:4, Insightful)
reminds me of some of my old ideas (Score:3, Interesting)
It also reminds me of a sorta funny virus killer that was my precursor idea to the modular concept in 2000: a virus which uses the same 'sploit as a previous virus. The goal: download a removal package, the patch to the 'sploit you used to get in, and a package to temporarily host all of the packages. Once it does this, it simply removes the old virus, patches the system, and hosts the files for a brief period of time (prolly around a day, definitely no longer than a week... could also judge how long to host it off frequency of requests for the info) to allow the virus to P2P the files rather than place the load on a central server. Could also disable the network adapter for a period of time in there if needed to make sure it doesn't get reinfected during the removal/patching phases.
I decided against ever building such a virus-chaser because it's near as bad as the original virus. It's illegal, it could cause network congestion, and while it intends to do good, it's pretty immoral to install stuff on a system & patch it without the user's consent.
Still, a funny concept, similar in some ways to the malware this article discusses.
PS, I know the plural of virus is viruses. Virii is just fun to say tho.
Great, get busted for having pirated software (Score:2, Interesting)
Why not protect your computer in the first place and not have to worry about spyware and viruses. If you are on a Windows machine and you are browsing warez or other "not so legit" sites, you better protect yourself. You would be advised to use an Anonymous Proxy [blastproxy.com] to browse such sites, as you really don't want your IP address floating around in their logs when they get busted, do you?
Furthermore, a proxy such as the above would protect you from malicious scripts.
Report to "enforcement@sec.gov" (Score:3, Informative)
This should be reported, in very clear terms, to "enforcement@sec.gov". Or on the SEC's online form [sec.gov]. Or to the SEC Division of Enforcement, 100 F Street, N.E. Washington, D.C. 20549. Because it's a felony being committed in support of a pump-and-dump stock scam.
The stock being hyped is "TTEN", which has very low volume. The SEC can find out who was trading it just before the spam run started. That's how to find the people behind this. They can follow the money.
So put together a comprehensive package listing all known stocks being hyped by this thing and the dates the spam began, and ship it off to the SEC. The SEC and FinCen [fincen.gov] (the U.S. Treasury Financial Crimes Enforcement Network) have the data mining tools to look at the stock transactions and find the people behind this. The SEC has gone after pump-and-dump spammers many times before, and they usually get them.
Re: (Score:2)
In other cases it may work, and that's reason enough to try, but this guy is just too good. Not likely he'd have made a mistake.
The last guy to try this is in jail (Score:5, Informative)
Let's take a look at the career of last year's big pump-and-dump spammer:
"Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and Spammers [cybercrime.gov]
"Pump-and-dump spam domains go silent after botnet closure" [theregister.co.uk]
Spammers register pump-and-dump spam domains for use in spam runs. These domains are commonly discarded after a few days. The tactic is commonplace but the arrest of alleged botmaster Jeanson James Ancheta, 20, of Downey, California, on 3 November has been accompanied by a radical shift in the landscape. "Up to recently, the graphs were all fairly smooth, with the stats showing that 12 days was about the maximum lifetime for this type of domain, while 30 per cent only lasted a day or under, and 10 per cent only lasted three hours or under," Shipp said. "This kind of activity just disappeared completely from the radar on 2 November."
Following up:
"Botnet Creator Pleads Guilty, Faces 25 Years" [techweb.com]
Federal Bureau of Prisons Inmate Locator [bop.gov]
California City Prison [clui.org]: "This medium security desert prison opened in 2000, and is a stunning sight, either by day when its monolithic forms stand out on the desert pavement like ancient Egyptian architecture, or by night when floodlights bathe the gleaming facility in an orange glow which can be seen from as much as 30 miles away."
Next spammer, please.
Finally! (Score:3, Funny)
It's about time someone ported Corewars to Windows!
Re:This is great! (Score:5, Funny)
There's a reason for all those extra cores in the upcoming processors.
Re:This is great! (Score:5, Funny)
It should be noted though, that a "Virus Accelerator Board" is not a very good name from a marketing perspective!
Re: (Score:2)
You just have to put a nice marketing spin on the name... Like "Internet App Accelerator" or "Web code facilitator", etc.
Re: (Score:2, Funny)
Yep. That.
Re:This is great! (Score:5, Funny)
Re: (Score:3, Interesting)
Imagine, then, a cheap processor (an Intel embedded-grade unit, for instance, running about 100-150 mhz) connecting to a new slot on the motherboard that runs background virus scans while your HD(s) is(are) idle. Got sensitive data or a long vulnerability list? Drop fifty, hundred bucks and upgrade the card.
CPU load isn't the only reason for this
Mod parent up! (Score:2)
Particularly if it could correctly defrag the system files when the system boots. Yes, I know there are defrag utilities that do so. But my users complain enough about delays. And none of those utilities seem to work, anyway.
==
This comment posted using 100% Ubuntu, Edgy Eft.
Re:This is great! (Score:5, Interesting)
While I never actually did this, mostly due to lack of time and for fear of possible lawsuit, it was certainly possible. So now it's a reality, thanks to... whoever. I think it's a Good Thing.
Re:This is great! (Score:5, Insightful)
Re:This is great! (Score:5, Insightful)
It's a nice way to fight zombies, and it might go some way to doing what legal/conventional means have failed to do by using the same viral nature of the original malware to clean the internet up. (While still trying to copy itself from cleaned pc's). The only problem with this is (besides the ethical bit about fighting fire with fire, which I don't really care about) is that the users won't know about it.
Getting infected to the point of having to have somebody clean your system up and install antivirus/firewall/antispyware and a safe browser and email client is a learning experience about how dangerous the internet is these days. If people have their system cleaned up without realizing it, the system may be clean but the people are none the wiser. The best thing, I think, would be to install free (as in beer) software, hiding it just until all scans are done and the system has been cleaned and protected, and then informing the user in some clear way what has happened and what they can do about preventing it in the future, and that they should probably get their system checked out by a human. It would have to do so in some way that doesn't get mistaken for a web-ad, like replacing the wallpaper with the message.
The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...
Re:This is great! (Score:5, Informative)
That would be Welchia:
http://www.symantec.com/security_response/writeup
The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.
What would be the requirements for an anti-worm? (Score:5, Insightful)
Would it also be advantageous to have the now worm-free machine to also perform that function?
If "yes" would you want to be especially helpful and place a removal icon in the "Add/Remove Programs" section so that that functionality could be removed?
If "no", why not? Other than the bit about installing software on someone else's machine?
I would NOT want the anti-worm to probe the network. This sounds good in theory, but in practice, any amount of scanning will become a problem as the number of machines doing the scanning increases. Sure, they only consume 0.1% of your bandwidth today. But when there are 10x more machines, 100x more machines, etc.
Any suggestions?
Re: (Score:3, Insightful)
A better solution would've been to flash a message up on screen basically saying
Re: (Score:2)
You're assuming two things that may not be true.
1. That the computer is not a network resource (server), and that someone will actually check on it in a reasonable amount of time.
2. That the user will not
Re:This is great! (Score:4, Insightful)
The official approach, Automatic Updates, is almost as good. Unfortunately Microsoft's main motivation is to make money, and working software is only a side effect (I don't find anything evil in that btw, MS has done more for IT than any other company). So the system isn't perfect, updates may be late or Automatic Updates may not be enabled. The "virus" way is better because it affects exactly the kind of targets normal trojans do. Bigger the disease, better the cure. It's almost biological in nature.
The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...
Why? If the machine gets cleaned means it won't be infected anymore, but the existing software can function very well. That's why a compromised machine is compromised forever: you never know what may be lurking in there.
Re:This is great! (Score:4, Interesting)
Re:This is great! (Score:4, Interesting)
In fact, I think there's a much larger percentage where something-bad-and-visible-happening-to-the-machin
Remember: 10 years ago, the script kiddies taking over your machine wanted to shut it down, just to show you who's boss. Today, the organized criminals taking over your machine want it to stay up, so they can push as much spam out as possible.
Re:This is great! (Score:4, Interesting)
Re: (Score:2)
Basically a sexually transmitted AIDS vaccine...
Re:This is great! (Score:4, Funny)
Wait...what's that "annoying as hell" flashing icon in my taskbar for...?
Re:This is great! (Score:5, Informative)
You seem to say that as a joke, but I will answer seriously - you should. Just because you use Linux doesn't mean that you won't get rootkit'd... I'm not sure about Kubuntu, but with Fedora it comes as a default with SSH running and allowing root login - if you don't stop that
You should put something like rkhunter on a clean install ideally so you can keep a check on what's going on. Also chkrootkit is quite good, although I find it a lot harder to read.
Just get rid of it altogether (Score:3, Funny)
Re:This sounds good (Score:4, Insightful)
Re:This sounds good (Score:4, Insightful)
Uhhh, because it installs its own malware? Why do you think it's a good thing to have some scam software installed on your machine?
Re:Sounds like .. (Score:5, Funny)
Re: (Score:3, Interesting)
I haven't had to uninstall it from friends' machines recently (so it might have gotten better, or worse) but I have fond memories of that thing. Reminded me of the headcrabs in HL2.
Re: (Score:2)
Are you referring to the SpamThru trojan, the Symantec Anti-Virus Suite, or Windows itself? It's hard to tell....
Re: (Score:2, Funny)
People have joked for years about releasing a worm that patches Windows systems by installing $LINUX_DISTRIBUTION; this thing just brings us one step closer.