Trojan Installs Antivirus Software To Boot Competition Off PC
According to Joe Stewart of Atlanta-based SecureWorks, the SpamThru Trojan adds a pirated copy of Kaspersky Lab's AntiVirus for WinGate to a cloaked folder on the compromised machine. The illegitimate anti-virus program scans the system for malicious code -- passing over SpamThru's own files -- and then deletes what malware it finds when the PC next boots.
Typical Trojan techniques stop at disabling existing anti-virus software, preventing AV products from retrieving signature updates, and to defeat the competition, blocking specific pieces of malware. "SpamThru takes the game to a new level," said Stewart in an online brief posted last week on the SecureWorks' Web site. "Ten minutes after the download of the DLL, it begins to scan the system."
SpamThru exhibits other sophisticated strategies, added Stewart, including using peer-to-peer (P2P) style command and control rather than the usual IRC (Internet Relay Chat). P2P control, which is being noticed in a growing number of Trojans, lets the creator maintain command even if most of the network of infected PCs is shut down.
"In case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server, as long as he/she controls at least one peer," said Stewart.