Trojan Horse uses KAV to secure!

Hi malware fighters,

A security researcher has found a Trojan that installs a virus scanner to clean other malware from the infected system or to prevent further infections. The “SpamThru trojan” uses the Kaspersky anti-virus engine to secure hijacked systems.

In the past we have found various malware that tries to remove competing malware, but it is the first time it is done in such a way… “Of course malware authors know what has the best detection rate, and that must be the reason for choosing KAV,” Joe Stewart adds.

When the system starts, SpamThru loads a DLL from the controlling server. This DLL downloads an illegal Kaspersky AntiVirus version and puts it into a hidden file. Then the license signature of the Kaspersky DLL is patched, so new signatures can be downloaded. Ten minutes after downloading, the whole system is scanned, so that additional malware can be removed at reboot. The full analysis of this particular Trojan can be found here:
http://www.secureworks.com/analysis/spamthru/

polonus

Not a good sign. Glad I’m using avast!

Hi bob3169,

But there is more wrong with KAV, read here: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=425
That is two reasons for you:
- malware artists using a pirated version,
- and a hole in the software.

Not good at all, no…not good at all!

polonus

Well, I don’t see anything wrong at this point. OK, downloading an illegal KAV version is not OK, but a parasitic cleaning “trojan” is nothing other than an effective antidote. If it really just cleans the stuff.
If junk can spread so effectively, why shouldn’t antidotes too?
Imo this is the way to go. Wrong or not wrong, it just works the same way malware works. Except it has a good purpose and effect…


Yes, but since it is a malware trojan, what is it up to after it cleans off its competition? SPAM! :o So, how is nothing wrong at this point? ???


that security hole was patched already

and what prevents trojan users from using e.g. a patched ClamAV, Bitdefender, Avast etc…

nothing … this is just another form of PR …