Posted by Virus Bulletin on Oct 24, 2006
Scanner software used to keep out rival malware.
A trojan has been reported in the wild using a genuine AV engine to keep its victims' machines free from other threats. This variant of the 'SpamThru' trojan uses a pirated version of Kaspersky's KAV for Wingate product.
As well as the standard techniques, persisting via registry keys to ensure it keeps running and blocking updates of AV software installed on the machine by doctoring the hosts file, the peer-to-peer-controlled trojan downloads and installs a hacked version of KAV from its command server, then checks the machine for other malware, excluding its own files and processes from the scan.
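The hosts-file tampering described above leaves a visible trace that a defender can check for: update hostnames of security products pinned to loopback, an unspecified address, or some unrelated IP. The following is an added example written for this page, not code from Virus Bulletin, Kaspersky or SecureWorks; the keyword watchlist and the sample hosts-file content are constructed for illustration, and a real deployment would use the vendor's published update hostnames instead.

```python
"""Flag hosts-file entries that pin antivirus/update hostnames.

Added example for this page (not from the article). The watchlist and the
sample file content below are constructed for illustration.
"""
import ipaddress

# Constructed watchlist: substrings that commonly appear in AV/OS update
# hostnames. Substitute the vendor's real update hosts in production.
WATCH_KEYWORDS = ("update", "download", "kaspersky", "antivirus")

# Constructed sample of a tampered hosts file (hostnames are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       downloads.example-av.com
0.0.0.0         liveupdate.example-security.net   # appended by malware
10.20.30.40     update.example-av.com
192.168.1.5     intranet.corp.local
"""


def parse_hosts(text):
    """Yield (line_no, ip_str, hostname) for every name on every active entry.

    Comments (text after '#') and blank lines are skipped; one line may
    carry several hostnames after the address, so each is yielded separately.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip_str, names = parts[0], parts[1:]
        for name in names:
            yield line_no, ip_str, name.lower()


def classify(ip_str):
    """Return 'sinkhole' for loopback/unspecified targets (the entry blocks
    the host outright), 'redirect' for any other address, or 'invalid' if
    the address does not parse."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def check_hosts(text, keywords=WATCH_KEYWORDS):
    """Return a list of findings for watchlisted hostnames in a hosts file.

    A clean hosts file normally has no entries for vendor update hosts at all,
    so any match is reported, with the target address classified. The name
    'localhost' is ignored because mapping it is expected.
    """
    findings = []
    for line_no, ip_str, name in parse_hosts(text):
        if name == "localhost":
            continue
        if not any(k in name for k in keywords):
            continue
        findings.append(
            {"line": line_no, "ip": ip_str, "host": name, "kind": classify(ip_str)}
        )
    return findings


if __name__ == "__main__":
    # On a live system read the real file instead, e.g.
    # C:\Windows\System32\drivers\etc\hosts or /etc/hosts.
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

The check distinguishes a sinkhole (loopback or 0.0.0.0, which simply blocks the update server) from a redirect to another address, which is worth a closer look since it may point at an attacker-controlled host rather than merely blocking updates. Running it on the constructed sample reports lines 4 and 5 as sinkholes and line 6 as a redirect, while the intranet entry on line 7 is left alone.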
While other malware has targeted specific rivals with built-in process-killing and file-deleting routines, or used freely available dedicated removal tools, and many spyware applications have used a bogus 'spyware scanner' as a vector, this is thought to be the first time an attacker has used genuine AV software to protect machines infected by his own creation from being taken over by rival malware. With control of the machine secured, it is used to send out spam campaigns.
See some commentary on the trojan on the Kaspersky blog, and some in-depth analysis from SecureWorks.