Trojan Installs Anti-virus, Surprised!
SpamThru uses a custom peer-to-peer (P2P) protocol to share information among the compromised (bot-infected) machines. If the command-and-control server is shut down, the controller can use this channel to redirect the infected peers to a new command-and-control server.
SpamThru protects itself from anti-virus software by rewriting the hosts file on infected machines so that anti-virus update servers cannot be resolved and updates cannot be downloaded. The Trojan also uses its own anti-virus scanner to remove other malware from the machine, since competing infections would contend for system resources or draw attention to the compromised host.
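The hosts-file tampering described above is easy to check for from the defender's side. The following is an added example, not SpamThru's code and not anything from SecureWorks: it parses a Windows-style hosts file and flags any entry that pins an anti-virus or OS update domain to a loopback or unspecified address (a block) or to any other address (a redirect). The watched-domain list and the sample hosts file are constructed for the example and are assumptions, not data from the article.

```python
"""Flag hosts-file entries that block or hijack anti-virus update servers.

Added example (not SpamThru's code and not SecureWorks' code). SpamThru
rewrote the hosts file on infected machines so that anti-virus update
servers could not be resolved. This scanner parses a hosts file and reports
every entry that maps a watched vendor domain to a loopback/unspecified
address (blocked) or to anything else (redirected). A legitimate system
resolves these names through DNS, so any static entry is suspicious.
"""
import ipaddress
from typing import Iterator

# Illustrative list of update domains to watch (assumption, not from the
# article); tune it to the vendors actually deployed on your hosts.
WATCHED_SUFFIXES = (
    "kaspersky-labs.com",
    "kaspersky.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "trendmicro.com",
    "windowsupdate.com",
)

# Constructed sample hosts file modelled on the tampering described above.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
127.0.0.1       downloads1.kaspersky-labs.com  downloads2.kaspersky-labs.com
0.0.0.0         liveupdate.symantec.com
203.0.113.7     update.sophos.com   # TEST-NET address: a redirect, not a block
192.168.1.10    intranet.example.local
"""


def parse_hosts(text: str) -> Iterator[tuple[int, str, str]]:
    """Yield (line_no, ip, hostname) for each mapping in a hosts file.

    '#' starts a comment, whitespace separates fields, and one line may
    list several hostnames for a single address.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def is_watched(hostname: str) -> bool:
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_av_hosts(text: str) -> list[dict]:
    """Return one finding per watched domain that is pinned in the hosts file."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            verdict = "malformed"
        else:
            # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are unspecified.
            verdict = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": ip, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_blocked_av_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['verdict']})")
```

On a live Windows host the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a "redirected" verdict deserves more attention than a "blocked" one, because it means update traffic may be going to a server the attacker controls rather than simply failing.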
Stewart, a Senior Security Researcher at SecureWorks, said he had never seen anything like it before. It is original: it keeps all of the system's resources for itself, since it has to compete with mass-mailing viruses. The Trojan actually limits the amount of spam these mass-mailing viruses can send.
SpamThru has its own AES-encrypted (Advanced Encryption Standard), template-driven spamming engine. SpamThru can generate random variations of each spam image to defeat pattern-based detection methods.
Stewart writes that although automated spam networks built by malware (Bobax, Sober, Bagle and others) have been seen before, this one belongs to the more sophisticated end of the spectrum. The project rivals commercial software in its complexity and scope; clearly, the criminals have invested a good deal in infrastructure to maintain their income.
SpamThru also uses an anti-virus program against its potential rivals. First, the Trojan requests and downloads a DLL (Dynamic Link Library) from the author's command-and-control server. It then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a hidden directory on the compromised system.
The license signature check in the Kaspersky DLL has been patched so that the scanner does not refuse to run because of an expired or invalid license, said Stewart. Ten minutes after the DLL is downloaded, it begins scanning the machine for malware, skipping files that are part of SpamThru's own installation.
Stewart adds that every so often a particular piece of malware turns out to be very interesting. One such piece is the Trojan known, among other names, as Troj/SpamThru.
Related article: Trojans to Target VoIP in 2006
» SPAMfighter News - 25-10-2006