SpamThru Trojan Includes AV Software
David Utter Staff Writer
2006-10-24
The sophistication of malware took a dramatic step up with the analysis of the SpamThru Trojan, which brings along its own copy of Kaspersky AntiVirus for WinGate to scan for and delete rival malware on a victim's system.
Spam has not truly been about blasting millions of messages into inboxes for some time. It is about criminal activity, and about making a lot of money by being careful about how a piece of malware is coded.
Unlike the 1970s, when the fate of a rival Mafioso would be a spray of bullets over a plate of veal parmigiana, the SpamThru Trojan wields antivirus software to eliminate competitors on a system.
That's one of the activities going on with the SpamThru Trojan, according to SecureWorks. A recent post by Joe Stewart at the company's Research Center site discussed SpamThru. The malware has so much going on that it should be the focus of criminal investigations.
SpamThru takes a new angle on controlling a system and shutting out other criminal software from operating on the compromised PC:
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address.
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system.
It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
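The hosts-file trick Stewart describes is easy to check for on a suspect machine: any line that maps an AV vendor's update hostname to a loopback or unspecified address is a sinkhole, because the update request can never leave the box. The following is an added example written for this article, not code from SecureWorks or from the SpamThru analysis. The watchlist of vendor domains is an illustrative assumption (a real one would come from the vendors of whatever products you run), and the hosts-file content is constructed, not a capture from an infected system.

```python
import ipaddress

# Illustrative watchlist of AV update hostnames. Assumption: a real list
# would be built from the update servers of the products actually deployed.
AV_UPDATE_DOMAINS = (
    "kaspersky-labs.com",
    "liveupdate.symantecliveupdate.com",
    "update.nai.com",
    "sophos.com",
    "windowsupdate.microsoft.com",
)


def _is_sinkhole(ip_text):
    """True if the address is loopback (127.0.0.0/8, ::1) or unspecified
    (0.0.0.0, ::), i.e. the update request can never reach the vendor."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches_watchlist(hostname, watch):
    """Match the hostname itself or any subdomain of a watchlisted domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text. Comments and blank
    lines are ignored, and one line may carry several hostnames."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for name in parts[1:]:
            yield ip, name


def find_av_update_hijacks(text, watch=AV_UPDATE_DOMAINS):
    """Return [(ip, hostname)] for watchlisted names that the hosts file
    redirects to a loopback or unspecified address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if _matches_watchlist(name, watch) and _is_sinkhole(ip)]


# Constructed sample: a default-looking hosts file with injected entries of
# the kind the article describes. Not a capture from a real infection.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1   downloads1.kaspersky-labs.com downloads2.kaspersky-labs.com
0.0.0.0  liveupdate.symantecliveupdate.com
::1     update.nai.com   # IPv6 loopback serves the attacker just as well
10.0.0.5  intranet.example.com
"""

if __name__ == "__main__":
    for ip, name in find_av_update_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live Windows system, read the file at the path Stewart names (%sysdir%\drivers\etc\hosts, under the Windows system directory) and pass its contents to `find_av_update_hijacks`. The check deliberately treats 0.0.0.0 and ::1 the same as 127.0.0.1, since any of them blocks the update just as effectively as the localhost redirect the article mentions.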
As they say on the late-night TV commercials, "But wait, there's more." Stewart noted that each SpamThru client also serves as a spam engine. It downloads spam templates from a remote server, and the templates are encrypted with AES (Rijndael), the current standard in symmetric encryption.
"The complexity and scope of the project rivals some commercial software," said Stewart. "Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income."
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.