SpamThru, a trojan that caught the attention of researchers at SecureWorks, uses a variety of techniques to disguise itself from anti-virus technology, not the least of which is its ability to use anti-virus software to disable other malware.
Malware attempting to avoid detection from security software is nothing new, according to SecureWorks research analysis penned by Joe Stewart, but the use of anti-virus tools to do so is.
"SpamThru takes the game to a new level, actually using an anti-virus engine against potential rivals," he said, referring to the trojan's use of a pirated copy of Kaspersky Anti-Virus software to scan a compromised system for other malware.
SpamThru, like numerous viruses found this year, is designed to send out spam messages from an infected PC. However, SpamThru also uses a custom p2p protocol to share information with other infected machines, including the IP addresses, ports and software versions of the control server and other peer computers, according to SecureWorks' advisory.
The network of infected PCs is run by a control server. If that server is taken down, the spammer can update peers with the location of a new control server using p2p technology.
Stewart told SCMagazine.com today that its use of p2p technology is what makes the trojan unique.
"What (use of anti-virus technology) is interesting to most people because of the fact that viruses aren't well known for using anti-virus," he said. "But what's actually more fascinating is the way it uses its own p2p protocol. We've seen other kinds that use p2p, but this is the first that uses it in a spam-pumping operation."
Craig Schmugar, virus research manager at McAfee Avert Labs, told SCMagazine.com today that he does not see variations of the trojan being produced en masse.
"We've seen threats use p2p in the past, but to my mind, this is the first time anti-virus has been used to clean out the competition and delete files," he said. "It's not such a generic technique. One other thing it tries to do is to modify the host file to disable anti-virus updates from happening - and seen here, it's kind of clunky."
"Prevalence isn't really the main concern here, the technology is," he added.
Ron O'Brien, senior security analyst for Sophos, told SCMagazine.com today that the use of anti-virus solutions for malware's own benefit is the latest way spammers are avoiding security vendors.
"The creation of malware to (use a trojan to distribute spam) isn't new, but quite frankly, as soon as we come up with new ways of blocking spam, spammers come up with new ways (of sending it). It's the inevitable reinvesting in your product," he said. "It's using a specific security company in order to disable the existing security."
SpamThru trojan uses p2p, anti-virus solutions to wipe out competitors, spread spam
By Frank Washkuch on Oct 23, 2006 7:36PM