Wednesday October 25, 2006 JST

Attention - NEW spambot software

Security experts have discovered new spambot software that installs its own antivirus scanner to eliminate competition, alongside a number of other sophisticated features.


SecureWorks has described the Trojan, which it calls SpamThru, in detail. Other vendors have come up with different names for the software. One sign of its sophistication, SecureWorks said, is that few antivirus scanners detect it yet.

“SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code,” said SecureWorks’ Joe Stewart in the company’s analysis.

SpamThru is a Trojan that turns a system into part of a network of bots designed to send out spam, a type of operation that has been around for several years. While the Trojan's network doesn't seem especially large so far, at a couple of thousand bots, SpamThru shows that criminals are now able to treat spam software development just like any other commercial development endeavor, Stewart said.

“The complexity and scope of the project rivals some commercial software,” he wrote. “Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income.” The company has come across previous Trojans that attempt to switch off other malware in order to maximize system resources, but SpamThru goes further: it installs a pirated copy of Kaspersky AntiVirus for WinGate, customized, naturally, to skip files known to be part of SpamThru itself.

“It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license,” Stewart wrote. It uses a custom peer-to-peer protocol to control communication with the network, which makes the bot network harder to kill. “Control is still maintained by a central server, but in case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server, as long as he/she controls at least one peer,” Stewart wrote.

Each client has its own spam engine, creating spam from a template that’s transmitted using AES encryption to avoid giving access to competing spammers, SecureWorks said.

Sunday October 22, 2006 JST

Spam Trojan Installs Own Anti-Virus Scanner

Veteran malware researcher Joe Stewart was fairly sure he’d seen it all until he started poking at the SpamThru Trojan—a piece of malware designed to send spam from an infected computer.

The Trojan, which uses peer-to-peer technology to send commands to hijacked computers, has been fitted with its own anti-virus scanner—a level of complexity and sophistication that rivals some commercial software.

“This is the first time I’ve seen this done. [It] gets points for originality,” says Stewart, senior security researcher at SecureWorks, in Atlanta, Ga.

“It is simply to keep all the system resources for themselves—if they have to compete with, say, a mass-mailer virus, it really puts a damper on how much spam they can send,” he added.

Most viruses and Trojans already try to stop anti-virus software from downloading updates by editing the hosts file so that the vendors' update sites resolve to the localhost address.
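The hosts-file trick above is cheap to check for. The following is an added example, not code from the article or from SecureWorks' analysis: it parses a hosts file, ignores comments, and reports any watched update hostname mapped to a loopback, unspecified or link-local address. The watch list is illustrative (a real deployment would carry the domains of the scanners actually installed) and the tampered hosts file is constructed for the demonstration.

```python
"""Flag hosts-file entries that sinkhole anti-virus update sites.

Added example, not part of the original article. The domain list is
illustrative and the sample hosts file below is constructed.
"""
import ipaddress

# Illustrative watch list of vendor update hostnames.
WATCHED_DOMAINS = (
    "update.symantec.com",
    "liveupdate.symantecliveupdate.com",
    "downloads.kaspersky-labs.com",
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
)

# Constructed sample of a hosts file a spambot has edited.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   update.symantec.com
127.0.0.1   LIVEUPDATE.symantecliveupdate.com   # blocked
0.0.0.0     downloads.kaspersky-labs.com
192.0.2.10  intranet.example.test
::1         localhost
"""


def _is_sinkhole(addr: str) -> bool:
    """True for addresses that make a hostname unreachable:
    loopback (127.0.0.1, ::1), unspecified (0.0.0.0, ::) or link-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def _matches_watch(hostname: str, watched) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot tolerated."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watched)


def find_hosts_redirects(hosts_text: str, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, address) for every watched hostname that
    is mapped to a sinkhole address. Comments and blank lines are skipped;
    a line may carry several hostnames after the address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if not _is_sinkhole(addr):
            continue
        for name in names:
            if _matches_watch(name, watched):
                findings.append((line_no, name.lower(), addr))
    return findings


if __name__ == "__main__":
    for line_no, name, addr in find_hosts_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

Two caveats when running this on a real host: the entry for `localhost` itself is never flagged because only watched domains count, and the file Windows actually consults is wherever the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` points, so read that value rather than assuming `%SystemRoot%\system32\drivers\etc\hosts`.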

Malicious hackers battling for control over an infected system have also removed competing malware by killing processes, removing registry keys, or setting up mutexes that fool the other malware into thinking it is already running and then exiting at start.

But, as Stewart discovered during his analysis, SpamThru takes the game to a new level, actually using an anti-virus engine against potential rivals.

At start-up, the Trojan requests and loads a DLL from the author’s command-and-control server.

This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.

It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said.

Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation.

“Any other malware found on the system is then set up to be deleted by Windows at the next reboot,” he added.
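"Deleted by Windows at the next reboot" leaves a forensic trace worth checking on a suspected SpamThru host. The following is an added example, not code from the article or from SecureWorks, and it rests on an assumption the article does not state: that the deferred deletion is the standard MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) mechanism, which queues its work in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` as alternating source/destination strings, with an empty destination meaning "delete". The sample value is constructed.

```python
r"""List files queued for deletion at the next reboot.

Added example, not part of the original article. Assumption: the deferred
deletion uses MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), whose queue lives in
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(REG_MULTI_SZ, alternating source and destination; empty destination = delete;
a destination starting with "!" means "replace existing"). Sample is constructed.
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"   # MoveFileEx stores NT object paths, e.g. \??\C:\...

# Constructed sample, shaped like the list winreg.QueryValueEx() returns
# for a REG_MULTI_SZ value: source, destination, source, destination, ...
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\system32\drivers\legit.sys.tmp",   # an installer's rename
    r"!\??\C:\WINDOWS\system32\drivers\legit.sys",
    r"\??\C:\WINDOWS\system32\rival_mailer.exe",        # deletion: empty target
    "",
    r"\??\C:\Documents and Settings\user\Local Settings\Temp\~bot.dll",
    "",
]


def _clean(path: str) -> str:
    """Drop the replace-existing marker and the NT prefix for display."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def parse_pending_ops(value: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Turn the flat REG_MULTI_SZ list into (source, destination) pairs;
    destination is None for deletions. An odd-length list (truncated or
    tampered value) raises rather than silently dropping the last entry."""
    if len(value) % 2:
        raise ValueError("PendingFileRenameOperations has an odd number of strings")
    ops = []
    for src, dst in zip(value[0::2], value[1::2]):
        ops.append((_clean(src), _clean(dst) if dst else None))
    return ops


def pending_deletions(value: List[str]) -> List[str]:
    """Paths queued for deletion (the case described for SpamThru), renames excluded."""
    return [src for src, dst in parse_pending_ops(value) if dst is None]


if __name__ == "__main__":
    # On a live Windows host the value is read with the standard library:
    #   import winreg
    #   key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
    #                        r"SYSTEM\CurrentControlSet\Control\Session Manager")
    #   value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    for path in pending_deletions(SAMPLE_PENDING):
        print("scheduled for deletion:", path)
```

Legitimate installers and patching tools use the same queue for renames, so the signal is the deletions of executables and DLLs from temp and system directories, not the presence of the value itself; the value is also consumed and removed by Session Manager early in boot, so it has to be captured before the machine is restarted.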

At first, Stewart said he was confused about the purpose of the Kaspersky anti-virus scanner.

“I theorized at first that distributed scanning and morphing of the code before sending the updates via P2P would be a clever way to evade detection indefinitely,” he said, but it wasn’t until he looked closely at the way rival malware files were removed that he realized this was a highly sophisticated operation working hard to make full use of stolen bandwidth for spam runs.

Stewart also found SpamThru using a clever command-and-control structure to avoid shutdown.

The Trojan uses a custom P2P protocol to share information with other peers—including the IP addresses and ports and software version of the control server.

“Control is still maintained by a central server, but in case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server, as long as he/she controls at least one peer,” he said.

Stewart found that the network generally consists of one control server (running multiple peer-nets on different ports), several template servers, and around 500 peers per port.

There appears to be a limit to how many peers each port can effectively control, as the overhead in sharing information between hosts is fairly large, he added.

“The estimated number of infected hosts connected to the one control server we looked at was between one and two thousand across all open ports,” Stewart added.

The operation uses template-based spam, setting up a system where each SpamThru client is its own spam engine, downloading a template containing the spam, random phrases to use as hash-busters, random “from” names, and a list of several hundred e-mail addresses to send the advertising to.

Tuesday October 10, 2006 JST

Microsoft Vista: Wait ’til 2008

Microsoft’s Vista is expected to ship early next year, but companies shouldn’t even think about deploying the new operating system until well into 2008, Gartner analyst Michael Silver says.

Speaking to several hundred IT executives at the Gartner Symposium/ITExpo, Silver said companies need a good 12 to 18 months to plan, test and pilot Vista before they move to a full-blown rollout. He added that virtually every company will migrate to Vista eventually, simply because sooner or later they’ll have to.

But he said that there also are attractive new features in Vista, including built-in antispyware protection and data encryption.

Silver said the decision on when to move to Vista depends on what operating system the company is using. Companies running Windows 2000 should start planning and budgeting immediately for a Vista rollout in 2008. Companies running XP should wait until it’s time for a regular hardware refresh, and deploy Vista on the new hardware. If that means rolling out Vista in stages, as different hardware ages out, that’s fine, Silver said.

He recommended rolling out Microsoft Office all at once, however, because of the training that will be required to acquaint users with the new applications. The new version of Office also is expected to ship next year, but Silver recommended companies not deploy Office until they deploy Vista.

Silver said Vista will have some exciting new features, including PDF creation, XML-based document formats and improved collaboration tools.


Monday January 16, 2006 JST

Anti spyware guidelines get final version

The Anti Spyware Coalition, whose members include Microsoft, Symantec, Computer Associates, McAfee, AOL and Yahoo, said on Thursday that it has finalized its spyware detection guidelines. The final version takes into account public comments on a proposed version introduced in October.

Spyware and adware have become widely despised for their sneaky distribution tactics, unauthorized data gathering and tying-up of computer processing power. Although adware makers say there are legitimate uses for their programs, an entire anti spyware market has been spawned to combat the stuff.

The Anti Spyware Coalition’s guidelines, or risk model description, aim to provide a common way to classify spyware, based on risks a piece of software poses to consumers. They also suggest ways to handle software, based on those risk levels.

Among the behaviors the group considers high-risk are programs that replicate themselves via mass e-mails, worms and viruses. Also, programs that install themselves without a user’s permission or knowledge, via a security exploit, are also deemed high-risk, as are programs that intercept e-mail or instant messages without user consent, transmit personally identifiable data, or change security settings.

The coalition hopes the final guidelines, which have changed little from the proposed version, will lead to better anti-spyware products. To that end, Cybertrust, through its ICSA Labs unit, is planning to certify products that meet the guidelines. Consumers should see the first products with its anti-spyware seal of approval within the next few months, the IT security and risk management company said.

Monday December 12, 2005 JST

Portals get together on anti-spyware standard


DECEMBER 13, 2005

An anti-spyware initiative backed by internet portals Yahoo and AOL will certify downloadable software as consumer friendly and non-invasive.

Under the program, developers who want to obtain certification will have to prove their software can be easily removed from computers once installed.
TRUSTe, an organisation that certifies and monitors website privacy and email practices for businesses, will rely on testing by two outside labs for the vetting of the software. It did not name the labs.

Developers earning TRUSTe’s certification will not be permitted to promote that fact, executive director Fran Maier says.

Rather, TRUSTe will issue a “white list” of trusted programs that partners Yahoo, America Online, CNET Networks and other web publishers may use in deciding whose software they wish to ally with or distribute.

The Trusted Download Program is to begin early next year. TRUSTe may suspend or revoke certifications for violations, and lost certification may mean revenue loss for software developers from lost distribution channels on major websites, the program’s backers say.

“It creates market incentives that will change how consumers see software,” Yahoo product justice vice-president Doug Leeds says.

Backers of the initiative say consumers would not benefit much from a system in which good software simply displays seals of approval. “They’re looking for us to do it for them,” Leeds says.

Yahoo could use the certifications to decide whether it wishes to make its search results available to other companies as a component of their toolbars and other software products, he says.

For its part, AOL could use the certification to decide where to place ads and which ads to accept, AOL integrity assurance vice-president Jules Polonetsky says. For example, before advertising AOL’s Moviefone website through third-party software that generates ads, AOL could check to make sure the software’s developer meets TRUSTe’s standards.

Yahoo is among the major internet companies that have been accused in the past of benefiting from adware companies with questionable installation practices.

Leeds says applications and the way they are distributed change so often that companies such as Yahoo have difficulty keeping up. A certification program, he says, will allow Yahoo to keep monitoring a partner’s practices.

CNET is not planning to require certification for software distributed from its Download.com site, but it is one factor that will be considered, Download.com senior vice-president Scott Arpajian says.

Other companies backing the initiative are internet service provider Verizon Communications and anti-spyware vendor Computer Associates.

AP

The Australian
