SpamThru. Parasite with built-in antivirus

No, it’s not a joke. And this time it is not a rogue security product either. Some modern malware now comes with an integrated antivirus tool: real, perfectly working software. Why would an ordinary parasite need one? Well, if that parasite is a sophisticated project whose complexity rivals some commercial products, and whose functionality makes its authors a lot of money, then why not?

You are probably confused by now, so let’s shed some light on this mysterious SpamThru.

A few days ago, Joe Stewart, a veteran malware researcher at SecureWorks, a company providing managed security services, stumbled upon a trojan whose main functionality is using the infected system to send out large amounts of spam e-mail. At first sight, the trojan seemed to be a well-known pest from the SpamThru family, trojans with the same functionality. However, one thing was different: the new variant secretly downloaded a pirated copy of Kaspersky Anti-Virus for WinGate.

Let’s make a little digression now. Many spyware and viral parasites attempt to disable installed antivirus software, spyware removers, firewalls and other security-related applications. Some of them also detect and cripple competing threats in order to gain control over the entire system and use all of its resources without having to share them with other pests, some of which are dumb enough to quickly reveal their presence.

Typical parasites with such functionality usually disable only relatively simple threats, in order to avoid drawing attention to themselves. The new SpamThru trojan, however, has another aim. It works as part of a botnet which usually consists of between one and two thousand infected machines. This botnet sends out a massive amount of spam, which makes really big bucks for the trojan’s authors. But keeping such a botnet together is a difficult task in which time is the critical factor. Infected computers eventually get cleaned up, sooner or later, so the period while SpamThru is still present must be used for maximum output. That is why the parasite downloads Kaspersky, installs it on the system and sweeps out all malware except itself, leaving the system as clean and fast as possible.

It should be noted that SpamThru, although it uses innovative techniques, is actually quite easy to detect and remove. It uses only one or a few executable files and several registry keys in classic locations. There are no rootkits or special system drivers at all. Of course, SpamThru’s authors could simply work hard on improving the parasite. However, as statistics show, every new parasite gets a removal tool sooner or later. Downloading a cracked antivirus is much easier today.
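Because the article says the trojan relies on a few executables and registry keys in the classic locations, the check a practitioner would actually run on a suspect machine is an autorun sweep. The PowerShell script below is an added example, not code from the article or from SecureWorks, and it is not a SpamThru signature: the list of run keys is the standard Windows set, while the "trusted directory" heuristic, the function names and the output fields are assumptions of this example chosen to surface any entry that starts a program from an unusual place or points at a file that no longer exists.

```powershell
# Added example: enumerate the classic autorun registry locations and flag
# entries whose target lives outside Program Files / the Windows directory,
# or whose target file is missing. The key list is the well-known Windows set;
# the trusted-root heuristic is an assumption of this example, not a fact
# about SpamThru.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where a legitimate autorun entry normally lives; anything else is flagged.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExecutablePath {
    param([string]$Command)
    # Reduce a command line to its executable:  "C:\x\y.exe" /arg  ->  C:\x\y.exe
    $exe = if ($Command -match '^\s*"([^"]+)"')   { $Matches[1] }
           elseif ($Command -match '^\s*(\S+\.exe)') { $Matches[1] }
           else { ($Command -split '\s+')[0] }
    # Registry values often use %SystemRoot% style variables; expand them first.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SuspiciousAutoruns {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $exe      = Get-ExecutablePath -Command ([string]$p.Value)
            $exeLower = $exe.ToLowerInvariant()
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exeLower.StartsWith($root)) { $inTrusted = $true; break }
            }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            if (-not $inTrusted -or -not $exists) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Path    = $exe
                    Exists  = $exists
                    Reason  = if (-not $exists) { 'target missing' } else { 'outside trusted roots' }
                }
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys are readable. Every flagged row still needs a human look, since plenty of legitimate software starts from the user profile, but a spam bot that only persists through these keys and a single binary will show up here, and an entry whose file has already been removed by an antivirus (the trojan's own, in this story) is itself a useful hint that something else was on the box.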

As people say, if your computer runs slowly and crashes too often, then you most likely have spyware or viruses. But even if your system runs smoothly and there are no signs of infection, don’t be so sure that you are clean. Maybe it’s a parasite with a built-in antivirus that is creating the illusion.

