Trojan uses hacked antivirus code

A new 'spambot' virus is doing the rounds that is able to masquerade as an anti-virus scanner to eliminate competition from other malware.

Having infected the host system and acted to protect itself, it goes about its task of circulating spam, warn experts.

The malware, named SpamThru, is practically undetectable by other virus scanners as its code is constantly mutating. Security vendor SecureWorks, which was one of the first to identify the threat, says that SpamThru is a Trojan that converts a system into an army of bots designed to spread unwanted email.

"Detection by AV vendors is sparse," said Joe Stewart, a security expert with vendor SecureWorks.

"But that's to be expected given that SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code.

Security analysts say that SpamThru is a token of how sophisticated malware writers are becoming, and that they are treating their work as though it were a normal commercial activity.

"The complexity and scope of the project rivals some commercial software," said Stewart. "Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income."

SpamThru works by installing a counterfeit copy of Kaspersky AntiVirus, which disables other software on the system that could harm its chances of success.

Stewart says it uses a custom peer-to-peer protocol to control communication with the network, which makes it harder to eradicate.

He says malware that blocks user access to regular anti-virus software is not unknown, but believes this is the first virus that comes complete with its own anti-virus protection.

Major security software vendors have now issued a malware signature and users are urged to update their scanning engines.

Email to a friend

Print this page