New Bug Installs Legit Anti-Virus Program

Are you using a Microsoft Windows machine to cruise the Web but don't have up-to-date anti-virus software installed? No worries: A sophisticated new breed of malware identified this week will silently download and install a legitimate anti-virus program on your computer if it manages to sneak its way onto your machine.

But this isn't a good thing, as the malware is really intended to make it easier for spammers to do their business. For several years now, the top method for sending spam has been to infect Microsoft Windows machines with malware that turns the PCs into "zombies" (or "bots") that bad guys can use to anonymously relay junk e-mail. Tons of malware in circulation today will actively search for and remove other hacking programs that may have already set up shop on infected computers. The goal for the spammers is efficiency -- they want to ensure their bot networks are not cluttered with competing malware that might otherwise slow the machines to a crawl and alert the victims to a problem.

A new class of bot programs seeks to accomplish that task by downloading and installing a pirated version of Kaspersky Anti-virus, according to research published by Joe Stewart, a researcher for Atlanta-based SecureWorks.

"Although we've seen automated spam networks set up by malware before ... this is one of the more sophisticated efforts," Stewart wrote. "The complexity and scope of the project rivals some commercial software. Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income."

Stewart says the invader (which he dubbed "Spamthru" because the few anti-virus tools that did detect it as malicious assigned it a nondescriptive, generic name) also updates itself using a custom-made peer-to-peer (P2P) method similar to those employed by popular file-trading networks. Most bots are configured to connect to a central online chat or Web server that attackers can use to control the activities of infected PCs, but those control servers can be a single point of failure for the bad guys if the good guys succeed in convincing an Internet service provider to shut them down.

By having P2P as a back-up, spammers can redirect zombie machines to a new control server if the master server is shuttered. All it takes is sending a command to one of the infected PCs and having it relayed to the rest of the drone army.

This is hardly the first time a bot program has tried to implement P2P. Others, such as the Phatbot family of malware, include built-in file-sharing capabilities, but the networks almost always choke after more than a few dozen infected machines try to exchange information. According to Stewart, the new bot can accommodate communications between several thousand PCs at once.

People who spend a lot of time tracking down and combating botnets have long feared that P2P would become the normal mode of communications between infected PCs, and that spammers also would encrypt the traffic to make it difficult for the good guys to gather intelligence on botnet operations. While "Spamthru" does include encryption, the data-scrambling technique is used only to prevent investigators from downloading the HTML code that each infected host is directed to send out in its spam runs.

Should the spammers decide to encrypt all of the traffic traveling over a botnet's P2P channels, it could soon become a lot tougher for botnet hunters like ChangeIP.com President Sam Norris, whom I interviewed earlier this year for a Washington Post Magazine article.

In that piece, I wrote: "Norris shares that fear and worries that more botmasters will begin to exploit emerging peer-to-peer communication technologies of the sort that power controversial music- and movie-sharing networks like Kazaa and LimeWire. Such networks would allow enslaved computers to communicate instructions and share software updates among one other, so that they would no longer depend on orders from the master servers that Norris and other bot hunters search out and disable every day.

"'When P2P becomes the norm with these bots,' Norris says, 'that's when I call it quits with this botnet stuff, because, at that point, it will be pretty much out of my hands.'"

By Brian Krebs  |  October 23, 2006; 8:39 AM ET
Categories:  Latest Warnings  
© 2010 The Washington Post Company