Sophisticated spam Trojan unmatched

Veteran security expert Joe Stewart thought he had seen every kind of malware until he came across the SpamThru Trojan, a malicious program designed to send spam from infected computers.

The Trojan uses P2P technology to relay commands to hijacked PCs and comes equipped with its own virus scanner, comparable in complexity and sophistication to mainstream antivirus scanning software.

"This is the first time I've encountered this phenomenon," Stewart exclaimed. He currently works as a senior security researcher at SecureWorks.

"The purpose of this virus scanner is simply to protect the Trojan's 'resources': if it has to compete with a mass-mailing virus, it will eliminate the obnoxious opponent."

Picture 1. Source: codycafe

The vast majority of viruses and Trojans today merely try to stop antivirus software from downloading updates; fighting rival malware in this way is rare, if not the first case of its kind. SpamThru has lifted the game to a new level by using an entire antivirus tool to crash the "party".

However, the motivation is not hard to understand: each hacker wants to be the only one in control of a compromised computer. Naturally, hackers fight one another, finding ways to disable rival malware by deleting its registry keys or tricking it into thinking it is already running.

Smart and cheeky

Initially, the Trojan loads a DLL from a hacker-controlled central server. It then downloads a pirated copy of Kaspersky Antivirus to the infected computer. Ten minutes after downloading the DLL, it starts scanning the system to remove other malware, ignoring its own "home" files.

"Any malware detected will be deleted by Windows on the next reboot," Stewart explained. He himself was initially puzzled by the hackers' purpose in installing Kaspersky's virus scanner.

"I just thought it was disguising itself cleverly. It was not until I analyzed it more carefully that I realized it was a very sophisticated mechanism the hackers had devised to capture bandwidth for their spam."

Moreover, SpamThru uses an extremely clever command-and-control mechanism to avoid being shut down. It uses a customized P2P protocol to share information with other peers, including the IP address, ports and software version of the control server.

If the control server is taken down, the spammer can push the details of a new control server to every peer in the network.

Spam messages sent by SpamThru are built from ready-made templates, with random phrases inserted into the content and random sender names. The templates are encrypted and protected by a special authentication method, preventing others from downloading them.
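The template-plus-random-filler scheme described above defeats filters that match on exact message hashes or sender addresses, but the shared template still leaves most of each message identical. The following is an added example, not code from the article or from SecureWorks, showing a defender-side near-duplicate check: it fingerprints message bodies with word bigram shingles, ignores the randomised sender, and clusters messages whose Jaccard similarity clears a threshold. The sample messages are constructed for the example, and the threshold of 0.5 is an assumption, not a value from the article.

```python
"""Near-duplicate clustering for template-generated spam (added example, not from
the article). Only the body text is fingerprinted; sender names are ignored
because the Trojan randomises them per message."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample messages (not real spam): the first three come from one
# template with a randomised sender and a random filler phrase appended; the
# fourth is an unrelated, legitimate message.
SAMPLE_MESSAGES = [
    {"sender": "Alice Brown", "body": "Hot stock alert! Buy XYZ shares now, before the price doubles. Blue sky morning."},
    {"sender": "Bob Carter", "body": "Hot stock alert! Buy XYZ shares now, before the price doubles. Silent river stone."},
    {"sender": "Carol Diaz", "body": "Hot stock alert! Buy XYZ shares now, before the price doubles. Yellow lamp garden."},
    {"sender": "Dan Evans", "body": "Meeting moved to Tuesday; please bring the quarterly report."},
]


def tokenize(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric runs, so punctuation and case
    differences between template instances do not affect the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = 2) -> Set[Tuple[str, ...]]:
    """Word k-grams (shingles) of a message body."""
    toks = tokenize(text)
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: Set, b: Set) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(m1: Dict[str, str], m2: Dict[str, str]) -> float:
    """Body-only similarity; the randomised sender is deliberately ignored."""
    return jaccard(shingles(m1["body"]), shingles(m2["body"]))


def cluster_messages(messages: List[Dict[str, str]], threshold: float = 0.5) -> List[List[int]]:
    """Greedy single-pass clustering: a message joins the first cluster whose
    representative (its first member) it resembles at or above the threshold,
    otherwise it starts a new cluster. Returns lists of message indices."""
    clusters: List[List[int]] = []
    for idx, msg in enumerate(messages):
        for cluster in clusters:
            if similarity(messages[cluster[0]], msg) >= threshold:
                cluster.append(idx)
                break
        else:
            clusters.append([idx])
    return clusters


if __name__ == "__main__":
    for cluster in cluster_messages(SAMPLE_MESSAGES):
        print(cluster, [SAMPLE_MESSAGES[i]["sender"] for i in cluster])
```

With the constructed input, the three template instances share 10 of 16 distinct bigrams (similarity 0.625) and fall into one cluster, while the unrelated message shares none and stands alone; a filter can then treat a large cluster of near-identical bodies from many different senders as a campaign rather than as unrelated mail.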

It can also vary the width and height of GIF images to bypass filters.
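Varying the declared size of an image spam attachment defeats filters that key on a whole-file hash, since a single changed header field yields a new hash. As an added example, not code from the article or from SecureWorks, the block below parses the GIF header the way a mail filter would and derives a fingerprint that skips the two 16-bit logical screen size fields, so canvas-size variation alone no longer changes it. It assumes the variation is confined to those header fields; if the pixel data itself is re-encoded, a perceptual image hash would be needed instead. The sample GIFs are constructed in the block.

```python
"""Dimension-agnostic fingerprinting of GIF attachments (added example, not from
the article). Assumes the spammer varies only the logical screen width/height
in the GIF header; re-encoded pixel data would need a perceptual hash instead."""
import hashlib
import struct
from typing import Dict

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
HEADER_LEN = 13  # 6-byte signature + 7-byte logical screen descriptor


def parse_gif_header(data: bytes) -> Dict[str, object]:
    """Return the version and logical screen size; reject anything not a GIF."""
    if len(data) < HEADER_LEN or data[:6] not in GIF_SIGNATURES:
        raise ValueError("not a GIF header")
    width, height = struct.unpack_from("<HH", data, 6)  # little-endian uint16 pair
    return {"version": data[:6].decode("ascii"), "width": width, "height": height}


def file_hash(data: bytes) -> str:
    """Plain whole-file hash: what a naive signature filter would compare."""
    return hashlib.sha256(data).hexdigest()


def dimension_agnostic_fingerprint(data: bytes) -> str:
    """Hash everything except the width/height fields at offsets 6-9, so that
    changing only the declared canvas size leaves the fingerprint unchanged."""
    parse_gif_header(data)  # validates the input before hashing
    return hashlib.sha256(data[:6] + data[10:]).hexdigest()


def make_sample_gif(width: int, height: int) -> bytes:
    """Constructed 1x1 white-pixel GIF whose logical screen is width x height.
    Only the two header size fields differ between variants."""
    header = b"GIF89a" + struct.pack("<HH", width, height) + bytes([0x80, 0x00, 0x00])
    palette = bytes([0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF])  # 2-colour global table
    image = b"," + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor
    image += b"\x02\x02\x44\x01\x00"  # LZW min code size, one data sub-block, terminator
    return header + palette + image + b";"  # trailer


if __name__ == "__main__":
    small, padded = make_sample_gif(1, 1), make_sample_gif(640, 480)
    print(parse_gif_header(small), parse_gif_header(padded))
    print("whole-file hashes equal:", file_hash(small) == file_hash(padded))
    print("fingerprints equal:",
          dimension_agnostic_fingerprint(small) == dimension_agnostic_fingerprint(padded))
```

The two constructed variants differ only in the declared canvas size: their whole-file hashes differ, while the dimension-agnostic fingerprints match, which is the property a filter needs to keep matching a known image spam template across size-randomised copies.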

Trong Cam
