
Trojan Installs Anti-Virus, Removes Other Malware

Zonk posted more than 7 years ago | from the clever-little-monkey dept.


An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."


202 comments

Hmm.. (4, Funny)

Anonymous Coward | more than 7 years ago | (#16527245)

It sounds a little too intelligent to have been designed by humans.

Cyclons? I hear they are hot!

Re:Hmm.. (5, Funny)

Aladrin (926209) | more than 7 years ago | (#16527281)

Cylons, I think you mean. And yeah, there's 2 or 3 that are pretty awesome. Nothing like having sextuplets for... well, sex.

But I do agree that this guy is either extremely forward thinking, or a madman. His own virus could prevent any further viruses he writes... That's... Stupid. :D

I was immediately outraged at the illegal install of software, but then I remembered the virus itself was illegal anyhow, so it didn't much matter. It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls. Somehow, it's just not that much worse.

Re:Hmm.. (4, Funny)

Dunbal (464142) | more than 7 years ago | (#16527613)

It's like murdering everyone in a church on Sunday, and then spraypainting graffiti on the walls.

Why spraypaint when you can use all the blood - it just looks so much cooler, uh, wait...

But make sure you do a good job! (0)

Anonymous Coward | more than 7 years ago | (#16528085)

Hmmm, maybe "good job" isn't the right phrase, but anyhow, you know what happened in Kill Bill! You don't want that happening to you!

Re:Hmm.. (1)

Doctor Crumb (737936) | more than 7 years ago | (#16528347)

Depending on his method of detecting/ignoring his own virus; if done right, he could be looking for a signature that his future virii share.

Potential for good, and evil (5, Funny)

Anonymous Coward | more than 7 years ago | (#16527255)

Wake me up when it also installs linux.

Re:Potential for good, and evil (1)

Jessta (666101) | more than 7 years ago | (#16527963)

Pretty much evil. First it's malicious software that allows a remote user to command your machine. Second, it installs anti-virus software that chews up computing resources without doing anything useful.

Re:Potential for good, and evil (4, Interesting)

joe 155 (937621) | more than 7 years ago | (#16528071)

"Second, it installs anti-virus software that chews up computing resources without doing anything useful."

I wouldn't say that. I must say that in principle I am against all software which you can't control and know the nature of, but if you've got infected by this then you may well have got infected by a whole host of other viruses - so this seems like a good thing.

Re:Potential for good, and evil (4, Insightful)

Jessta (666101) | more than 7 years ago | (#16528151)

Removing other malicious software doesn't make the machine at all secure. It just eventually frees up computing resources so the malicious software controller has a more efficient botnet.

Re:Potential for good, and evil (3, Interesting)

joe 155 (937621) | more than 7 years ago | (#16528197)

Indeed, it isn't secure, and in fact it'll still be part of a botnet (as I understand it), but the point I was making was that this is likely to have happened anyway - these computers are already as "owned" as they are likely to get. So it's a trade-off between being "owned" by someone who wants to steal your bank data, your passwords, and send out spam, or just being "owned" by someone who wants to do Denial of Service attacks and send spam.

If it's a choice I'll take the latter... Of course if there was an option which was open-source and didn't have its own malware then maybe we'd really be on to a winner.

Re:Potential for good, and evil (3, Informative)

DestinyBWL (169332) | more than 7 years ago | (#16528485)

It "seems" like a good thing, but there are three major reasons why it isn't:

A) It does so without you being aware.
B) It illegally installs software that you do not have a license for.
C) Most modern viruses and trojans are so complex that the only way to remove them is by disabling system restore and running thorough scans in safe mode and/or boot time scans.

So not only do you have no control over it and become an "unexpected software pirate", but you likely don't even get rid of the other trojans/viruses on your computer.

Plug: I have a step-by-step process writeup intended for the average joe on removing viruses at http://www.modemhelp.net/antivirus/ [modemhelp.net]

--
Bradford Liedel
ModemHelp.Net

Re:Potential for good, and evil (5, Funny)

SmurfButcher Bob (313810) | more than 7 years ago | (#16528415)

> Second, it installs anti-virus software that chews up computing resources without doing anything useful.

If *that* were true, it would have installed NAV.

*cough*

A virus that removes DRM ... good or bad? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16528621)

>> It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license.

Well if it weren't for the fact that it also hijacks your box, that might be seen as very useful functionality by many!

Taking this to a new level, I foresee white hats sending their own viruses out into the wild, which then battle it out with "bad" viruses and also exterminate other evils of today ... DRM and license locks included.

It might even help fight the RIAA extortion racket if P2P viruses were doing uploads. When your machine has been infected by a third party, then culpability by the machine owner is no longer certain.

This is great! (1)

rzei (622725) | more than 7 years ago | (#16527271)

Hopefully we will see a new "virus" war, hasn't it been quite a while since the last one?

(Or maybe I have just missed it, partly because at least I'm not aware of running any viruses on my Kubuntu system. Though, I guess most of people whose computers host viruses don't have the slightest clue it even being possible. Maybe I should at least check for rootkits :) )

Re:This is great! (5, Funny)

Mikya (901578) | more than 7 years ago | (#16527311)

Hopefully we will see a new "virus" war, hasn't it been quite a while since the last one?

There's a reason for all those extra cores in the upcoming processors. :)

Re:This is great! (5, Funny)

StarfishOne (756076) | more than 7 years ago | (#16527915)

Graphical Processing Unit, Physics Processing Unit,... Virus Processing Unit? :)

It should be noted though, that a "Virus Accelerator Board" is not a very good name from a marketing perspective! :P

Re:This is great! (1)

Abreu (173023) | more than 7 years ago | (#16528483)

It should be noted though, that a "Virus Accelerator Board" is not a very good name from a marketing perspective! :P

You just have to put a nice marketing spin on the name... Like "Internet App Accelerator" or "Web code facilitator", etc.

Re:This is great! (4, Funny)

Ruff_ilb (769396) | more than 7 years ago | (#16528525)

Viral marketing?

Re:This is great! (1)

StarfishOne (756076) | more than 7 years ago | (#16528635)

Touché, a nicely found pun! :)

One can wonder though if the viral marketing of virus accelerator boards improves by using their own virus accelerator boards in an attempt to accelerate their own viral marketing. :P

Hmm.. can the Singularity still be avoided? :D

Re:This is great! (4, Interesting)

Khabok (940349) | more than 7 years ago | (#16528643)

How about a dedicated antivirus board? I'm on a Mac so I dunno, but everyone around me is constantly complaining about the CPU load for antivirus software.

Imagine, then, a cheap processor (an Intel embedded-grade unit, for instance, running about 100-150 MHz) connecting to a new slot on the motherboard that runs background virus scans while your HD(s) is (are) idle. Got sensitive data or a long vulnerability list? Drop fifty, a hundred bucks and upgrade the card.

CPU load isn't the only reason for this either. Vista is trying to kill off antivirus software, remember? This could be a chance for hardware manufacturers to get McAfee, Norton, Symantec, and all them good ol' boys right back into the ball-game.

Dell? Are you listening? ...Bueller?

Re:This is great! (0)

Anonymous Coward | more than 7 years ago | (#16528219)

There's a reason for all those extra cores in the upcoming processors. :)


And the reason is for spammers to play real-life Core Wars [wikipedia.org]?

Re:This is great! (5, Interesting)

UPi (137083) | more than 7 years ago | (#16527313)

I was wondering how long before this actually happened. Back when my web server was under a barrage of malformed requests from infected IIS installations, I had the urge to create a script which would retaliate with exploiting, gaining access and patching the zombified computer... or at least, shut it down.

While I never actually did this, mostly due to lack of time and for fear of possible lawsuit, it was certainly possible. So now it's a reality, thanks to... whoever. I think it's a Good Thing.

Re:This is great! (4, Insightful)

raduf (307723) | more than 7 years ago | (#16527545)

How long will it be before somebody lobotomizes this to just install the anti-virus? Could be a new age in the spam wars...

Re:This is great! (5, Insightful)

risk one (1013529) | more than 7 years ago | (#16527679)

I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it (in fact I know there was, because I got 'hit' with it).

It's a nice way to fight zombies, and it might go some way to doing what legal/conventional means have failed to do by using the same viral nature of the original malware to clean the internet up. (While still trying to copy itself from cleaned pc's). The only problem with this is (besides the ethical bit about fighting fire with fire, which I don't really care about) is that the users won't know about it.

Getting infected to the point of having to have somebody clean your system up and install antivirus/firewall/antispyware and a safe browser and email client is a learning experience about how dangerous the internet is these days. If people have their system cleaned up without realizing it, the system may be clean but the people are none the wiser. The best thing, I think, would be to install free (as in beer) software, hiding it just until all scans are done and the system has been cleaned and protected, and then informing the user in some clear way what has happened, what they can do about preventing it in the future, and that they should probably get their system checked out by a human. It would have to do so in some way that doesn't get mistaken for a web-ad, like replacing the wallpaper with the message.

The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...

Re:This is great! (5, Informative)

scottv67 (731709) | more than 7 years ago | (#16528039)

I think that in the blaster days there was a copycat worm that downloaded the microsoft anti-blaster patch and installed it...

That would be Welchia:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99 [symantec.com]

...(in fact I know there was, because I got 'hit' with it).

The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.

Re:This is great! (1)

SScorpio (595836) | more than 7 years ago | (#16528281)

It might have been Code Red rather than Blaster, but wasn't there a Perl script that was placed on a webserver that would be triggered by a Code Red/Blaster attack and then it would perform the patch only on the machine it was attacked by? This was years ago though, and my mind is fuzzy so who knows.

Re:This is great! (3, Insightful)

raduf (307723) | more than 7 years ago | (#16528573)

The only problem with this approach is that it's illegal. And not just in the sense it's "not nice", it's actually risky: one machine in a thousand may get broken, and the owner can sue you. So anything you do you do as a criminal, meaning both risk and absolutely no recognition. I don't think many would do something as difficult for free and completely anonymous. People are just not that altruistic.

The official approach, Automatic Updates, is almost as good. Unfortunately Microsoft's main motivation is to make money, and working software is only a side effect (I don't find anything evil in that btw, MS has done more for IT than any other company). So the system isn't perfect, updates may be late or Automatic Updates may not be enabled. The "virus" way is better because it affects exactly the kind of targets normal trojans do. Bigger the disease, better the cure. It's almost biological in nature.

The problem with this scheme of course is that once they get their machine cleaned out the machine won't be spreading the worm anymore and it will lose out to other worms that have the luxury of staying completely still. Maybe if you let the worm hide for two weeks, and then inform the user...

Why? If the machine gets cleaned, that means it won't be infected anymore, but the existing software can function very well. That's why a compromised machine is compromised forever: you never know what may be lurking in there.

Re:This is great! (0)

Anonymous Coward | more than 7 years ago | (#16527811)

And I had always thought that the final war that would decimate mankind would be the war between the
toilet paper-overs and the toilet paper-unders...

Oddly enough, today's post was brought to you by the kaptchka 'perfumed'

Re:This is great! (1)

Hallucienda (893346) | more than 7 years ago | (#16527751)

How's it a good thing when it takes control of the PC and spams everyone to death? All it is doing is eliminating any competition?!

Re:This is great! (3, Interesting)

Tom (822) | more than 7 years ago | (#16527831)

Back in the day I actually installed this on my webserver. It was only after I had it running for a while that the number of exploited Windows servers attacking me dropped. I'm very sure that there is a kind of ground layer of infected PCs and servers that will never be cleaned up by their admins.

In fact, I think there's a much larger percentage where something-bad-and-visible-happening-to-the-machine is the most reliable way to get its clueless idiot users to reinstall, activate the firewall and/or run a damn virus scanner.

Remember: 10 years ago, the script kiddies taking over your machine wanted to shut it down, just to show you who's boss. Today, the organized criminals taking over your machine want it to stay up, so they can push as much spam out as possible.

Re:This is great! (3, Interesting)

v1 (525388) | more than 7 years ago | (#16528423)

You would think the authors of the "botnet takeover" viruses would make them such that once they gained control of a computer, they would do just this... patch the vulnerability that they used to get in in the first place, to prevent "competition" on the owned system?

Re:This is great! (1)

Abreu (173023) | more than 7 years ago | (#16528521)

I remember reading somewhere (in fiction) about some geneticist that was working on an altered HIV virus that destroyed the original HIV virus and malignant cells...

Basically a sexually transmitted AIDS vaccine...

Re:This is great! (4, Funny)

iMouse (963104) | more than 7 years ago | (#16527611)

Wait! I have the answer! Just install WinAntiVirus and WinAntiSpyware Pro 2006! It'll download the Trojan, you pay your $24 or whatever, and it all disappears!

Wait...what's that "annoying as hell" flashing icon in my taskbar for...?

Re:This is great! (1)

LordMaxxon (898539) | more than 7 years ago | (#16527869)

I seem to remember reading something like this once... CS students would design programs that would fight within a controlled server. The robotour and droidbattles games for Linux are based on this idea.

Re:This is great! (0)

Anonymous Coward | more than 7 years ago | (#16528171)

You're right...my concern when running Linux is what I might be unknowingly passing on to friends and family who are windows users. For that reason, I will rarely include an attachment in my emails and try not to forward anything I receive. I do check routinely for rootkits, but must admit I don't normally check my outgoing mail with clamav as I should.

Re:This is great! (4, Informative)

joe 155 (937621) | more than 7 years ago | (#16528309)

"Maybe I should at least check for rootkits"

You seem to say that as a joke, but I will answer seriously - you should. Just because you use Linux doesn't mean that you won't get rootkit'd... I'm not sure about Kubuntu, but with Fedora it comes as a default with SSH running and allowing root login - if you don't stop that, /var/log/secure quickly gets longer than your arm and sooner or later someone will be in... and the rootkits are never far behind.

You should put something like RKhunter on a clean install ideally so you can keep a check on what's going on. Also chkrootkit is quite good, although I find it a lot harder to read.
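The failure mode the comment above describes (root login left enabled over SSH, /var/log/secure filling with guesses until one succeeds) can be checked for directly. The following is an added example, not code from the thread: it parses constructed /var/log/secure-style sshd lines to count failed root password attempts per source, flags a root login that follows a run of failures from the same source, and reads the PermitRootLogin setting out of an sshd_config fragment (the sample log lines, hostnames and addresses are made up for the example).

```python
"""Added example: spot SSH password guessing against root in /var/log/secure
style log lines, and check whether sshd_config still permits root login.
All log lines and config text here are constructed samples."""
import re
from collections import Counter

# Classic sshd failure line as written to /var/log/secure via syslog.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Successful login line (password or public key).
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: a guess run against root that eventually succeeds,
# one stray failure from elsewhere, and a legitimate key-based login.
SAMPLE_LOG = """\
Oct 21 03:14:15 box sshd[2231]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 21 03:14:17 box sshd[2231]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 21 03:14:19 box sshd[2231]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 21 03:14:22 box sshd[2240]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Oct 21 03:15:01 box sshd[2251]: Failed password for root from 198.51.100.9 port 51011 ssh2
Oct 21 03:16:40 box sshd[2263]: Accepted password for root from 203.0.113.5 port 40190 ssh2
Oct 21 08:00:02 box sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""


def failed_root_attempts(log_text):
    """Count failed password attempts for root, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("user") == "root":
            counts[m.group("ip")] += 1
    return counts


def root_logins_after_failures(log_text, threshold=3):
    """Return source IPs that logged in as root after at least `threshold`
    failed root attempts from the same IP earlier in the log: the shape of a
    password guess that finally worked."""
    fails = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            if m.group("user") == "root":
                fails[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == "root" and fails[m.group("ip")] >= threshold:
            suspicious.append(m.group("ip"))
    return suspicious


def permit_root_login(sshd_config_text):
    """Return the effective PermitRootLogin value (lower-cased) from an
    sshd_config fragment, or None if it is not set and the compiled-in default
    applies. sshd honours the first occurrence of a keyword, so later
    duplicates are ignored here as well."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


if __name__ == "__main__":
    print("failed root attempts:", dict(failed_root_attempts(SAMPLE_LOG)))
    print("root logins after guessing:", root_logins_after_failures(SAMPLE_LOG))
    print("PermitRootLogin:", permit_root_login("PermitRootLogin no\n"))
```

A value of "yes" (or an unset keyword on an old release whose default was "yes") is what the comment is warning about; rkhunter or chkrootkit is the follow-up check once a root login from a guessing source has been seen.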

A wise move (5, Insightful)

Andy_R (114137) | more than 7 years ago | (#16527289)

Any system that is badly protected enough to get infected is probably already bogging down and in danger of the user getting it fixed. This is probably a very good strategy to improve the usefulness of the machine to the hijacker, and reduce the chances of the user doing anything about the infection. I'm surprised this hasn't happened before.

Re:A wise move (5, Interesting)

Pharmboy (216950) | more than 7 years ago | (#16527337)

Actually, I am waiting for the BSA to come in and sue the people whose machines were "infected" with this pirated version of Kaspersky AV software. The BSA poses a greater threat than the spyware that was removed.

User: "I didn't install it! I swear!"
BSA: "Yea right, it just installed itself...."

Re:A wise move (5, Funny)

jbourj (954426) | more than 7 years ago | (#16527385)

I can just see the rival spyware companies' lawsuit: "the users were never prompted and asked if they wanted our product removed."

Re:A wise move (1)

TubeSteak (669689) | more than 7 years ago | (#16528561)

Ummm, unless your license/contract with the software mfg/seller says that the BSA can audit your boxen, you can safely tell the BSA to piss off.

The BSA has no authority to hassle you unless you give it to them.

(AFAIK)

Coming up next... (5, Interesting)

Kjella (173770) | more than 7 years ago | (#16527295)

...plenty of other crapware removing that virus. Seeing how much of that crap can coexist on one machine, I imagine these people will be forced back in line. And I don't think anything like a "civil war" fought on users' computers will be good for the users either.

At least we know who knows who the operator is! (3, Insightful)

MavEtJu (241979) | more than 7 years ago | (#16527309)

During his analysis, Stewart found that SpamThru was being used to operate a spam-based pump-and-dump stock scheme.

Add one and one together, and you know who the operator of the botnet is.

Re:At least we know who knows who the operator is! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16527331)

SCO?

Re:At least we know who knows who the operator is! (2, Insightful)

raduf (307723) | more than 7 years ago | (#16527533)

I'm wondering if this is really an organisation's work. Stock schemes sound like the kind of thing that doesn't require clients or large resources. Could be a lone programmer somewhere, making money on his own.

A Trojan that Installs Anti-Virus & removes ot (5, Funny)

Anonymous Coward | more than 7 years ago | (#16527321)

Malware is commonly known as the Norton Antivirus installer. ;)

Re:A Trojan that Installs Anti-Virus & removes (1)

MooUK (905450) | more than 7 years ago | (#16527403)

There are some worse things than Norton/Symantec - and here I mean solely the antivirus; there is little worse than Norton's security suite as a whole.

Not that I'd ever use it given the choice.

Re:A Trojan that Installs Anti-Virus & removes (0)

Anonymous Coward | more than 7 years ago | (#16528381)

Consumes lots of bandwidth, and takes processor out of other processes,

uff... I thought that was the anticipated release of a "service pack 3" or "Windows Media Player 12".

Sounds like .. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16527335)

an extreme way of removing Norton's Anti-Virus ??!!

Re:Sounds like .. (4, Funny)

Orgazmus (761208) | more than 7 years ago | (#16527705)

Please don't use Peter Norton's name in connection with Symantec's Anti-CPU Suite. Thank you.

Re:Sounds like .. (2, Funny)

TheOtherChimeraTwin (697085) | more than 7 years ago | (#16528315)

Sorry, but The Geek Formerly Known As Peter sold his name along with his soul to the Symantec Overlords. He is now only known by the sequence 50696E6B205368697274.

Re:Sounds like .. (2, Interesting)

Fred_A (10934) | more than 7 years ago | (#16527987)

I don't believe there are any non extreme ways of getting rid of the damn thing. It has its little claws dug in deep and you have to bash it repeatedly on its ugly little head with a crowbar before it finally lets go (spewing gore everywhere).

I haven't had to uninstall it from friends' machines recently (so it might have gotten better, or worse) but I have fond memories of that thing. Reminded me of the headcrabs in HL2.

Darwin, Schmarwin (5, Funny)

CheeseburgerBrown (553703) | more than 7 years ago | (#16527339)

I know before too long there'll be some long and nearly interesting thread about the Darwinian loveliness manifest in this virus' competitive adaptation, but I think it instead provides a firm basis to identify the handiwork of Intelligent Design.

In other words, God spams.

He Is That He Is has simply moved on from meat-based proselytizing and entered the so-called Cyber Age, as was foreseen in Deuteronomy 4:20, Revelations 1:1415, and Glossary 36:D.

Re:Darwin, Schmarwin (0)

Anonymous Coward | more than 7 years ago | (#16527955)

Speak not of this unholy spam, for our god is manifest in spaghetti.

How can it have gotten to this stage? (0, Insightful)

Anonymous Coward | more than 7 years ago | (#16527341)

Spam is a Microsoft problem; they market software to users that are neither capable nor responsible. It's annoying because those of us who can use computers and are willing to take responsibility will be marginalized by Microsoft's cure: TCPA.

This sounds good (1)

Ice Wewe (936718) | more than 7 years ago | (#16527371)

Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation.

... And this is a bad thing, why?

Re:This sounds good (3, Insightful)

MooUK (905450) | more than 7 years ago | (#16527427)

Because that's not the only thing it does. If it was, I'd definitely consider it a good thing to infect all those without up-to-date antivirus software with.

Re:This sounds good (3, Insightful)

dangitman (862676) | more than 7 years ago | (#16527453)

... And this is a bad thing, why?

Uhhh, because it installs its own malware? Why do you think it's a good thing to have some scam software installed on your machine?

Re:This sounds good (0)

Anonymous Coward | more than 7 years ago | (#16527631)

... And this is a bad thing, why?


Because it's unauthorized to do it?

Great Idea! (5, Funny)

CalSolt (999365) | more than 7 years ago | (#16527379)

I'm just waiting for Microsoft to release a virus that'll force everyone to run Automatic Update. Think of how many problems it would solve!

Re:Great Idea! (0)

Anonymous Coward | more than 7 years ago | (#16527817)

wouldn't that be WSUS?

Re:Great Idea! (0)

Anonymous Coward | more than 7 years ago | (#16528429)

Uhh, they only just released one called "Genuine Advantage Notification Tool" that is designed to stop automatic updates.

This is really bad actually (4, Insightful)

majortom1981 (949402) | more than 7 years ago | (#16527413)

Why is everybody saying this is a good thing? This could be very bad. A virus or any malware that disguises itself as an antivirus would not be detected by anti-virus programs. It's actually very clever. Your machine would be infected and you might not even know it. Especially if you normally run Kaspersky.

Re:This is really bad actually (2, Insightful)

badpazzword (991691) | more than 7 years ago | (#16527571)

A virus or any malware that disguises itself as an antivirus would not be detected by anti virus programs.
Good antivirus programs scan whatever you tell them to. If you tell them to ignore executables or use some sort of whitelisting, then we have a "User error. Replace the user and press any key to continue."

The know-it-all Geek's flexible ethics (2, Insightful)

westlake (615356) | more than 7 years ago | (#16528125)

Why is everybody saying this is a good thing.

It's a fair question.

Software that installs without the user's knowledge or consent is by definition malware.

Microsoft asks users to temporarily disable AV when installing IE7 because the installer makes complex changes to the Registry. The install can be trashed by something as simple as an out-of-date signature file.

Troubleshooting conflicts with AV software can be a nightmare for non-technical end users and Kaspersky is no exception: Kaspersky Lab Forums > Protection for Home Users [kaspersky.com]

Where does that leave the user who doesn't know and cannot know that KAV is resident on his system?

Other information about this... (5, Informative)

Admin_Jason (1004461) | more than 7 years ago | (#16527451)

Naturally, this is a Windows specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that us /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this mal-ware with the "SpamThru" name. Of course, there are other variant names of this, so check with your vendor against these other possible iteratives:

* Backdoor.Win32.Agent.uu
* Spam-DComServ
* TROJ_AGENT.BOR

Removal instructions can also be found here [sophos.com]

Buy a Apple MacIntosh (3, Interesting)

macaroo (847109) | more than 7 years ago | (#16527461)

I sit here and happily run OSX 10.4.8 on my G4 powered Mac and laugh at the electronics and software wars taking place in the MS world. I clean Windows machines for a living and am not surprised at this development. Most machines can take a little malware infection, but are maintained when the owner can't boot anymore or the machine slows to a crawl.

Re:Buy a Apple MacIntosh (2, Interesting)

Admin_Jason (1004461) | more than 7 years ago | (#16527561)

Of course your Mac is safe, the OP article spoke to the Windows-specific nature of the trojan. Keep talking up the Mac though. More and more people are moving toward it, and I could see a day where trojans, ad-wares, spywares, and virus-writers start seeing the merit of engineering their wares toward the Mac OS. Hmmm...writing wares for an OS based on an open-sourced kernel...yeah, there's no danger in that [/sarcasm]

On a more serious note, please tell us you are speaking metaphorically about your laughter, as laughing at the resource which, by your own admission, provides you a job, does not paint you in the best of lights. Laughing at the plights of others is not only in bad taste, it certainly does nothing to boost the image of the rest of the tech world. We, as technically-minded people, should be trying to help and educate those who are not as adept with IT security. Rather than laugh at the plight, try taking an understanding and resourceful approach. "Well Mr. So-and-so, it seems you've gotten this nasty little virus that actually is a fairly new kind of threat, which is why your AV didn't catch it. I actually read about this nasty bugger on a forum I visit, and have a solid way of removing it for you. Just to let you know, I have a Macintosh at home, and that is not even at risk since this was written for Windows. If you'd like, I'd be happy to schedule some time to go over the benefits of migration with you and your people (or family or employees, or friends)."

I bet that gets you further than the approach you mentioned in your post.

cash cow (5, Insightful)

zogger (617870) | more than 7 years ago | (#16527667)

Now you see why windows remains the dominant desktop. It is because by its very nature it is a tremendous cash cow, going up and down and sideways across the IT food chain. Very, very few people are altruistic enough to work as hard as they can to put themselves out of business, especially once the work involved becomes more or less easy and routine.

Human nature, you can see it at work in a number of areas, take governments for example. It would be quite possible for governments to work towards fine tuning laws and processes to the point that they are clearly understood, as universally fair as possible, and requiring the least bit of constant interfering - they would have to fire themselves, voluntarily withdraw. It doesn't and won't happen though. Bad car analogy. Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer in the long run? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

And so on. You are trying to balance consumer desires with business desires for repeat sales and increasing sales and peripheral sales, in an economic system that values and rewards that over even just a maintenance of the status quo mode. So it obviously doesn't happen... not much anyway.

Re:cash cow (2, Interesting)

westlake (615356) | more than 7 years ago | (#16528371)

Could automakers make the million mile car that was super reliable, got good mileage, had decent power, and because of that, actually be cost effective for the consumer..? I bet they could, but there wouldn't be much incentive for them to remain in the car making business, as sales would drop off severely eventually. The fixit shops would hate it. The oil companies would hate it. Stockholders would hate it.

Henry Ford thought he had the perfect car in the Model T and so it was in 1915.

But times change. The definition of perfection changes.

The electric starter means you don't have to be a young adult male in his physical prime to drive an automobile without risking a broken arm or cardiac arrest every time you crank her up.

Hard-surfaced roads and reliable low-pressure tires mean you can build for speed and comfort. Mass production means you can build an all-metal, all-weather, closed car, the four door sedan, and price it within reach of anyone with a middle class income.

Re:Buy a Apple MacIntosh (5, Insightful)

Ginger Unicorn (952287) | more than 7 years ago | (#16527677)

Well, I run Linux, and I don't find this funny at all. Windows botnets are a fucking nuisance to EVERYONE. Running Mac OS X or Linux won't stop you receiving spam emails, or stop a website you need to use being DDoSed.

Apple knows when to give up (0, Troll)

jasonhamilton (673330) | more than 7 years ago | (#16527757)

Yes, at least Apple knows when to give up and use BSD.

I remember a friend who used to own a $12,000 apple computer (for advertising) and it was the biggest pile of crap ever.

This is also *good* because (1, Funny)

CatoNine (638960) | more than 7 years ago | (#16527529)

If this hacked Kaspersky removes all other malware from the infected system, the user only needs to run *one* other removal tool to end up with a clean system again. (OK, OK, for a while then...)

Says a lot about Kaspersky... (5, Interesting)

Arkan (24212) | more than 7 years ago | (#16527547)

... if virus authors are confident enough to use it as a means to eradicate competition! This guy put enough faith in this AV to use it as defense on a compromised system. It kind of implicitly confesses that, had the machine been protected by Kaspersky, it couldn't have been compromised.

Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.

--
Arkan, who doesn't care anyway, as long as you can't patch DLLs in-memory... on GNU/Linux

Re:Says a lot about Kaspersky... (2, Interesting)

DarthChris (960471) | more than 7 years ago | (#16527595)

Obligatory conspiracy theory: could it be a publicity stunt from Kaspersky themselves? Naaah, I'm certainly too paranoid.

Obligatory shooting down your conspiracy: if they did, they'd get the shit sued out of them. The only thing that saved Sony (during the rootkit fiasco) was their size as a corporation, and I presume Kaspersky don't have that.

I'm more interested in seeing what Kaspersky's official response to this is.

Mobsters do the same (5, Insightful)

Britz (170620) | more than 7 years ago | (#16527605)

When the mob kills people it is usually a rival gang. They want to be the only people milking their territory for good reasons.

Re:Mobsters do the same (1)

Antiocheian (859870) | more than 7 years ago | (#16528511)

Yes, but the problem with mobsters is that they have conflicting interests. Virii rarely do. I really don't think installing Kaspersky would be a very wise move from a mobster's point of view; Kaspersky could easily alter their update system in order to remove the installer virus too.

But in theory I agree.

Art imitates life (5, Interesting)

digitalhermit (113459) | more than 7 years ago | (#16527653)

In biology, we hear that it's generally not good to regularly use some types of anti-bacterial cleansers. After a while they start wiping out the good or innocuous types, leading to proliferation of the undesirable types. My lawn guy says the same thing about some types of weeds; apparently they keep other, larger and hardier weeds from getting a stronghold. It's funny that in the future this may be how viruses are combated in electronic devices.

Done before? (2, Interesting)

therufus (677843) | more than 7 years ago | (#16527697)

Wasn't there a variant on the blaster worm that uninstalled the original blaster worm and replaced it with a new variant?

I'm sure this has been done before.

Ah, yes. The Welchia [symantec.com] worm!

Boring. Next please...

Re:Done before? (2, Funny)

An ominous Cow art (320322) | more than 7 years ago | (#16528057)

Boring, eh? They're both vigilante attempts to fix the problem, but this one actually downloads and installs a pirated commercial AV software package. Significantly different from Welchia, and the first of its kind, as far as I know.

People have joked for years about releasing a worm that patches Windows systems by installing $LINUX_DISTRIBUTION; this thing just brings us one step closer :-).

Oh well then (2, Insightful)

0racle (667029) | more than 7 years ago | (#16527703)

Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.

Oh well, that's perfectly trustworthy, isn't it. I guess we can just leave this one alone, it won't do anything it shouldn't. Is everyone who is saying this is a good thing really that stupid?

funny wargames (3, Insightful)

Tom (822) | more than 7 years ago | (#16527793)

Funny how there's a war fought over who has control of a Windows PC - by multiple parties, none of which is the owner of said PC.

reminds me of some of my old ideas (3, Interesting)

Nyph2 (916653) | more than 7 years ago | (#16527921)

Heh, in 2001 I had this exact idea as part of my concept for a theoretical modular virus. Most of the things I envisioned in that concept have since been picked up by malware producers (for example, modular virii, multi-system virii, rootkits in a virus either as the main payload or to reinstall the payload (or a diff payload) after the system has been cleaned, to mention a few which have gone into use on some scale since I came up with my idea), but there were a few tricks my concept had that I've yet to hear about in the wild, so I won't go into any of those details for fear of giving anyone ideas. (I have never developed, nor do I ever intend to develop this concept into an actual program. I'm morally opposed to virii... I was just thinking of the things I would be afraid to see in virii, and how one would go about dealing with something using concepts like what I envisioned.)

It also reminds me of a sorta funny virus killer that was my precursor idea to the modular concept in 2000: a virus which uses the same 'sploit as a previous virus. The goal: download a removal package, the patch to the 'sploit you used to get in, and a package to temporarily host all of the packages. Once it does this, it simply removes the old virus, patches the system, and hosts the files for a brief period of time (prolly around a day, definitely no longer than a week... could also judge how long to host it off frequency of requests for the info) to allow the virus to P2P the files rather than place the load on a central server. Could also disable the network adapter for a period of time in there if needed to make sure it doesn't get reinfected during the removal/patching phases.

I decided against ever building such a virus-chaser because it's near as bad as the original virus. It's illegal, it could cause network congestion, and while it intends to do good, it's pretty immoral to install stuff on a system & patch it without the user's consent.

Still, a funny concept, similar in some ways to the malware this article discusses.

PS, I know the plural of virus is viruses. Virii is just fun to say tho.

Check out Microsoft's wrongdoing! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16527947)

That OS, it's so prone to viruses!
http://malfy.org/ [malfy.org]

Alternative Payload (1)

Geminii (954348) | more than 7 years ago | (#16527967)

Sure, spread by any vector possible, infect anything infectable, clean out any malware on the PC, and do two more things. 1) Sit there trying to infect everything else for a week, and - 2) Then blow away the PC's internet connection so thoroughly that it will have to be taken to a repair shop to fix - don't make it something even a half-competent ISP tech will be able to fix over the phone. Additionally, rig the boot screen to display the names of the vulnerabilities the PC exhibited and the malware which was previously on it, and have continual popups and desktop/homepage changes to "This PC is infected; please take it to a repair shop." This will have a number of results. Firstly, there may be malware on the PC which the payload or cracked detection engine will not pick up. Disconnecting the PC from the internet will prevent that malware from causing further problems in the meantime. Secondly, the PC will need to be taken to a repair shop or at least attended to by a competent techie, who will be able to read the list of vulnerabilities and malware and potentially make sure the PC is patched before being released back onto the net. The repairers are likely to install these patches if only so they don't see the PC's owner again next week when the PC dies from malware again. Of course, given that whoever wrote the above would not necessarily be a white knight, they might choose to do something other than simply disabling the net connection - like randomly frobbing the Windows registration key to trigger false WGA problems, or redirecting all web page requests to the Microsoft international contact phone number web page.

Folding At Home (0)

Anonymous Coward | more than 7 years ago | (#16528263)

I cannot wait until F@H viruses come out.

In Soviet Russia... (1)

y00tz (952744) | more than 7 years ago | (#16528401)

At first I thought the title was just one of those terrible 'in Soviet Russia...' jokes.

Great, get busted for having pirated software (2, Interesting)

Yahma (1004476) | more than 7 years ago | (#16528593)

Why not protect your computer in the first place and not have to worry about spyware and viruses? If you are on a Windows machine and you are browsing warez or other "not so legit" sites, you better protect yourself. You would be advised to use an Anonymous Proxy [blastproxy.com] to browse such sites, as you really don't want your IP address floating around in their logs when they get busted, do you?

Furthermore, a proxy such as the above would protect you from malicious scripts.

This is not new, it's been done back in 1997 (0)

Anonymous Coward | more than 7 years ago | (#16528623)

Back in the days of Netbus and Back Orifice, it was fairly common to find one, if not both, on someone's computer. I have first-hand knowledge of knowing how it spread... it spread through pirated antivirus software (McAfee mainly.) It patched the installer. And since Netbus had an override port and password, it was easy to hijack Netbus found on other machines and install the antivirus software with Back Orifice on it, or hacked Netbus, or whatever.

In a similar thought, I've also seen entire computer labs at colleges have "factory installed" antivirus, with no updates, and loaded with software to distribute warez, or seti@home, or what have you.

I'm pretty certain that people with those infected machines have since replaced them.