Saturday, October 21, 2006

The Trojan Chronicles...

Slashdot brought to my attention this morning news Trojan Installs Anti-Virus, Removes Other Malware.

From the original article at eweek:

At start-up, the Trojan requests and loads a DLL from the author's command-and-control server.

This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.

It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said.

Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation.

"Any other malware found on the system is then set up to be deleted by Windows at the next reboot," [veteran malware researcher Joe Stewart] added.

While vigilante malware is not a new concept anymore, this one was pretty original for use of a hacked anti-virus product.

And the purpose of this attention? Making the world and your pc a safer and cleaner place?

Nope. See it works out of concealed directory so you wouldn't know it is there.

It seems that it's motive is to remove any competing products that might bog down the system's resources and/or bandwidth. Then it is able to unleash it's payload: setup and delivery of a spam server. Clever!

Back in the heady-days when one malware application would attempt to uninstall another, malware writers were getting more clever, requiring users to key in some random key-string during an uninstall wizard run. This was done to ensure human-intervention was the cause of the removal, not another malware's automated attempt at a sniper hit. I was surprised the first time I encountered such a thing.

I recall all this because last week I spent close to four hours in a remote-connection session attempting to remove a rather sticky malware infection from a customer's workstation.

I have a general protocol I use to "sanitize" a pc, but it works better in person than in a remote connection. After two hours my policy is to just recover critical data, then wipe and reload the workstation's image fresh. Unfortunately, travel time would have meant the user would have waited many more additional hours for us to get a team-member out there. And we don't image workstations "over the wire".

So I battled on and battle on until I got it clean and running great, all except for one final malware program. It just wouldn't let me pull it off using any of the tools and trick I keep in my bag. No matter what I did, what processes I killed, what files I locked down "no access" it just kept coming to life.


Finally, in a final "Doh!" moment after an hour or more spent on trying to remove just this final program, I went and checked for it in the "Add/Remove Programs" list.

There it was. I ran the uninstaller, entered one of those "type the following key into the field" to validate the uninstall.

It was gone. All because I had skipped a first-step of "cleanly" uninstalling any "forigen" software application installation found on our systems first.

I guess sometimes you just have to say "Please" before you whip out the brass knuckles.


No comments: