Malware authors targeting rival malware is always an irony of sorts. The school of thought is that while a thief may lie, cheat and steal from everyone else in God’s creation, they would respect other thieves because they see each other as kin. Remember professional courtesy!! Sharks do not eat lawyers ;-). Malicious hackers battling for control over an infected system prefer to keep all the system resources for themselves, and there have been several instances in the past where malware authors turned upon each other’s creations. The two most famous ones were:

1. W32/Nachi, supposedly christened the good worm, targeted machines vulnerable to the Blaster worm, aka W32/Lovesan. Once installed on a vulnerable machine, this worm would terminate and delete instances of the Blaster worm. To prevent further compromise of the host machine, it would also download and install a patch for the MS03-026 vulnerability from the Microsoft website.

2. Netsky vs. Bagle wars: both virus writers regularly flamed each other and targeted the other’s creations with every newer variant. Bagle targeted Netsky-infected machines by spawning a mutex with the same name as the Netsky worm, as this terminated all previously running instances, while Netsky variants preferred deleting registry entries and killing processes to prevent automatic execution of Bagle and Mydoom variants.

In a most recent incident we got to see Spam-DComServ, alias the SpamThru trojan, which installs a pirated copy of an antivirus program to get rid of rival malware on the machine.

Quoting an excerpt from the analysis of this trojan by Joe Stewart at SecureWorks:

“SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.”

Seems “professional courtesy” is not something virus writers believe in. Spam-DComServ is yet another malware that does not like sharing its host machine with any other malware. It will be interesting to see whether any other malware will counterattack this act of Spam-DComServ.

Rest assured, we will most likely get to see more scenarios like the above where malware authors try to top each other and defeat one another’s malware. There truly is no honor among thieves!!