NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0416 Malware Removes Rival Rootkits:
Computer virus writers have created a strain of malware capable of removing rootkits from
compromised PCs, only to install an almost undetectable backdoor of their own. The
Pandex Trojan stops previously installed rootkits from working by removing their hooks into
the system. Pandex then installs its own rootkit component, detected by Trend Micro as Pushu-AC.
By operating below the level of traditional malware scanning tools, rootkits are able to
carry out covert functions, for example keystroke-logging, without detection. Virus writers
have competed for control of vulnerable PCs several times in the past.
In 2005, various hackers released a barrage of worms in a battle to seize control of Windows
PCs vulnerable to the then-infamous Windows Plug-and-Play (PnP) vulnerability.
The Bozori worm was programmed to remove infections by earlier versions of the Zotob worm
and other malware, enabling it to take control of a compromised computer for itself.
A family of IRC bots that exploit the same Microsoft Plug-and-Play vulnerability likewise
tried to remove competing PnP bots.
In 2004, variants of the Netsky worm - designed to remove Bagle and MyDoom infections from
compromised PCs - were released amid an ongoing war of words between rival VXers.
A turf war recently erupted between the creators of the Storm Worm and rival gangs.
(channelregister.co.uk 28FEB08)