Enterprise Application Whitelisting


SpamThru Trojan Installs Its Own AV Scanner

Posted by Todd Brennan on Wed, Nov 01, 2006
  
  
  
  
Like malware researcher Joe Stewart, I also thought I had seen it all, until I saw this article on the SpamThru trojan. It describes a trojan that bundles and installs its own AV scanner. Why would a trojan want to do that? The reason is that by blocking other malware, SpamThru is trying to keep all the computer resources to itself. This is malware using anti-malware to dominate both the OS and the malware competitors. Since trojan installations are highly profitable, and in some cases technically legal, more resources can mean many more thousands of dollars that are "legally" earned. I don't know whether SpamThru is polymorphic or not. In other words, I don't know if it evades signature-based defenses by encrypting itself. But in any event, an effective graylist application control system can stop trojans from installing in the first place.
