Miscreants have created a strain of malware capable of removing rootkits from compromised PCs, only to install almost undetectable backdoor code of its own.

The Pandex Trojan stops previously installed rootkits from working by removing their hooks into system calls. Pandex then installs its own rootkit component, detected by Trend Micro as Pushu-AC.

Virus writers have competed for control of vulnerable PCs several times in the past. For example, in 2005 separate groups of hackers released a barrage of worms in a battle to seize control of Windows PCs vulnerable to the then infamous Windows Plug-and-Play (PnP) vulnerability.

The Bozori worm was programmed to remove infections by earlier versions of the Zotob worm and other malware, so it could take control of a compromised computer for itself. A family of IRC bots that exploit the same Microsoft Plug and Play vulnerability likewise tried to remove competing PnP bots.

In early 2004, variants of the Netsky worm designed to remove Bagle and MyDoom infections from compromised PCs were released into the wild amid an ongoing war of words between rival VXers.

More recently, a turf war erupted between the creators of the Storm worm and rival gangs.

The Pandex Trojan updates this dishonourable tradition with code that replaces stealthier malware infections.

More background on the latest twist in the ongoing "virus writers at war" series can be found in an analysis by Trend Micro here. ®

Related stories

• Storm worm smackdown as researchers unpick control system (13 January 2009)
• Selfish worm targets month-old Windows flaw (26 November 2008)
• Storm botnet blows itself out (14 October 2008)
• Stealthy malware expands rootkit repertoire (30 September 2008)
• Open source release takes Linux rootkits mainstream (4 September 2008)
• Interview Trend Micro's CEO says 'AV industry sucks' (22 June 2008)
• Zango dismisses Storm Worm conspiracy theory (19 May 2008)
• Updated Rootkits on routers threat to be demoed (15 May 2008)
• Storm worm botnet turns into April shower (1 May 2008)
• Adware package tops malware charts for first time (6 March 2008)
• MayDay! MayDay! Ruskies reinvent cyber crime (13 February 2008)
• Fast flux foils botnet takedown (11 July 2007)
• Rival malware gangs wage turf war (1 July 2007)
• Worm War II (18 August 2005)
• Worm mocks convicted Sasser author (1 August 2005)
• War of the worms turns into war of words (3 March 2004)