Advanced Version of Alureon Rootkit Circulating
Security investigators from GFI Labs caution that Alureon, aka Task Description Language (TDL), an advanced malicious program now circulating online in a revised version, is capable of compromising even 64-bit editions of Windows 7 and Vista.
Importantly, there is no other rootkit as sophisticated as TDL. Functioning like a backdoor, TDL enables the installation of keyloggers along with other malicious programs, and also keeps them updated on contaminated computers. Once installed, the rootkit cleverly escapes detection by the majority of anti-malware software.
Meanwhile, GFI researchers elaborate that the 64-bit Alureon version stops driver signing from being checked, even when the system starts up, and reroutes Application Programming Interface (API) calls so that it can evade the kernel patch safeguard called "PatchGuard."
Further, TDL writes a copy of itself onto the 'master boot record' (MBR) of the infected system's hard drive, and then modifies Windows, which is possible only after gaining administrator rights. Evidently, as Alureon proliferates through websites such as cracking and porn sites, it rarely finds it difficult to get the affected end-user to grant those rights through UAC, the researchers observe.
Fascinatingly, as the researchers emphasize, while copying itself onto the MBR the rootkit doesn't use the Windows API, which might be under the supervision of protective utilities; rather, it uses a command named IOCTL_SCSI_PASS_THROUGH_DIRECT to access the drive directly. Moreover, following a reboot, Alureon uses the check option and deactivates driver signature verification.
It also changes the existing startup options and diverts Windows' boot path to a different route, after which it loads the original rootkit driver into memory when the system starts up. Thereafter it makes further changes, such as attaching hooks to the SDT (Service Descriptor Table).
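Because the rootkit described above modifies the MBR, one defensive check is to compare the MBR's bootstrap code against a hash taken from a known-clean system. The following Python is an added example, not code from the article or from GFI Labs; the two 512-byte sectors and the baseline hash are constructed inline for illustration (on a live Windows system the sector would be read, read-only, from the raw physical drive).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bytes 0..445 hold the boot code
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511 on every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"bootstrap": sector[:BOOTSTRAP_LEN],
            "partitions": partitions,
            "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("invalid boot signature %s" % mbr["signature"].hex())
    digest = hashlib.sha256(mbr["bootstrap"]).hexdigest()
    if digest != baseline_sha256:
        findings.append("bootstrap code hash %s differs from baseline" % digest[:16])
    return findings


# Constructed sample data (not real boot code): a clean sector and one whose
# first 16 bootstrap bytes were overwritten, as a bootkit infection would do.
CLEAN_BOOTSTRAP = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOTSTRAP_LEN - 7))
PARTITION_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
CLEAN_MBR = CLEAN_BOOTSTRAP + PARTITION_ENTRY + b"\x00" * 48 + BOOT_SIGNATURE
INFECTED_MBR = b"\x90" * 16 + CLEAN_BOOTSTRAP[16:] + CLEAN_MBR[BOOTSTRAP_LEN:]
BASELINE = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()  # captured when clean

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```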
In the meantime, according to the experts, the Alureon versions that attack Microsoft machines began emerging during 2006, when they targeted 32-bit Windows. Describing the malware, Microsoft says that trojans of this kind let hackers tap inbound and outbound Internet traffic so they can collect usernames, passwords, payment card details, etc., or alternatively let attackers transfer malevolent content onto others' computers. InformationWeek.com published this on November 22, 2010.
» SPAMfighter News - 01-12-2010