Novel Version of Alureon Malware Identified
A new variant of the Alureon Trojan (also known as TDSS, TDL and Tidserv) has recently been identified by Microsoft researchers, as reported by HELP NET SECURITY on May 17, 2011.
The Alureon Trojan has been in circulation since 2007. Its main purpose is to let the criminal intercept the infected machine's inbound and outbound Internet traffic in order to harvest private information such as login credentials and credit/debit card details, and to load additional malware onto the compromised machine.
Alureon is a well-known and frequently studied malware family, and some of its variants have rootkit capabilities. The latest version displays behaviour that researchers had not observed before, which makes it harder for anti-malware software to detect and harder for analysts to take apart.
Over time the Alureon family has been modified to gain rootkit capabilities and has used numerous tactics to stay hidden from both the PC's user and AV products.
Microsoft took apart the latest version of Alureon and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.
As Dennis Fisher reported at Threat Post on May 16, 2011, the Microsoft researchers noticed that a particular set of files took much longer than others to exhibit malicious behaviour. They started investigating the cause and found a link to the past: at this point the malware was using a Win32/Crypto-style decryption routine to evade anti-virus products.
The decryption routine keeps a record of every key it has already tried so that it never reuses one, which would otherwise let it run for an extraordinarily long time on the victim's computer. As a result, the function makes at most 255 attempts before it finds the right key. The magic value used in the final decryption step is recovered beforehand from the header of the encrypted file.
That is not the only obfuscation and evasion tactic the new variant uses, however. It also scatters the encrypted data across the code, data and resource sections, further hindering static recovery of the encrypted file.
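The self-decryption loop described above, as an added example that is not part of the original article and not Alureon's own code. It assumes a constructed sample layout: a 4-byte check value stored in clear in the header, followed by a body XOR-encrypted with one unknown byte whose first four bytes repeat the check value. The names, the check value and the toy XOR cipher are all assumptions made for illustration; the real file format and magic value are not given on the page. The loop picks candidate keys, records the ones already tried so none is retried, and stops as soon as the decrypted check value matches the header, which bounds it to 255 attempts and explains both the delay the researchers saw and why a corrupted header makes it spin through every key.

```python
import random
import struct
from typing import Optional, Tuple

# Sample layout assumed for this example (not the real Alureon format):
#   bytes 0..3   check value ("magic"), stored in clear in the header
#   bytes 4..    body, XOR-encrypted with one unknown byte; the body's own
#                first four bytes repeat the check value so a candidate key
#                can be verified without decrypting everything
HEADER_FMT = "<I"
HEADER_LEN = struct.calcsize(HEADER_FMT)
CHECK_VALUE = 0x1234ABCD  # arbitrary constructed marker, not a real Alureon value
MAX_ATTEMPTS = 255        # keys 1..255; key 0 would leave the data unchanged


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the toy symmetric cipher used here)."""
    return bytes(b ^ key for b in data)


def build_sample(plaintext: bytes, key: int) -> bytes:
    """Constructed encrypted sample: clear check value, then XOR-encrypted body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be in 1..255")
    header = struct.pack(HEADER_FMT, CHECK_VALUE)
    return header + xor_bytes(header + plaintext, key)


def brute_force_key(blob: bytes,
                    rng: Optional[random.Random] = None) -> Tuple[Optional[int], int]:
    """Recover the key the way the article describes the malware doing it.

    Candidate keys are drawn at random, every key already tried is remembered
    so it is never retried, and the loop stops as soon as the decrypted check
    value matches the one read from the header. Returns (key or None, attempts).
    """
    rng = rng if rng is not None else random.Random()
    check = struct.unpack_from(HEADER_FMT, blob, 0)[0]   # magic from the header
    body = blob[HEADER_LEN:]
    tried = set()
    while len(tried) < MAX_ATTEMPTS:
        key = rng.randrange(1, 256)
        if key in tried:          # the bookkeeping that bounds the loop to 255 tries
            continue
        tried.add(key)
        candidate = struct.unpack_from(HEADER_FMT, xor_bytes(body[:HEADER_LEN], key), 0)[0]
        if candidate == check:
            return key, len(tried)
    return None, len(tried)       # every key tried, nothing matched the header


def decrypt_sample(blob: bytes) -> Optional[bytes]:
    """Full recovery of the plaintext, or None if no single-byte key fits."""
    key, _ = brute_force_key(blob)
    if key is None:
        return None
    return xor_bytes(blob[HEADER_LEN:], key)[HEADER_LEN:]


if __name__ == "__main__":
    sample = build_sample(b"constructed payload standing in for the encrypted component", 0x7F)
    key, attempts = brute_force_key(sample)
    print(f"key=0x{key:02x} after {attempts} attempts")
    print(decrypt_sample(sample))
```

Because the check value is stored in clear, an analyst can run the same loop offline over a dumped blob and recover the key in at most 255 XOR operations on four bytes; the cost the malware pays is only the wall-clock delay of trying keys one at a time. Note that a one-byte XOR key is the assumption here; the article does not state the real key length or cipher.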
» SPAMfighter News - 26-05-2011