TDSS Rootkit Acquires Mechanism to Propagate Automatically
According to security researcher Sergey Golovanov of Kaspersky Lab, the notorious TDSS rootkit is now equipped with a self-propagating mechanism that lets the malware reach new victims. Theregister.co.uk reported this on June 3, 2011.
Golovanov notes that the TDSS rootkit, also known as TDL4 and Alureon, keeps infecting more and more computers by using two different techniques.
The first infects removable drives with malware that runs whenever the drive is connected to a PC. Attackers have used this method for years, and other malware such as Conficker has used it too. TDSS does many things, but the only unusual detail here is its use of malicious files named pornmovs.lnk and myporno.avi.lnk.
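As an added illustration of how a defender might look for this removable-drive component, the following example (written for this article, not code from Kaspersky or the original report) scans a drive root for shortcut files that either match the two filenames reported above or masquerade as media files by carrying a double extension such as .avi.lnk. The media-extension list and the constructed temporary "drive" contents are assumptions for the demo, not data from the article.

```python
"""Flag shortcut (.lnk) files on a removable drive that masquerade as media files."""
import os
import tempfile

# Filenames reported for the TDSS removable-drive component (from the article).
KNOWN_BAD_LNK = {"pornmovs.lnk", "myporno.avi.lnk"}
# Assumed heuristic: a shortcut whose name ends in a media extension before .lnk
# (e.g. video.avi.lnk) is a lure designed to look like a media file.
MEDIA_EXTS = {".avi", ".mp4", ".mpg", ".wmv", ".jpg", ".mp3"}


def classify_lnk(name):
    """Return a reason string if the .lnk filename is suspicious, else None."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return None
    if lower in KNOWN_BAD_LNK:
        return "matches reported TDSS lure filename"
    stem, _ = os.path.splitext(lower)       # strip the trailing .lnk
    _, inner_ext = os.path.splitext(stem)   # e.g. ".avi" from "video.avi"
    if inner_ext in MEDIA_EXTS:
        return f"shortcut disguised as {inner_ext} media file"
    return None


def scan_drive_root(root):
    """Walk a drive root and return sorted [(relative_path, reason)] for suspicious shortcuts."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            reason = classify_lnk(f)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a constructed drive image in a temp directory and scan it (test data only)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ["myporno.avi.lnk", "holiday.mp4.lnk", "Report.docx", "Word.lnk"]:
            open(os.path.join(root, name), "w").close()
        return scan_drive_root(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

The filename heuristic is deliberately cheap so it can run from a removable-media insertion hook; it does not parse the shortcut's target, so a positive hit should be followed by inspecting the .lnk contents rather than treated as proof of infection.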
The second infection technique is not new either, but it is rarely seen. Golovanov states that the malware gathers information about the topology of the local network: whether a local Dynamic Host Configuration Protocol (DHCP) server is present and whether other PCs on the network are active.
If one is found, the malware carries out a man-in-the-middle attack, intercepting DHCP requests and answering them with forged configuration. The goal is to trick the target PC into using a Domain Name System (DNS) server that the attackers control.
Once this is achieved, as soon as the user tries to visit any web page, a fake warning is displayed prompting him to install a software update before proceeding. In reality this update is the rootkit's installer.
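The rogue-DHCP step described above leaves a concrete trace on the wire: a DHCP OFFER or ACK whose server identifier (option 54) or handed-out DNS servers (option 6) are not the ones the network administrator expects. The following example, added here and not taken from the article or Kaspersky's analysis, parses the DHCP option field of a raw BOOTP/DHCP reply and raises alerts when either value falls outside an allowlist. The allowlisted addresses and the packets built by build_dhcp are constructed for the demo; in practice the packets would come from a capture of UDP port 68 traffic.

```python
"""Detect rogue DHCP OFFER/ACK replies that hand out unexpected DNS servers."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 cookie that precedes the options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK = 1, 2, 5

# Assumed site policy: the only legitimate DHCP server and the DNS resolvers it may hand out.
KNOWN_DHCP_SERVERS = {"192.168.1.1"}
KNOWN_DNS_SERVERS = {"192.168.1.1", "192.168.1.2"}


def build_dhcp(msg_type, server_id, dns_servers, xid=0x3903F326):
    """Build a minimal BOOTP/DHCP reply (constructed test data, not a real capture)."""
    # op=2 (BOOTREPLY), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file: 236 fixed bytes in total.
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    opts += bytes([OPT_END])
    return header + MAGIC_COOKIE + opts


def parse_options(packet):
    """Return DHCP options as {code: value_bytes}; raise ValueError on malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def check_dhcp_reply(packet):
    """Return a list of alert strings for an OFFER/ACK; an empty list means it matches policy."""
    opts = parse_options(packet)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if msg_type not in (DHCP_OFFER, DHCP_ACK):
        return []  # only server replies can plant rogue settings on a client
    alerts = []
    server_id = str(ipaddress.ip_address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")))
    if server_id not in KNOWN_DHCP_SERVERS:
        alerts.append(f"unknown DHCP server identifier {server_id}")
    dns_raw = opts.get(OPT_DNS, b"")
    for off in range(0, len(dns_raw) - len(dns_raw) % 4, 4):
        dns = str(ipaddress.ip_address(dns_raw[off:off + 4]))
        if dns not in KNOWN_DNS_SERVERS:
            alerts.append(f"unexpected DNS server {dns} offered by {server_id}")
    return alerts


if __name__ == "__main__":
    good = build_dhcp(DHCP_OFFER, "192.168.1.1", ["192.168.1.1"])
    rogue = build_dhcp(DHCP_ACK, "192.168.1.77", ["203.0.113.9"])
    print("legitimate:", check_dhcp_reply(good) or "no alerts")
    print("rogue:", check_dhcp_reply(rogue))
```

A race like the one the article describes means the client may receive two OFFERs, one genuine and one forged; running this check on every reply seen on the segment, rather than only the one the client accepted, is what makes the rogue server visible. Switch-level DHCP snooping enforces the same allowlist at the port instead of after the fact.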
Golovanov concludes that the TDSS installer, Net-Worm.Win32.Rorpian, which is today an extremely sophisticated piece of malware, exploits the most vulnerable component of any PC: the end user. Softpedia.com reported this on June 3, 2011.
Meanwhile, in late 2010 TDSS managed to infect 64-bit versions of Microsoft Windows after evading the operating system's kernel-mode code-signing policy. According to Prevx, another security company, the rootkit could act as a backdoor for installing and updating keyloggers or other malicious programs on infected systems, and once loaded, most anti-malware software might be unable to detect it.
Related article: TDSS Rootkit Technologies Back
» SPAMfighter News - 14-06-2011