Alureon Rootkit’s Latest Version uses Steganography Mechanism

Alureon the notorious rootkit with its sinister contamination tendency and stubborn attachment to a system post installation is causing real trouble for its victimized end-users. Not only that, it's a challenge too, security investigators have taken in detecting fresh versions as well as unraveling its fresh tricks and methods. In its latest hazard against computer systems, Alureon is utilizing steganography a mechanism for concealing configuration files so contaminated systems can be made up-to-date with fresh commands. Threatpost.com published this on September 26, 2011.

Reportedly, Alureon uses steganography for one particular version, which a PC-Trojan commonly downloads and subsequently plants onto the victim's system. There's one fresh task the malware performs i.e. downloading "com32" a module from a distantly running Internet site. This module, when decrypted, produces several URLs that the free-blogging websites WordPress and LiveJournal host.

Researchers at Microsoft studied the code carefully that's most essential to restoring the web-pages and found that there was a basic parsing of the HTML element with respect to particular IMG labels.

Thereafter, Alureon made an effort for restoring the JPGs after which it transmitted the crude or unarranged data as also an ASCII string having 61 characters to 'com32.' The overtly lengthy string markedly looked like a password.

Microsoft researcher Scott Molenkamp commented following further investigation that he managed to find an entire configuration file that was implanted on all the JPGs individually, while it utilized steganography. The file in a crucial part consisted of the command-and-control (C&C) servers list. There was also the revelation of the publicly-supported files' and folders' objective which was for providing idleness and protection from existing domains, which could get unobtainable. Meanwhile, during an instance of failed contact with any of the C&C servers, Alureon would attempt at restoring the latest configuration file present within the 'backup' locations, Molenkamp explained. Blogs.technet.com published this on September 25, 2011.

Conclusively according to security researchers, the above malware is detectable by almost all anti-virus programs therefore it's advisable that end-users have their virus definitions up-to-date along with an appropriately-configured firewall. Besides, they must be wary about suspicious e-mails, which could often be part to disseminating the infections.

Related article: Alarm Raise Over Vulnerability in Trend Micro’s anti-virus Tool

» SPAMfighter News - 10/5/2011