Notorious rootkit, TDSS (also goes by the names Alureon and TDL4) gets self-propagation powersPosted: June 7, 2011 10:38 am
By: InfoSec News - Information Security
Notorious rootkit, TDSS (also goes by the names Alureon and TDL4) gets self-propagation powers
Alert Print Post commentRetweetFacebookTDSS boasts new DHCP server
By Dan Goodin | 3rd June 2011 23:40 GMT
One of the most notorious rootkits has just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned.
A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher Sergey Golovanov wrote in a blog post published on Friday.
The first is by infecting removable media drives with a file that gets executed each time a computer connects to the device. The technique has been around for years and has been used by plenty of other computer worms, including the one known as Conficker. Other than using files with titles such as myporno.avi.lnk and pornmovs.lnk, there’s nothing particularly unusual about the way TDSS goes about doing this.
The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.
Research: Robert Cazares