One of the most notorious rootkits has just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned.
A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher Sergey Golovanov wrote in a blog post published on Friday.
The first is by infecting removable media drives with a file that gets executed each time a computer connects to the device. The technique has been around for years and has been used by plenty of other computer worms, including the one known as Conficker. Other than using files with titles such as myporno.avi.lnk and pornmovs.lnk, there's nothing particularly unusual about the way TDSS goes about doing this.
The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.
“After these manipulations, whenever the user tries to visit any web page, s/he will be redirected to the malicious server and prompted to update his/her web browser,” Golovanov wrote. “The user will not be able to visit websites until sh/he agrees to install an 'update.'”
Late last year, TDSS acquired the ability to infect 64-bit versions of Microsoft Windows by bypassing the OS's kernel mode code signing policy. Researchers at security firm Prevx have said it's the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines, and once installed it's undetectable by most antimalware programs. ®
Similar topics
Broader topics
Narrower topics
- Authentication
- Azure
- Bing
- Black Hat
- BSoD
- Common Vulnerability Scoring System
- Cybercrime
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- DDoS
- Digital certificate
- Encryption
- Excel
- Exploit
- Firewall
- Hacker
- Hacking
- Identity Theft
- Infosec
- Internet Explorer
- Kenna Security
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- NCSC
- .NET
- Office 365
- Outlook
- Palo Alto Networks
- Password
- Patch Tuesday
- Phishing
- Pluton
- Ransomware
- REvil
- SharePoint
- Skype
- Spamming
- Spyware
- SQL Server
- Surveillance
- TLS
- Trojan
- Trusted Platform Module
- Visual Studio
- Visual Studio Code
- Wannacry
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox
- Xbox 360
- Y2K
- Zero Day Initiative
- Zero trust