OSes

Notorious rootkit gets self-propagation powers

TDSS boasts new DHCP server

Dan Goodin Fri 3 Jun 2011 // 23:40 UTC

One of the most notorious rootkits has just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned.

A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher Sergey Golovanov wrote in a blog post published on Friday.

The first is by infecting removable media drives with a file that gets executed each time a computer connects to the device. The technique has been around for years and has been used by plenty of other computer worms, including the one known as Conficker. Other than using files with titles such as myporno.avi.lnk and pornmovs.lnk, there's nothing particularly unusual about the way TDSS goes about doing this.

The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.

“After these manipulations, whenever the user tries to visit any web page, s/he will be redirected to the malicious server and prompted to update his/her web browser,” Golovanov wrote. “The user will not be able to visit websites until sh/he agrees to install an 'update.'”

Late last year, TDSS acquired the ability to infect 64-bit versions of Microsoft Windows by bypassing the OS's kernel mode code signing policy. Researchers at security firm Prevx have said it's the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines, and once installed it's undetectable by most antimalware programs. ®

Similar topics

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Jessica Lyons Hardcastle Wed 15 Jun 2022 // 03:02 UTC

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Continue reading
Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Jessica Lyons Hardcastle Tue 14 Jun 2022 // 13:30 UTC

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.

Continue reading
Wi-Fi hotspots and Windows on Arm broken by Microsoft's latest patches

Only way to resolve is a rollback – but update included security fixes

Richard Speed Mon 20 Jun 2022 // 15:30 UTC

Updated Microsoft's latest set of Windows patches are causing problems for users.
Windows 10 and 11 are affected, with both experiencing similar issues (although the latter seems to be suffering a little more).
KB5014697, released on June 14 for Windows 11, addresses a number of issues, but the known issues list has also been growing. Some .NET Framework 3.5 apps might fail to open (if using Windows Communication Foundation or Windows Workflow component) and the Wi-Fi hotspot features appears broken.

Continue reading

Microsoft issues fix for Windows 11 Wi-Fi hotspots

Meanwhile, 'search highlights' will tell you 'what's special about each day'

Richard Speed Fri 24 Jun 2022 // 15:00 UTC

Microsoft has dropped a preview of its next batch of Windows fixes, slipping a resolution for broken Wi-Fi hotspots in among the goodies.
The release – KB5014668 for Windows 11 – addresses the Wi-Fi hotpot functionality broken in June's patch Tuesday alongside some less necessary features like "search highlights," which "present notable and interesting moments of what's special about each day."
KB5014697, which was released on June 14 for Windows 11, had a selection of issues. Some .NET Framework 3.5 apps might fail and connecting to a Windows device acting as a hotspot wouldn't always work. The only fix was to roll back the patch or disable the Wi-Fi hotspot feature.

Continue reading
Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Jessica Lyons Hardcastle Wed 22 Jun 2022 // 20:16 UTC

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.

Continue reading
Microsoft continues cyber security spending spree with Miburo buy

Brains to be added to the Customer Security and Trust in defense against 'foreign adversaries'

Richard Speed Wed 15 Jun 2022 // 15:30 UTC

Microsoft has opened its wallet once more to pick up New York-based cyber-threat analyst Miburo.
Founded by Clint Watts in 2011, Miburo is all about the detection of and response to foreign (in the context of the US) information operations. The team is to be folded into Microsoft's Customer Security and Trust organization and the work of its analysts is to be fed into the Windows giants' threat detection and analysis capabilities.
"Miburo," said Microsoft, "has become a leading expert in identification of foreign information operations." Its research teams have hunted out some nasty influence campaigns over 16 languages.

Continue reading

Microsoft pulls Windows 10/11 installation websites in Russia

Big Tech sanctions continue to roll in, Putin retaliates with counter sanctions

Laura Dobberstein Tue 21 Jun 2022 // 13:30 UTC

Microsoft has blocked the installation of Windows 10 and 11 in Russia from the company's official website, Russian state media reported on Sunday.
Users within the country confirmed that attempts to download Windows 10 resulted in a 404 error message.

Continue reading
Microsoft forgot to renew the certificate for its Windows Insider subdomain

Visitors to insider.windows.com met with safety warning - how reassuring

Thomas Claburn in San Francisco Fri 10 Jun 2022 // 19:31 UTC

Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program.
Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has now been fixed, and someone's no doubt getting an earful.
Browsers like Chrome, Firefox, and Safari will attempt to deter visitors from accessing the webpage, but will provide a link for those who ignore the warnings and persist on clicking through to advanced options.

Continue reading
Microsoft Defender goes cross-platform for the masses

Redmond's security brand extended to multiple devices without stomping on other solutions

Richard Speed Fri 17 Jun 2022 // 15:30 UTC

Microsoft is extending the Defender brand with a version aimed at families and individuals.
"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."
The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

Continue reading
Microsoft readies Windows Autopatch to free admins from dealing with its fixes

I got 99 problems but a patch ain't one? Well, that is the hope anyway

Richard Speed Fri 17 Jun 2022 // 14:30 UTC

If Windows Autopatch arrives in July as planned, some of you will be able to say goodbye to Patch Tuesday.
Windows Autopatch formed part of Microsoft's April announcements on updates to the company's Windows-in-the-cloud product. The tech was in public preview since May.
Aimed at enterprise users running Windows 10 and 11, Autopatch can, in theory, be used to replace the traditional Patch Tuesday to which administrators have become accustomed over the years. A small set of devices will get the patches first before Autopatch moves on to gradually larger sets, gated by checks to ensure that nothing breaks.

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs