TDSS Rootkit Boasts Self-Propagating Mechanisms

Tuesday, June 07, 2011



Although there have been numerous patches released over the last two years to eliminate risks posed by TDSS rootkits, newer versions of the old foe keep surfacing faster than they can be mitigated.

Despite efforts to increase security in the most recent versions of Microsoft operating systems, they remain vulnerable to innovative bypass exploits.

Late in 2010 a version of the TDSS rootkit exploit known as TDL4 or Alureon - and sometimes referred to as a "bootkit" - was developed which could manifest as an infection in the master boot record of an infected PC by using kernal-level code.

TDL4 finds opportunity where Microsoft allows the use of unsigned drivers by manipulating which programs the operating system recognizes as being permissible to do so.

Analysis of the malware indicates the code involved is highly sophisticated, evidence that cyber criminals are willing to devote considerable resources to development when there is the opportunity to readily profit from the endeavor.

The latest version of the TDL4 loader identified by Kaspersky labs, called Net-Worm.Win32.Rorpian, is now equipped with self-propagating capabilities and can disseminate through removable media in a similar as many other malware strains.

"When propagating via removable media, the worm creates the files setup.lnk, myporno.avi.lnk, pornmovs.lnk and autorun.inf. These files contain a link to the file rundll32.exe whose parameters reference the worm’s DLL. This is a standard technique used in many malicious programs," writes Kasperky's Sergey Golovanov.

More uniquely, the new loader variant can also infect machines with the TDL4 through local area networks (LAN) by by creating a rfaux DHCP server and waiting for connected machines to request an IP address. The request triggers a DNS server to redirect the targeted machine to a malicious site for infection.

"To infect a computer, the worm checks if a DHSP server is used in the network. If the victim computer is located on a network using the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses. After that, the worm launches its own DHCP server and starts listening to the network," Golovanov writes.

"When a DHCP request from a computer in the local network arrives, the worm attempts to respond to it before the “official” DHCP server does, and species the following:"

  • An IP address from the pool of available IP addresses
  • The main gateway specified on the infected computer
  • The address of the malicious DNS server belonging to the cybercriminals After these manipulations, whenever the user tries to visit any web page, they will be redirected to the malicious server and prompted to update their web browser.

"The user will only be able to visit sites after agreeing to install an “update”. If the user agrees, they unwittingly download a variant of Net-Worm.Win32.Rorpian. After infecting the user’s computer, it changes the DNS settings into a Google server address and lets the user browse," Golovanov said.

There is no doubt that the latest incarnation of the TDL4 equipped with these self-propagating features will ensure that the threat from TDSS rootkit will remain relevant for some time to come.


Possibly Related Articles:
Viruses & Malware
Microsoft malware Rootkits Operating Systems Removable Media Headlines TDL4 Kaspersky LAN Self Propagation
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.