One of the most notorious rootkits just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned.
A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, said Kaspersky Lab researcher Sergey Golovanov in a blog post.
The first method infects removable media drives with a file that executes each time a computer connects to the device. The technique has been around for years and other computer worms, including Conficker, have used it. Other than using files with titles such as myporno.avi.lnk and pornmovs.lnk, there’s nothing particularly unusual about the way TDSS goes about doing this.
The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.
“After these manipulations, whenever the user tries to visit any web page, s/he will be redirected to the malicious server and prompted to update his/her web browser,” Golovanov said. “The user will not be able to visit websites until she/he agrees to install an ‘update.’”
Late last year, TDSS acquired the ability to infect 64-bit versions of Microsoft Windows by bypassing the OS’s kernel mode code signing policy. Researchers at security firm Prevx have said it’s the most advanced rootkit ever seen in the wild. It acts as a backdoor to install and update keyloggers and other types of malware on infected machines, and once installed it’s undetectable by most antimalware programs.