New TDSS rootkit infects 4.5 million PCs in 3 months, targets rival malware

New TDSS rootkit infects 4.5 million PCs in 3 months, targets rival malware
TDL-4 rootkit is another major upgrade to notorious TDSS family.

The TDSS rootkit family (also known as Alureon or TDL) is something of an admired worst enemy of security researchers and vendors of anti-virus products. They hide deep in the Windows operating system, using and manipulating low-level instructions to avoid detection by anti-virus suites, and using encryption to protect their communications with command and control servers.



The latest TDL-4 version of the family is used (like the others) as a stealth backdoor installer of malware, and it has some huge advantages over its predecessors. It can infect 64-bit versions of Windows now by bypassing the Windows kernel mode code signing policy, and it creates ad-hoc DHCP servers on networks giving it new propagation powers.

Another major step forward for the malware is the ability to use the Kademlia P2P network for communications. This helps to keep the rootkit stay alive if legal action in the real-world takes down command and control servers.

TDL-4 is also protective of its control over an infected PC, and does not want to share power. It has its own built in anti-malware abilities, finding and killing ZeuS, Gbot and Optima malware infestations on systems it compromises. It even blacklists addresses of command and control servers used by rival malware.

According to research from Kaspersky Labs, the formidable rootkit compromised 4.5 million PCs in the first three months of the year. Almost a third of those computers were in the United States, the most profitable targets.

Written by: James Delahunty @ 30 Jun 2011 1:12
Tags
Kaspersky TDSS
Advertisement - News comments available below the ad
  • 35 comments

  • hikaricor

    Yall are dumb, yall are so dumb.

    30.6.2011 01:39 #1

  • ROMaster2

    Unless it uses only the most frequently used commands, not the ones just sitting there to be exploited, it'll still get to my computer and just sit there unable to do anything.

    30.6.2011 01:40 #2

  • KillerBug

    Don't you love windows? It blocks me from installing drivers, and lets non-user processes to do whatever they like.

    Then again, this does clean more viruses than any of the M$ security suites...maybe they want it.

    http://killerbug666.wordpress.com/

    30.6.2011 05:44 #3

  • 21Q

    That's pretty intense. I guess at that point you just have to reinstall.

    If you want a nice icon for your iPhone for afterdawn click on the link below. There is a two second delay before the redirect so act fast! http://www.freewebs.com/21qz/afterdawn.html

    Also Check Out My "Pc In An Xbox" Mod. There's a whole Pc inside of it! http://s84.photobucket.com/albums/k6/21q2/Xbox%20Pc/?start=0

    30.6.2011 11:32 #4

  • Dela

    Originally posted by KillerBug: Don't you love windows? It blocks me from installing drivers, and lets non-user processes to do whatever they like.

    Then again, this does clean more viruses than any of the M$ security suites...maybe they want it.     These rootkits are installed by users with administrative privileges who are duped into installing them. Take a look at MacDefender, it did exactly the same thing. The big difference is the investment dollars for black hat software production aren't geared toward non-Windows systems. Not because Windows is less secure, it has more non-tech-savvy users and it dominates the PC market. If the same millions upon millions of dollars targeted Linux or Mac, you'd see the same results.


    30.6.2011 11:51 #5

  • Jeffrey_P

    How do y'all get viruses?
    If you don't visit suspect porn sites, update def files once a day there should really be almost zero problems. You are your own worst enemy.

    KB, Win7 has never stopped me from installing drivers or have had an access problem.
    Again, most of the problems are the users fault. Not saying it's you. maybe you are running the Virus Vista on your computer?
    Jeff

    30.6.2011 12:02 #6

  • hearme0

    Loser virus writing a**holes! Wastes of life and nothing but a drain on society.........just like rampant piraters that NEVER give ANYTHING back.

    30.6.2011 12:07 #7

  • Dardandec

    Originally posted by Jeffrey_P: How do y'all get viruses?
    If you don't visit suspect porn sites, update def files once a day there should really be almost zero problems. You are your own worst enemy.

    KB, Win7 has never stopped me from installing drivers or have had an access problem.
    Again, most of the problems are the users fault. Not saying it's you. maybe you are running the Virus Vista on your computer?
    Jeff     Well said JP

    30.6.2011 14:05 #8

  • dali

    Jeffrey_P: If there is a security hole in the OS that can be used to gain administrative privileges via a random port, and you are connected directly to the network with a public IP address, or NATed behind an also vulnerable firewall with open ports, you can be infected with malware that comes out today exploiting that hole. Or, even better, you get an e-Mail which exploits an Outlook flaw, even if you don't open any attachment.

    So, let's say you notice it tomorrow, and you submit it immediately to your AV server, they create a vaccine in another 24 hours. Your internet neighbourhood, even if using your choice of AV, and updating defs once a day just like yourself, has been exposed for over three days, even if they didn't download any porn. It's not that simple. I tell you, and I'm a PARANOID administrator which caught a pretty bad nobodykit once on an up-to-date Debian server which had settled there by exploiting a flaw in Exim4. Not kidding. Cleaning it was really painful; it took me a whole afternoon, and, I insist, I'm a Linux admin with many years of experience.

    The thing is, of course, that they are all a bunch of motherf*ckers which could use their knowledge for something useful, but, I must say it again, shame on humans. :(

    “You know, it seems that quotes on the internet are becoming less and less reliable.” -Abraham Lincoln.

    30.6.2011 18:40 #9

  • Jeffrey_P

    Originally posted by dali: Jeffrey_P: If there is a security hole in the OS that can be used to gain administrative privileges via a random port, and you are connected directly to the network with a public IP address, or NATed behind an also vulnerable firewall with open ports, you can be infected with malware that comes out today exploiting that hole. Or, even better, you get an e-Mail which exploits an Outlook flaw, even if you don't open any attachment.

    So, let's say you notice it tomorrow, and you submit it immediately to your AV server, they create a vaccine in another 24 hours. Your internet neighbourhood, even if using your choice of AV, and updating defs once a day just like yourself, has been exposed for over three days, even if they didn't download any porn. It's not that simple. I tell you, and I'm a PARANOID administrator which caught a pretty bad nobodykit once on an up-to-date Debian server which had settled there by exploiting a flaw in Exim4. Not kidding. Cleaning it was really painful; it took me a whole afternoon, and, I insist, I'm a Linux admin with many years of experience.

    The thing is, of course, that they are all a bunch of motherf*ckers which could use their knowledge for something useful, but, I must say it again, shame on humans. :(     Thanks for info on privileges.
    I don't use Outlook in favor of Thunderbird.
    Truth is, I don't use M$ for anything except for the OS and OS updates which seems to show up every Thursday.

    That's what get we for an OS with the highest user base. Something Mac owners are now finding out because of Apples market share.

    I run Puppy Linux a lot of the time. Finally a linux OS that Joe Sixpack can use.
    Hell, I remember using Unix. Old as dirt by today's standard.

    Also I run auto racing games under Windows. I'm not sure that Wine will run them but it's not worth the time trying to do a setup.
    Jeff

    Cars, Guitars & Radiation.

    30.6.2011 19:06 #10

  • Pop_Smith

    Originally posted by hearme0: Loser virus writing a**holes! Wastes of life and nothing but a drain on society.........just like rampant piraters that NEVER give ANYTHING back. Usually for people who write viruses this complex are in it for the (large sum of) money. While the writers can and, occasionally, do get caught most of the time security researchers (etc.) just try to take down the C&C centers the bot uses.

    As for this new virus/rootkit, by using a P2P network for its communications the virus writers have made this virus that much harder to shut down.

    http://www.megavideo.com/?v=V1VZAD0O <-- Brian Regan "Take Luck" video.

    "The only people who should buy Monster cable are people who light cigars with Benjamins." - Gizmodo

    30.6.2011 19:52 #11

  • Jeffrey_P

    Do you mean DOS? Except for a very few games they will not run.
    Besides all the hoopla you have to go through with all the condoms Game distributors use... Just not worth it.
    The Amiga was a different story. The OS had a GUI + a CLI (Command line interface)
    Perfect hackers machine.

    I have to admit buddies would trade software when 9600 Baud modems ruled.
    I regret doing it and probably was one of the death knell for the Amiga. Unlike today where $$$$$ are made.
    Jeff

    Cars, Guitars & Radiation.

    30.6.2011 21:45 #12

  • ck5134

    Originally posted by Jeffrey_P: Do you mean DOS? Except for a very few games they will not run.
    Besides all the hoopla you have to go through with all the condoms Game distributors use... Just not worth it.
    The Amiga was a different story. The OS had a GUI + a CLI (Command line interface)
    Perfect hackers machine.

    I have to admit buddies would trade software when 9600 Baud modems ruled.
    I regret doing it and probably was one of the death knell for the Amiga. Unlike today where $$$$$ are made.
    Jeff
    The Amiga Isn't quite dead yet, still development ongoing. still have my a1200 in my studio :) cant beat a bit of 8 / 14 bit emulated vocals :)

    1.7.2011 10:07 #13

  • Jeffrey_P

    Almost forgot about the 1200. Had one of those also.
    The main reason I had to go PC is because developers jumped ship. Can you blame them? A bud from SLAC wrote communication software. It is a published document that can still be found on the SLAC/pub website. He dumped the Amiga and started work on BeOs apps;) He was the largest proponent for the Amiga you could ever meet.
    No software, no customers.
    I use a TASCAM 2488 for recording.
    Jeff

    Cars, Guitars & Radiation.

    1.7.2011 10:22 #14

  • ToadWiz

    Originally posted by Jeffrey_P: How do y'all get viruses?
    If you don't visit suspect porn sites, update def files once a day there should really be almost zero problems. You are your own worst enemy.
    Jeff     I think you ought to look at this article: http://www.eweek.com/c/a/Security/11-Internet-Security-Myths-That-Delude-Computer-Users-114208/?kc=EWKNLNAV06292011STR1

    Fact: Most malware comes from rogue "normal looking" websites or compromised legitimate sites.

    Your viewpoint is the common misconception, not that I recommend surfing porn sites.

    There's no justice; there's just us.

    1.7.2011 11:55 #15

  • ck5134

    I do most of mine computer based now with control surfaces, still have a roland vs880 tucked away as well as old tascam 4 tracks :))

    Ah for the simplicity of the old octamed, soundstudio on pc is ok but hasnt got the feel

    1.7.2011 12:05 #16

  • Jeffrey_P

    Originally posted by ToadWiz: Originally posted by Jeffrey_P: How do y'all get viruses?
    If you don't visit suspect porn sites, update def files once a day there should really be almost zero problems. You are your own worst enemy.
    Jeff     I think you ought to look at this article: http://www.eweek.com/c/a/Security/11-Internet-Security-Myths-That-Delude-Computer-Users-114208/?kc=EWKNLNAV06292011STR1

    Fact: Most malware comes from rogue "normal looking" websites or compromised legitimate sites.

    Your viewpoint is the common misconception, not that I recommend surfing porn sites.     Are you stalking me?
    Did you read my post or just pinpoint what raises your interest?
    You are preaching to the choir.
    Jeff

    Cars, Guitars & Radiation.

    1.7.2011 12:09 #17

  • ToadWiz

    Trust me, you aren't important enough to stalk. I am just aware of the MISCONCEPTION that adult web sites are the major distributor of infections, and it doesn't serve the community to confirm that myth.

    There's no justice; there's just us.

    1.7.2011 13:04 #18

  • Jeffrey_P

    What's with the nic? Do you have warts?
    Jeff

    1.7.2011 13:32 #19

  • ToadWiz

    Toad was my nic from school ... more than 40 years ago. Unfortunately, someone beat me to it, so I had to mod it a bit. No warts.

    There's no justice; there's just us.

    1.7.2011 13:38 #20

  • Jeffrey_P

    Ok man understood.
    Are you Hammer Head?
    Jeff

    1.7.2011 13:48 #21

  • FredBun

    I have seen many of my friends and neighbors get infections who never visit porn sites, and most porn sites who are huge money makers believe it or do a pretty good job at policing themselves, they are not stupid.

    Sure you will get adware and spyware and all kinds of bloaded crap from them, but viruses? not that often, actually rare.

    2.7.2011 02:25 #22

  • earache

    so, i have kaspersky installed, and consider myself knowledgeable but with this article i fail to see the point? it just puts the frighteners up you for no apparent reason, with no apparent remedy.i also cannot believe that this type of virus just downloads and installs itself without me knowing. enlighten me on this one as i have a well old dell with 500mb ram and 40gig hard drive and the original graphics card. in other words, you can't get slower than this, so i would notice an extra spider game being run let alone a malicious virus being fitted,

    heinekabimbam

    2.7.2011 08:03 #23

  • ToadWiz

    Originally posted by Jeffrey_P: Ok man understood.
    Are you Hammer Head?
    Jeff     Is this some kind of insult? I don't know what or who Hammer Head is.

    There's no justice; there's just us.

    2.7.2011 09:15 #24

  • Jeffrey_P

    No there is another thread where I insulted you. You do know how to use the search function do you not?
    Newbie eh?
    Shit disturber sums it up better.

    2.7.2011 09:24 #25

  • ToadWiz

    Originally posted by earache: so, i have kaspersky installed, and consider myself knowledgeable but with this article i fail to see the point? Earache, the link I posted above busts some of the myths that have been going around. Perhaps not so much myths as just the way it was 10 years or more ago. The malware scene, except for script kiddies and 56 year-old dweebs living in their mother's basement, is highly organized. Bot herders get paid up to $2 per machine in their herd, and those are used for sending spam, transferring pirated software, participating in network attacks (like DDOS), and stealing personal information for ID theft.

    No matter what else you personally care about, being aware that your identity is a commodity that is highly sought after is worth knowing. I've been a victim of ID theft twice, and I'm quite competent at computer security. I'm a Linux/Unix system administrator for a government contractor.

    The point of the original article is to be aware. Perhaps you don't have the skill to defeat every hacker out there - I don't. But I can be aware they they would like to hack my machines and steal my identity, my money from my bank accounts, proprietary information (assuming I was actually stupid enough to store it on my personal computer), and so on.

    Consider the situation like Tombstone, Arizona, circa 1881. You don't have to be a gunfighter to walk the streets, but it doesn't hurt to be aware of gunfighters and defend yourself as best you can.

    There's no justice; there's just us.

    2.7.2011 09:32 #26

  • ToadWiz

    Originally posted by Jeffrey_P: No there is another thread where I insulted you. You do know how to use the search function do you not?
    Newbie eh?
    Shit disturber sums it up better.     Yes, I agree with that. A lot of what you personally put out is SHIT, and I have no problem with correcting it for you.

    Yes, I know how to use the search function, but that assumes I find your posts interesting enough to be worth searching for whatever crap you are spewing.

    As far as whether I'm a newbie or not, I think the relative quality of our posts says everything that needs to be said.

    There's no justice; there's just us.

    2.7.2011 09:36 #27

  • Jeffrey_P

    "There's no justice; there's just us."
    You are quoting Richard Pryor. Give credit where credit is due.

    Did you take the, "How American are you" test?
    I answered all 20 questions correctly. A little crazy since most people do not take very much American history these days.
    Here:http://www.azcentral.com/news/articles/2011/06/27/20110627history-quiz-July-4-slideshow-prog.html
    See ya!
    Jeff

    2.7.2011 09:52 #28

  • ToadWiz

    Originally posted by Jeffrey_P: "There's no justice; there's just us."
    You are quoting Richard Pryor. Give credit where credit is due.

    Did you take the, "How American are you" test?
    I answered all 20 questions correctly. A little crazy since most people do not take very much American history these days.
    Here:http://www.azcentral.com/news/articles/2011/06/27/20110627history-quiz-July-4-slideshow-prog.html
    See ya!
    Jeff     Jeffie, you need to get a better search engine. The ORIGINAL quote is from 3000AD magazine and appeared about 40 years ago.

    Ordinarily I wouldn't, but just for the humor ... 20 out of 20. Rarely have I seen a simpler test. Must be dumbed down for modern society ... including people who think that math that doesn't agree with their political viewpoint is clearly in error.

    There's no justice; there's just us.

    2.7.2011 10:23 #29

  • Jeffrey_P

    I did not use a search engine. I do remember Pryor saying that quote. Guess you had to use a search engine for a frame of reference.

    The point of the test was to test your basic knowledge of American history.
    I doubt many people could pass it without reviewing things first.
    You seem to read into things that aren't there Toadwizy.
    Jeff

    2.7.2011 10:42 #30

  • ithjay (unverified)

    jeff and toad, you guys are funny. you should develop a blog where you two just argue back and forth intellectually XD

    2.7.2011 12:13 #31

  • Jeffrey_P

    You are right.. Actually I'm done with him. It is a little funny and amusing.
    You can't argue with a brick wall.
    Jeff

    2.7.2011 12:23 #32

  • ToadWiz

    Originally posted by ithjay: jeff and toad, you guys are funny. you should develop a blog where you two just argue back and forth intellectually XD Appreciate the thought, but only half of the argument would be intellectual.

    There's no justice; there's just us.

    2.7.2011 12:40 #33

  • ToadWiz

    Originally posted by Jeffrey_P: You are right.. Actually Im done with him. It is a little funny and amusing.
    You cant argue with a brick wall.
    Jeff
    Buddha once sat in front of a brick wall and came away enlightened ... but then I'm not Buddha, and Buddha might have committed suicide if he sat in front of you. Fortunately, it was amusing, or I wouldn't have had so much fun doing it.

    There's no justice; there's just us.

    2.7.2011 12:46 #34

  • robertmro

    THE SKY'S FALLING!
    THE SKY'S FALLING!

    WE'RE ALL DOOMED!

    It's probably spread by this site.

    2.7.2011 16:28 #35

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud