Rootkits fight for control of compromised PCs

Increasingly, malware authors target rivals to keep compromised systems completely under their control.

In one interesting case, reported by The Register, an author of the TDL 3 rootkit decided to make some extra cash by selling the source code of the rootkit. The Russian developer sold the source of one version of the rootkit, while keeping another.

From the rootkit source sale, another called ZeroAccess allegedly rose, with added ClickFraud modules. A second ZeroAccess rootkit also added the ability to target and remove the TDL 3 rootkit using a specific module called anti-TDL.

"The original author of the TDL3 rootkit made two versions of TDL3. He kept the second version of the rootkit code for himself and sold the first version to the guys behind ZeroAccess," Jacques Erasmus of Webroot told The Register.

"TDL3 Authors sold a version of TDL3 sourcecode to ZeroAccess authors. Now ZeroAccess guys are double crossing the TDL3 author by uninstalling the TDL rootkit."

Such measures are becoming more common. TDL-4, which received considerable media attention recently, has the built in ability to remove a host of rival malware, such as ZeuS.

Written by: James Delahunty @ 10 Aug 2011 18:49

s_c47

Uh oh. This can't be good.

Someone told me once that theres a right and wrong, and that punishment would come to those
who dare to cross the line.
But it must not be true for jerk-offs like you.
Maybe it takes longer to catch a total a__hole.

16.8.2011 12:08 #1

Mez

s_c47, why, unless you make root kits. If you have someone in control, why do you care which hacker has control of your computer or someone elses?

17.8.2011 16:10 #2

s_c47

I don't. But someone selling their rootkits to other people is bad news. Do I really have to explain this to you?

18.8.2011 00:05 #3

Mez

Maybe I have become callus that it is common for computers to be attacked with root kits or some other even more insidious method of attack. I say insidious because there is a wide array of root-kit detectors, while some bot nets use new nearly undetectable methods. I now have a spare C: squeaky clean loaded with a dozen or so malware detectors that I can use when I suspect foul play but nothing turns up in scans. Because these attacks are �business as usual�, I browse from a sandboxed browser so any virus attack will be contained inside the sand box. If I suspect foul play the sandbox is deleted. Those Spanish guys that ran a 6 figure bot net had no technical expertise. They just picked up what they needed on several hacker sites and used the tools very effectively.

AD put out an article stating about 80% of the new malware can download files of its choosing. I think you are a bit na�ve thinking computing is much safer than it really is.

18.8.2011 10:18 #4

s_c47

Originally posted by Mez: I think you are a bit na�ve thinking computing is much safer than it really is. I never said anything of the like. I can't think of a good analogy for you, but you have a rootkit author selling the source code of one to another rootkit/malware 'company'! This isn't good for anyone.

And yes, I do care 'who has control of my computer'....me! I don't want any of this ish on my computer. But as you pointed out, I may not have a choice. But I have had no problems thus far.

I think you need to go back and reread the article. I think you got confused along the way.

18.8.2011 12:21 #5

Mez

If you were paying attention to all the scary articles published over the last year or 2 this wouldn't add any new danger to anything.

I understood the article and what I said was there was at least one AD article that I remember where non programmers can cobble together a bot net from hacker web sites and command a bot net of hundreds of thousands of computers. That to me was much much scarier than this. At least with the root kit sales the person using the root kit must be a programmer. It is kind of being over whelmed that you can buy throwing knifes which requires skill to use but are not upset that you can buy a gun or handgrenade that require little skill to use, on the street.

I never said you don't care who has control of your computer. You do have a choice. I suspect you do not frequent sites that are problems. My kids must go to the wrong places. I suspect facebook might be one. Maybe it was kiddy game sites. I do know the home computer was getting several viruses a week with McCaffy running. My daughter hogs the computer and spends most of her time on facebook. I have a 12 yr old that still gose on kiddy sites. That is a great place to infect. Kids have no fear or sense. I also have a 21 yr old so who knows who was getting the computer infected.

As a tip, install sandboxie and browse under it. It is a free utility. I blow away the sandbox every week or so on the family computer. Scans after the delete are clean. I use several different scanners that may be better than macaffy. 2 will detect root kits. These have to be done manually so it is a pain and many require rebooting. I now scan less than once a month because I think the routine is safe.

Because of the sandboxing effect, rootkits probably do not work. The root kits probably load themselves into where updates go and are applied at start up. The effect puts them into the wrong place so they do not get executed when they need to. They get executed when Sandboxie starts up and you would need permission to even try to execute the package. Even if you OK the update (stupid!) the root kit missed its window of opportunity, your OS is already loaded.

Peace!

18.8.2011 12:56 #6

AfterDawn: News