Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Notorious rootkit gets self-propagation powers


  • Please log in to reply
1 reply to this topic

#1 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:08:56 AM

Posted 03 June 2011 - 09:37 PM

http://www.theregister.co.uk/2011/06/03/tdss_self_propagation_powers/


A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher Sergey Golovanov wrote in a blog post published on Friday. The first is by infecting removable media drives with a file that gets executed each time a computer connects to the device. The technique has been around for years and has been used by plenty of other computer worms, including the one known as Conficker. Other than using files with titles such as myporno.avi.lnk and pornmovs.lnk, there's nothing particularly unusual about the way TDSS goes about doing this.

The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.

"After these manipulations, whenever the user tries to visit any web page, s/he will be redirected to the malicious server and prompted to update his/her web browser," Golovanov wrote. "The user will not be able to visit websites until sh/he agrees to install an 'update.'"


TDSS loader now got "legs" http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs

Posted Image
Screenshot of the malicious site from which the worm spreads

BC AdBot (Login to Remove)

 


#2 jdbaker82

jdbaker82

  • Members
  • 103 posts
  • OFFLINE
  •  
  • Local time:08:56 AM

Posted 03 June 2011 - 10:49 PM

The more money these people keep getting the worse this stuff is going to get and I know they are making millions because I visit at least 1 client a week out of a very small sample size that falls for these random rogues.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users