Jun 3, 2011 17:40 GMT

Security researchers warn that the TDSS rootkit has been updated with a self-propagation component capable of infecting removable media and performing DNS hijacking attacks.

The TDSS family of rootkits, which is composed of several distinct versions and a lot of variants, dates back to 2008 and is one of the most sophisticated pieces of malware around.

Its fourth version, also known as TDL4, is one of the very few rootkits capable of successfully infecting 64-bit versions of Windows Vista and 7, which normally require digitally signed drivers.

The rootkit also stands apart from the crowd because it is able to infect the master boot record (MBR), a portion of code executed before the actual operating system. This gives the malware the ability to run malicious instructions before any antivirus program has a chance to kick in.

According to security researchers from Kaspersky Lab, TDSS just became even more dangerous, because now it is able to spread itself. The company's malware analysts have noticed that new variants of TDSS drop a component specifically designed to infect other computers.

Kaspersky has named this component Net-Worm.Win32.Rorpian and points out that it uses two propagation methods. One is a traditional USB infection routine, in which any removable storage device plugged into the computer's USB ports is rigged with malware.

"When spreading via removable media, the worm creates the files setup.lnk, myporno.avi.lnk and pornmovs.lnk in addition to autorun.inf. These files are shortcuts to the file rundll32.exe, with parameters pointing to the worm’s DLL. This is a standard technique used by many malicious programs," explains Kaspersky's Sergey Golovanov.

The second routine is not new either, but it is less common. The malware determines several aspects of the local network's topology: whether a local DHCP server is in use and whether any other computers are active on the network.

If it finds one, the malware executes a man-in-the-middle attack by intercepting its DHCP requests and responding with rogue settings. The goal is to trick the target computer into using a DNS server controlled by the attackers.

Once this is done, when the user tries to visit any webpage, they will see a fake browser alert that asks them to install an update before continuing. Of course this update is actually an installer for the rootkit.
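The rogue-DHCP stage described above leaves a trace on the wire: a host or network sensor can parse each DHCP OFFER/ACK it sees and compare the server identifier (option 54) and the DNS server list (option 6) against the addresses the network is known to hand out. The Python below is an added example, not code from the article or from Kaspersky; the trusted addresses, the DHCPOFFER builder and the sample addresses it uses are constructed for the demonstration.

```python
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255

def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed

def parse_dhcp_options(payload: bytes) -> dict[int, bytes]:
    """Map option code -> raw value; the fixed DHCP header is 236 bytes, then the cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_dhcp_findings(payload: bytes, trusted_servers: set[str],
                        trusted_dns: set[str]) -> list[str]:
    """Flag OFFER/ACK messages whose server id or DNS list is outside the allowlist."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\0")[0] not in (2, 5):  # only OFFER (2) / ACK (5) push settings
        return []
    server = str(ipaddress.IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")))
    findings = []
    if server not in trusted_servers:
        findings.append(f"untrusted DHCP server identifier {server}")
    dns_raw = opts.get(OPT_DNS, b"")
    for j in range(0, len(dns_raw) - 3, 4):  # option 6 is a list of 4-byte IPv4 addresses
        dns = str(ipaddress.IPv4Address(dns_raw[j:j + 4]))
        if dns not in trusted_dns:
            findings.append(f"DNS server {dns} offered by {server} is not on the allowlist")
    return findings

def build_offer(server_ip: str, dns_ips: list[str]) -> bytes:
    """Constructed DHCPOFFER for demonstration only (not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, packed("192.0.2.50"), packed(server_ip), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    dns = b"".join(packed(a) for a in dns_ips)
    options = (bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_SERVER_ID, 4]) + packed(server_ip)
               + bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END]))
    return header + DHCP_MAGIC + options
```

Fed from a packet capture of UDP port 68 traffic, any non-empty result means a client on the segment is being handed settings by a server the network did not provision.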

"In other words, Net-Worm.Win32.Rorpian, the loader of TDSS, one of today’s most advanced and sophisticated malicious programs, exploits the computer’s most dangerous vulnerability of all – the user," Mr. Golovanov concludes.