Alureon

Last updated

Alureon (also known as TDSS or TDL-4) is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. [1] Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, [2] triggered these crashes by breaking assumptions made by the malware author(s). [3] [4]

Contents

According to research conducted by Microsoft, Alureon was the second most active botnet in the second quarter of 2010. [5]

Description

The Alureon bootkit was first identified around 2007. [1] Personal computers are usually infected when users manually download and install Trojan software. Alureon is known to have been bundled with the rogue security software, "Security Essentials 2010". [2] When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to update the master boot record and execute a modified bootstrap routine. Then it infects low-level system drivers such as those responsible for PATA operations (atapi.sys) to install its rootkit.

Once installed, Alureon manipulates the Windows Registry to block access to Windows Task Manager, Windows Update, and the desktop. It also attempts to disable anti-virus software. Alureon has also been known to redirect search engines to commit click fraud. Google has taken steps to mitigate this for their users by scanning for malicious activity and warning users in the case of a positive detection. [6]

The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. [2] The malware was using a hard-coded memory address in the kernel that changed after the installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present, [7] The malware author(s) also fixed the bug in the code.

In November 2010, the press reported that the rootkit had evolved to the point that it was bypassing the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7. It did this by subverting the master boot record, [8] which made it particularly resistant on all systems to detection and removal by anti-virus software.

TDL-4

TDL-4 is sometimes used synonymously with Alureon and is also the name of the rootkit that runs the botnet.

It first appeared in 2008 as TDL-1 being detected by Kaspersky Lab in April 2008. Later version two appeared known as TDL-2 in early 2009. Some time after TDL-2 became known, emerged version three which was titled TDL-3. [9] This led eventually to TDL-4. [10]

It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. [11] It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized controls using the Kad network, as well as deleting other malware. [12] [13]

Removal

While the rootkit is generally able to avoid detection, circumstantial evidence of the infection may be found through examination of network traffic with a packet analyzer or inspection of outbound connections with a tool such as netstat. Although existing security software on a computer will occasionally report the rootkit, it often goes undetected. It may be useful to perform an offline scan of the infected system after booting an alternative operating system, such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of "atapi.sys" could possibly be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection.[ citation needed ]

Various companies have created standalone tools which attempt to remove Alureon. Two popular tools are Microsoft Windows Defender Offline and Kaspersky TDSSKiller.

Arrests

On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against six Estonian nationals who were arrested by Estonian authorities and one Russian national, in conjunction with Operation Ghost Click. [14] As of February 6, 2012, two of these individuals were extradited to New York for running a sophisticated operation that used Alureon to infect millions of computers. [15]

See also

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Rootkit</span> Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

<span class="mw-page-title-main">ESET NOD32</span> Computer protection software

ESET NOD32 Antivirus, commonly known as NOD32, is an antivirus software package made by the Slovak company ESET. ESET NOD32 Antivirus is sold in two editions, Home Edition and Business Edition. The Business Edition packages add ESET Remote Administrator allowing for server deployment and management, mirroring of threat signature database updates and the ability to install on Microsoft Windows Server operating systems.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

<span class="mw-page-title-main">Rogue security software</span> Form of malicious software

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">Kaspersky Anti-Virus</span> Antivirus solution

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

<span class="mw-page-title-main">Microsoft Security Essentials</span> Free antivirus product produced by Microsoft for the Windows operating system

Microsoft Security Essentials (MSE) is an antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge. It replaces Windows Live OneCare, a discontinued commercial subscription-based AV service, and the free Windows Defender, which only protected users from spyware until Windows 8.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

References

  1. 1 2 "Win32_Alureon threat description - Microsoft Security Intelligence". microsoft.com. March 2007. Archived from the original on 10 February 2010. Retrieved 2010-02-18.
  2. 1 2 3 "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Archived from the original on 5 June 2011. Retrieved 2011-04-25.
  3. "MS10-015 Restart Issues Are the Result of a Rootkit Infection (threatpost)". Archived from the original on 2012-10-21. Retrieved 2010-02-19.
  4. "More information about Alureon". symantec.com.
  5. "Most Active Botnet Families in 2Q10" (PDF). Microsoft. p. 24. Retrieved 19 August 2015.
  6. Berkow, Jameson (2011-07-20). "Google warns of massive malware outbreak". Financial Post . Retrieved 2011-11-25.
  7. "Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit". Microsoft Security Response Center. 2010-02-17.
  8. Goodin, Dan (2010-11-16). "World's Most Advanced Rootkit Penetrates 64-bit Windows". The Register . Archived from the original on 21 November 2010. Retrieved 2010-11-22.
  9. "TDSS". Securelist by Kaspersky.
  10. Golovanov, Sergey; Igor Soumenkov (27 June 2011). "TDL4 – Top Bot". Securelist by Kaspersky. Securelist. Retrieved 19 May 2020.
  11. Herkanaidu, Ram (4 July 2011). "TDL-4 Indestructible or not?". Securelist by Kaspersky. securelist. Retrieved 19 May 2020.
  12. Reisinger, Don (30 June 2011). "TDL-4: The 'indestructible' botnet? | The Digital Home - CNET News". CNET. Retrieved 15 October 2011.
  13. "'Indestructible' TDL-4 Botnet?". Techno Globes. 2 July 2011. Archived from the original on 12 October 2011. Retrieved 16 March 2016.{{cite web}}: CS1 maint: unfit URL (link)
  14. "Operation Ghost Click:International Cyber Ring That Infected Millions of Computers Dismantled". FBI.gov. 9 November 2011. Retrieved 14 August 2015.
  15. Finkle, Jim (5 July 2015). "Virus could black out nearly 250,000 PCs". Reuters. Retrieved 14 August 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.