Alureon Rootkit Morphs Again, Adds Steganography

The Alureon rootkit has become not just a major headache for its victims, with its insidious infection routines and persistence once on a machine. But it also has proved to be a challenge for researchers engaged in trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide configuration files to update infected machines with new instructions.

Alureon SteganographyThe Alureon rootkit has become not just a major headache for its victims, with its insidious infection routines and persistence once on a machine. But it also has proved to be a challenge for researchers engaged in trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide configuration files to update infected machines with new instructions.

The steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim’s machine. The malware has a new function that goes out to a remote Web site and downloads a new component called “com32”, which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. But when researchers at Microsoft looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.

The rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft’s Malware Protection Center.

“After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publically hosted data was revealed — it’s there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these ‘backup’ locations,” Molenkamp wrote.

The images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and “Tropic Thunder.” The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and…Tom Cruise.

Alureon, which also is known as TDSS or TDL4, has been a serious problem for a couple of years now. The addition of a steganography routine is just the latest in a line of new features added to the malware in the last few months. Earlier this year researchers came across a version of Alureon that was using an older brute-force technique in order to decrypt some components of its own code that are encrypted. And in June another variant appeared that had its own self-replicating loader which allowed Alureon to spread via network shares once it’s on a victim’s machine.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.