The group behind the TDSS rootkit has developed a new method for getting the pernicious malware onto as many machines as possible: a worm-like, self-propagating loader. The new mechanism has the ability not only to install new copies of the rootkit on PCs, but also set up its own DHCP server on a network and force machines to connect to a malicious remote DNS server.
TDSS, which also is known by a variety of other names, including TDL4 and Alureon, has been infecting machines for about three years now, but this is the first time that researchers have discovered a variant that is accompanied by its own propagation method. The rootkit now can spread either through infection by removable drives or over network connections, according to an analysis by Kaspersky Lab researcher Sergey Golovanov.
The infection routine when the rootkit is installed via a thumb drive is a typical one, but once it’s on a network, it’s a different story.
“When spreading over the local area network, the worm uses the following technique. When infecting a computer, the worm checks if a DHCP server is used on the network. If the victim computer is located on a network which uses the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses on it. Next, the worm launches its own DHCP server and starts listening to the network. If it detects a DHCP request from a computer on the local network, the worm tries to be the first to respond to it,” Golovanov said in his analysis.
In the response, the TDSS rootkit will send the machine an IP address from its DHCP pool, along with the details of the attackers’ DNS server. Once that’s done, the user of the infected machine won’t be able to browse the Web until he downloads another piece of malware, which is presented as a required browser update.
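The behaviour described above (a rogue server answering DHCP requests and handing out an attacker-controlled DNS server) is something a network owner can watch for directly in the offers clients receive. The following is an added example, not code from the article or from Kaspersky Lab: it parses the option area of DHCP packets and flags any DHCPOFFER whose server identifier (option 54) or DNS server list (option 6) is not on an allowlist of the servers the network is supposed to use. The sample packets, addresses and allowlists are constructed for the example; in practice the packets would come from a capture on a client or a monitoring port.

```python
"""Rogue DHCP offer detection (illustrative example, not the article's or Kaspersky's code).

Parses the DHCP option region of BOOTP/DHCP packets and flags offers whose server
identifier (option 54) or DNS servers (option 6) fall outside what the network
owner expects. All packets, addresses and allowlists below are constructed.
"""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie preceding the option area
OPT_PAD = 0
OPT_DNS = 6
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
MSG_OFFER = 2


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} from a DHCP packet (BOOTP header + options)."""
    # The BOOTP fixed header is 236 bytes; options follow the 4-byte magic cookie.
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode a run of packed IPv4 addresses (option 6 may carry several)."""
    usable = len(raw) - len(raw) % 4
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, usable, 4)]


def check_offer(packet: bytes, allowed_servers: set, allowed_dns: set) -> list:
    """Return findings for a DHCPOFFER; an empty list means the offer matches the allowlists."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return []  # only offers are inspected here
    findings = []
    server_ids = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    server_id = server_ids[0] if server_ids else None
    if server_id not in allowed_servers:
        findings.append(f"offer from unexpected DHCP server {server_id}")
    for dns in ipv4_list(opts.get(OPT_DNS, b"")):
        if dns not in allowed_dns:
            findings.append(f"offer pushes unexpected DNS server {dns}")
    return findings


def build_offer(server_id: str, dns_servers: list) -> bytes:
    """Construct a minimal DHCPOFFER for testing (constructed sample, not captured traffic)."""
    header = bytearray(236)
    header[0] = 2  # op: BOOTREPLY
    header[1] = 1  # htype: Ethernet
    header[2] = 6  # hlen
    options = bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options += bytes([OPT_DNS, len(dns_raw)]) + dns_raw
    options += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC + options


# Constructed allowlists: the one DHCP server and one resolver this network should use.
ALLOWED_SERVERS = {"192.0.2.1"}
ALLOWED_DNS = {"192.0.2.53"}

# Constructed samples: a legitimate offer and one from an unexpected server pushing a foreign resolver.
LEGIT_OFFER = build_offer("192.0.2.1", ["192.0.2.53"])
ROGUE_OFFER = build_offer("192.0.2.77", ["198.51.100.9"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt, ALLOWED_SERVERS, ALLOWED_DNS) or ["ok"])
```

Because the worm's advantage lies in answering first, a client will often accept the rogue offer before the legitimate server replies, so this check is most useful on a passive monitor that sees every offer on the segment rather than on the client alone; DHCP snooping on managed switches enforces the same allowlist at the port level.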
Other recently discovered versions of TDSS or Alureon have been found with some additional interesting behaviors, as well. Microsoft researchers came across a variant of the rootkit last month that was using a brute-force technique in order to decrypt some encrypted components of its own code.