TDSS Rootkit boasts new DHCP server

Malcontent · Jun 3, 2011

http://www.theregister.co.uk/2011/06/03/tdss_self_propagation_powers/

A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods,

The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages.

“After these manipulations, whenever the user tries to visit any web page, s/he will be redirected to the malicious server and prompted to update his/her web browser,” Golovanov wrote. “The user will not be able to visit websites until sh/he agrees to install an 'update.'”

Late last year, TDSS acquired the ability to infect 64-bit versions of Microsoft Windows by bypassing the OS's kernel mode code signing policy. Researchers at security firm Prevx have said it's the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware on infected machines, and once installed it's undetectable by most antimalware programs.
Click to expand...

J_L · Jun 3, 2011

Re: TDSS boasts new DHCP server

Wow, it's getting even more advanced. Just cleaning your system won't be enough anymore.

Rmus · Jun 4, 2011

Doesn't the article imply that you have to be on an already infected network?

From another article:

TDSS loader now got “legs”
http://www.securelist.com/en/blog/208188095/TDSS_loader_now_got_legs

When spreading over the local area network, the worm uses the following technique...

If the victim computer is located on a network which uses the DHCP protocol, the worm starts scanning the network...
Click to expand...

Searching_ _ _ · Jun 4, 2011

Is it possible to perform a silent update that wouldn't alert the user to the install?
Is Java, Flash or Ajax involved at all?

Rmus · Jun 4, 2011

Searching_ _ _ said:

Is it possible to perform a silent update that wouldn't alert the user to the install?
Click to expand...

One should have security in place to alert if something like that happens.

I've simulated such exploits by using Adobe Acrobat and Javacheck updaters:

Actually, updaters shouldn't even get this far if you have a firewall that monitors outbound connections:

Is Java, Flash or Ajax involved at all?
Click to expand...

Java, Flash, etc, exploits can be blocked from installing malware executables with security in place to prevent anything happening without user permission:

regards,

-rich

Log in or Sign up

TDSS Rootkit boasts new DHCP server

Malcontent Registered Member

J_L Registered Member

Rmus Exploit Analyst

Searching_ _ _ Registered Member

Rmus Exploit Analyst

Log in or Sign up

TDSS Rootkit boasts new DHCP server

Malcontent Registered Member

J_L Registered Member

Rmus Exploit Analyst

Searching_ _ _ Registered Member

Rmus Exploit Analyst

Useful Searches