Notorious rootkit gets self-propagation powers

One of the most notorious rootkits has just acquired a self-propagating mechanism that could allow it to spread to new victims, a security researcher has warned. A new version of the TDSS rootkit, which also goes by the names Alureon and TDL4, is able to infect new machines using two separate methods, Kaspersky Lab researcher …


This topic is closed for new posts.
  1. Joe User

    I saw this one last week

    One of my co-workers got this crap on his PC last week. The rogue DHCP server drove me nuts until I figured out what was happening and shut down the infected PC. Bastards!

  2. amanfromMars 1 Silver badge

    Ye Gods, Clarence .... there is a GOD in the House, but not as you know it in IT

    "The second method is to spread over local area networks by creating a rogue DHCP server and waiting for attached machines to request an IP address. When the malware finds a request, it responds with a valid address on the LAN and an address to a malicious DNS server under the control of the rootkit authors. The DNS server then redirects the targeted machine to malicious webpages." ...... That is the covert, back door, underground approach to executing renegade regal rogue code. For the boldly going, brash, gate-crashing version with full post modern transparency, there is the zerodaily front door bell ring suite of options with many a simpler and more complicated and sophisticated hammer to break open the nut, as was earlier shared and Registered ..... "Just out of a matter of professional and personal interest, who is the prime contractor/supplier of virtual and/or virtuous armaments to the UK? And what is their email address? Any idea, or is that something they have to make up yet and then hide away lest anyone contact them and send them a carefully crafted little package/bit packet which renders their services and systems exposed and fully compromised and practically useless/virtually incompetent?

    It is hard not to think of anything which may be presently stood up and drawing any funding at all, being nothing other than another model of yore gravy train trying to protect old establishments and systems rather than ensuring that new ones are failsafe created and future proofed against SMART IP Promotions/Programs/Pogroms/Pirates/Privateers." .... which has no reply, ergo is not false, and is UKGBNI open to/for Virtual Attack and/or Provision of Future Lead Business with Real SMART Shenanigans?

    Round Table Great Games stuff, with definitely no nonsense? Imagine it's true, ..... what a to do, eh?
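The rogue-DHCP mechanism quoted above can be caught on the wire by checking what DHCP offers on the segment actually hand out. The following Python is an added example (not from the article, the thread or Kaspersky): it parses a DHCP OFFER/ACK and flags an unknown server identifier or an unexpected DNS server. The trusted addresses, the packet builder and the two sample offers are constructed for the example; in practice the packets would come from a capture or a raw socket on the LAN.

```python
import ipaddress
import struct

# Constructed allowlist (assumption for this example): the only DHCP server
# and the only resolvers that clients on this LAN are supposed to be handed.
TRUSTED_DHCP_SERVERS = {"192.168.1.1"}
TRUSTED_DNS_SERVERS = {"192.168.1.1", "9.9.9.9"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr = str(ipaddress.IPv4Address(packet[16:20]))   # address being offered
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Decode an option value that holds a sequence of IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(packet: bytes) -> list:
    """Return findings for an OFFER/ACK whose server or DNS settings are not trusted."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCPOFFER, DHCPACK):
        return []                # only server replies carry the configuration
    findings = []
    for server in ip_list(opts.get(OPT_SERVER_ID, b"")):
        if server not in TRUSTED_DHCP_SERVERS:
            findings.append(f"unknown DHCP server identifier {server}")
    for resolver in ip_list(opts.get(OPT_DNS, b"")):
        if resolver not in TRUSTED_DNS_SERVERS:
            findings.append(f"offer pushes untrusted DNS server {resolver}")
    return findings


def build_offer(server_ip: str, dns_ips: list, yiaddr: str, xid: int = 0x1234ABCD) -> bytes:
    """Construct a minimal DHCPOFFER; used only to make sample input for the audit."""
    pk = ipaddress.IPv4Address
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    hdr += pk("0.0.0.0").packed + pk(yiaddr).packed + pk(server_ip).packed + pk("0.0.0.0").packed
    hdr += bytes.fromhex("0011223344aa") + bytes(10)      # chaddr, 16 bytes
    hdr += bytes(64) + bytes(128)                         # sname, file
    dns_raw = b"".join(pk(d).packed for d in dns_ips)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + pk(server_ip).packed
    opts += bytes([OPT_DNS, len(dns_raw)]) + dns_raw + b"\xff"
    return hdr + DHCP_MAGIC + opts


# Constructed samples: the legitimate server, and a rogue box handing out an outside resolver.
BENIGN_OFFER = build_offer("192.168.1.1", ["192.168.1.1"], "192.168.1.50")
ROGUE_OFFER = build_offer("192.168.1.77", ["203.0.113.5"], "192.168.1.51")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_offer(pkt) or ["ok"])
```

Run against live traffic, the two findings give you both the address of the infected box (the server identifier) and the resolver it is pushing, which is what you need to pull the machine off the network and to block the resolver at the perimeter.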

  3. Tasogare

    Well, crap.

    I think our network might have this one -- I recognize the filenames. Hopefully it's not the dhcp-equipped version.

  4. Anonymous Coward

    Not TDSS

    If one reads the article by Kaspersky, it turns out the article is actually about a different malware called Net-Worm.Win32.Rorpian and not about TDSS at all.

    The worm is used to distribute TDSS, but the spreading mechanism described is that of Rorpian, not TDSS.

    1. Anonymous Coward

      Nice to know.

      But could someone share what anti-malware programs will detect and clean this nuisance?

      1. Al_21

        At least one...

        Kaspersky - as they're the ones who published the research.

        Not sure about any others.

      2. Anonymous Coward


        Does the job, it's not free but you can do a 30-day trial which will clean up the infection for you. I often have difficulty detecting TDSS with AV apps as a malicious disk driver is often installed to disguise TDSS and other crap from the scanners.

  5. Johnny Canuck

    This is not a title

    To get rid of this malware I do several things. First, I run Cleanup to clean out temp files. Next I run TDSSKiller from Kaspersky. Then I run combofix, then MalwareBytes to finish.

    1. Tigra 07

      Re Johnny

      Either you're very prepared or this thing can't be killed with 1 program alone, but several instead.

      Very scary.

      We just had something at home that destroyed my mom's bootmgr - obliterating their PC and tried to infect my laptop through the network.

      Suffice to say that WinPatrol stopped it.

      Luckily I'm paranoid and have combined WinPatrol, AVG, Spybot and Malwarebytes.

      1. richard 7

        He's right

        This thing is a pig to get rid of even before this update. Just one tool alone won't get it and it has a horrible habit of coming back. Especially if you use fast/flash scans. Full scans only for this one.



    The same PrevX who deliberately and covertly infected 22,000 PCs with malware... helped by the BBC's Spencer Kelly... and a bunch of Ukrainian criminals... using TV licence payers' cash to grease their palms?

    The same PrevX who can't explain how they managed to 'uninstall' the same infection from all of the machines they infected, or compensated those they couldn't recover?

    So does this mean there's a new 'rootkit/worms' exposé episode of BBC Click in production?

  7. FrankAlphaXII

    If it is part of some BBC Click exposé...

    I'm sending the BBC (and whatever hack reporter it was) a huge bill for the 6 and a half hours of time lost in the middle of the day I had to spend cleaning this thing off my laptop two weeks ago.

    And if they don't feel like paying out, the reporter in question had better hope they don't set foot in the US or a country that will extradite to the US. I'm dead serious about this, I was logged onto the NIPRnet (Army Knowledge Online specifically) when my computer went down. When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system. And last time I checked, the Army, Department of Defense, and FBI tend to frown upon bovine feces like this.

    Anyway, if anyone else has to deal with this, it really really sucks. The rootkit itself had to be cleaned with 4 programs, it installed a Trojan that was difficult to detect as well, and required a fifth program to detect and remove. Of the commercial or publicly available tools out there, only Kaspersky managed to detect it, and they're the only ones who had a removal tool that worked.

    It made the mistake of corrupting a driver that I could override driver signature enforcement on, so fixing it was relatively simple when I isolated what it was, but it was a real pain. I'd be more than happy to inflict some back if it indeed is some sort of stupid "documentary".

    1. Anonymous Coward


      Thanks for the BDA, Frank. Practice OPSEC.

    2. amanfromMars 1 Silver badge

      "'Will you walk into my parlor?' said the Spider to the Fly."

      "And if they don't feel like paying out, the reporter in question had better hope they don't set foot in the US or a country that will extradite to the US. I'm dead serious about this, I was logged onto the NIPRnet (Army Knowledge Online specifically) when my computer went down. When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system. And last time I checked, the Army, Department of Defense, and FBI tend to frown upon bovine feces like this." .... FrankAlphaXII Posted Sunday 5th June 2011 07:58 GMT

      There's the problem child identified, FrankAlphaXII, by your very goodself. A Dynamic Network Application with Sub-Prime Plugins/Input Values. Whatever else can you expect whenever you facilitate such low level feeder intelligence access to high level gathering seed information systems ...... "When you're connected to the NIPRnet, SIPRnet, or JWICS, you're a US Government information system."

      And quite why the Army, Department of Defense, and FBI would provide such a crapper of a system whenever they, last time I checked, tend to frown upon bovine feces like this, tells you that their Base Algorithm for Security and Defense with an Advanced Intelligence Network Infrastructure, is shot to pieces/crack hacked/as watertight as a sieve and would need to be completely remodelled .... a new system built from the ground up, for presently is the no defense against the zeroday attack parameter.

      Without such a radical move, which in other words would be a shutting down and dismantling of Internal Bullshit Management systems, is more and more deeply pervasive catastrophic grief, inevitable and unstoppable.

      Ps. That information and intelligence is free. And you are heartily encouraged to share it widely for there is no cost involved/no fee charged. But the info and intel needed to build ... Requisite Desirable FailSafe Secured Dynamic Systems .... is MkUltraSensitive Proprietary Private Pirate Intellectual Property which is not for Sale and Transfer but can easily be Bought on a License as Expensive or as Cheap as would be Relative to One's Needs, with All Due Regard and Consideration of Universal Supply to Meet Global Demand in ITs Future Feeds and Source Seeds.

      And very conveniently, is St Moritz hosting a party this week, and you will surely find out a lot more about everything associated with such Novel Development Applications, and which is not classified and known only on a strictly need to know basis.

      And the reason for that strictly need to know secrecy thing is beautifully summed up by Jack Nicholson, who said it best in reply whenever he was asked for the truth in the movie "A Few Good Men" ...... "You can't handle the truth." ...... for it is the destroyer of all evil and a fearsome weapon to behold and wield in hearts and minds and hands which are unprepared for its Awesome Invisible Might.

  8. Anonymous Coward

    Oh - I'm disappointed...

    ...I thought this was going to be about Sony!

  9. Joe User

    Clean-up procedure

    1) RKill to shut down malicious processes (as best it can).

    RogueKiller is another good process-stopper (note: the web page is in French).

    2) Malwarebytes' Anti-Malware to remove the crud from the PC.

    3) TDSSKiller to remove the rootkit.

  10. sumguy99

    Solution: Windows 98

    I just set my DNS to That way it doesn't matter if there's a rogue DHCP server talking to my machines.

    And oh, did I mention I'm probably not vulnerable to these exploits, worms or this rootkit anyways? Why? Because I'm running Windows 98 (second edition), fortified with KernelEx win-NT API enhancements.

    Connecting any NT-based OS to the internet = fail. Look up Internet Survival Time.

    1. Anonymous Coward


      Never been a wintel user myself but there's something in your setup that just sets the mind boggling. Windows 98? Wasn't that one of the DOS-based contraptions? I want to know more!

  11. No. Really!?

    Port 53

    Kaspersky doesn't mention if TDSS is making the rogue outbound DNS connection on port 53.

    If so then firewall rules whitelisting DNS servers will interrupt the dropper mechanism.

    Though I wouldn't be surprised if this has been anticipated and they are using 80 like everything else that doesn't want to be filtered.
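One way to put the egress rule described in the post above into practice, as an added example that is not part of the original thread: generate iptables rules that allow port-53 traffic only to an allowlisted set of resolvers and log-then-drop the rest, and parse the resulting kernel log lines to report which internal hosts tried to reach an unlisted resolver. The resolver addresses and the log lines are constructed for the example. As the commenter anticipates, a resolver reached over port 80 never hits these rules, and the parser deliberately ignores non-53 traffic to make that blind spot visible.

```python
import re

# Constructed allowlist (assumption for this example): the resolvers clients are permitted to reach.
ALLOWED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}


def egress_rules(allowed: set, chain: str = "OUTPUT") -> list:
    """Build iptables commands that permit port 53 only to the allowlisted resolvers
    and log-then-drop everything else. Use chain="FORWARD" on a LAN gateway so the
    policy covers the workstations behind it rather than only the firewall host."""
    rules = []
    for proto in ("udp", "tcp"):
        for resolver in sorted(allowed):
            rules.append(f"iptables -A {chain} -p {proto} --dport 53 -d {resolver} -j ACCEPT")
        rules.append(f'iptables -A {chain} -p {proto} --dport 53 -j LOG --log-prefix "DNS-EGRESS "')
        rules.append(f"iptables -A {chain} -p {proto} --dport 53 -j DROP")
    return rules


# Field layout of the kernel's iptables LOG target output.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def dns_violations(log_lines, allowed: set) -> list:
    """Return (src, dst, proto) for every logged port-53 connection to a resolver
    that is not on the allowlist. Traffic on other ports is ignored, so a malicious
    resolver reached over port 80 would not appear here at all."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or m["dpt"] != "53":
            continue
        if m["dst"] not in allowed:
            hits.append((m["src"], m["dst"], m["proto"]))
    return hits


# Constructed log lines in iptables LOG format: one blocked lookup to an outside
# resolver, one permitted lookup, and an unrelated port-80 connection.
SAMPLE_LOG = [
    "Jun  5 07:58:01 gw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4411 PROTO=UDP SPT=51023 DPT=53 LEN=40",
    "Jun  5 07:58:02 gw kernel: DNS-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=9.9.9.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4412 PROTO=UDP SPT=51024 DPT=53 LEN=40",
    "Jun  5 07:58:03 gw kernel: WEB-EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.5 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4413 DF PROTO=TCP SPT=51025 DPT=80 WINDOW=8192",
]

if __name__ == "__main__":
    print("\n".join(egress_rules(ALLOWED_RESOLVERS, chain="FORWARD")))
    for src, dst, proto in dns_violations(SAMPLE_LOG, ALLOWED_RESOLVERS):
        print(f"{src} tried {proto}/53 to unlisted resolver {dst}")
```

The LOG rule sits before the DROP so every blocked lookup leaves a record naming the internal host; that record is the quickest way to find which machine has picked up the rogue resolver from a bad DHCP lease.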
