Alureon
Alureon (also known as TDSS or TDL-4) is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon had caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The security update MS10-015 triggered these crashes by breaking assumptions made by the malware author(s): the rootkit relied on a hard-coded kernel address that the update changed. According to research conducted by Microsoft, Alureon was the second most active botnet in the second quarter of 2010.


Description

The Alureon bootkit was first identified around 2007. Personal computers are usually infected when users manually download and install Trojan software. Alureon is known to have been bundled with the rogue security software "Security Essentials 2010". When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to overwrite the master boot record (MBR) and execute a modified bootstrap routine. It then infects low-level system drivers, such as the one responsible for PATA operations (atapi.sys), to install its rootkit. Once installed, Alureon manipulates the Windows Registry to block access to Windows Task Manager, Windows Update, and the desktop. It also attempts to disable anti-virus software. Alureon has also been known to redirect search engine results to commit click fraud. Google has taken steps to mitigate this for its users by scanning for malicious activity and warning users when an infection is detected.

The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. The malware was using a hard-coded memory address in the kernel that changed after the installation of the hotfix. Microsoft subsequently modified the hotfix so that it would refuse to install if an Alureon infection was present, and the malware author(s) fixed the bug in their code. In November 2010, the press reported that the rootkit had evolved to the point that it was bypassing the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7. It did this by subverting the master boot record, so that its code ran before the operating system's own integrity checks, which made it particularly resistant to detection and removal by anti-virus software on both 32-bit and 64-bit systems.
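The bootkit stage described above works by replacing the 446 bytes of bootstrap code at the start of sector 0 while leaving the partition table intact, so the disk still boots and the partition layout looks normal. The following Python script is an added example for this article, not code from the malware or from any vendor tool: it parses a raw MBR sector, hashes the bootstrap code and compares it with a trusted baseline, which is the check a responder would run from WinPE or another clean boot (a rootkit that has hooked the disk driver can hand a user-mode reader on the infected OS the original sector). The two sectors it inspects are constructed in memory; the baseline hash and the `\\.\PhysicalDrive0` path in `read_mbr_sector` are assumptions for the example.

```python
"""Parse a raw MBR sector and check its bootstrap code against a baseline.

Added example for this article; not code from Alureon/TDSS or from any vendor
tool.  The sectors below are constructed in memory so the script runs offline.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code, what a bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the code
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrInfo:
    valid_signature: bool
    boot_code_sha256: str
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> MbrInfo:
    """Split a 512-byte sector into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append(Partition(status == 0x80, ptype, lba, count))
    return MbrInfo(
        valid_signature=sector[510:512] == MBR_SIGNATURE,
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        partitions=partitions,
    )


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True when the bootstrap code is byte-identical to the trusted baseline.

    A bootkit keeps the partition table so the machine still boots, so the
    partition list alone looks normal; only the code hash reveals the swap.
    """
    return parse_mbr(sector).boot_code_sha256 == known_good_sha256


def read_mbr_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (assumed path; needs administrator rights).

    Run this from WinPE or another clean boot: a rootkit that has hooked the
    disk driver can return the original sector to readers on the infected OS.
    """
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def _make_sector(boot_code: bytes) -> bytes:
    """Build a constructed sector: given code, one bootable NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


# Constructed samples (not real bootloader bytes): a baseline sector and one whose
# bootstrap code was replaced while the partition table was left untouched.
CLEAN_MBR = _make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = _make_sector(b"\xeb\x58\x90" + b"\xcc" * 16)


if __name__ == "__main__":
    for name, sec in (("baseline", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sec)
        print(f"{name}: signature ok={info.valid_signature} partitions={info.partitions}")
        print(f"  bootstrap code matches baseline: {boot_code_matches(sec, KNOWN_GOOD_SHA256)}")
```

The baseline hash should come from the same disk before infection (an image taken at deployment) or from a clean install with the same boot loader; comparing against a hash from a different Windows version produces a false mismatch. On UEFI systems with GPT disks sector 0 holds only a protective MBR (a single type 0xEE entry), and this particular check does not cover the EFI boot loader.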


TDL-4

TDL-4 is sometimes used synonymously with Alureon and is also the name of the rootkit that runs the botnet. The family first appeared in 2008: TDL-1 was detected by Kaspersky Lab in April 2008, TDL-2 appeared in early 2009, and TDL-3 emerged some time after TDL-2 became known, leading eventually to TDL-4. Journalists often described it as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting its command-and-control communications, decentralized control using the Kad network, and deleting other malware from the machines it infects.


Removal

While the rootkit is generally able to avoid detection, circumstantial evidence of the infection may be found through examination of network traffic with a packet analyzer or inspection of outbound connections with a tool such as netstat. Although existing security software on a computer will occasionally report the rootkit, it often goes undetected. It may be useful to perform an offline scan of the infected system after booting an alternative operating system, such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of "atapi.sys" (with a copy from installation media or a known-clean system, since the infected driver carries the rootkit loader) could be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection. Various companies have created standalone tools which attempt to remove Alureon. Two popular tools are Microsoft's Windows Defender Offline and Kaspersky's TDSSKiller.
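Because the rootkit hides its own files and processes, the netstat inspection suggested above is most useful when it is cross-checked against the process list. The following Python script is an added example for this article, not a tool from the page, Microsoft or Kaspersky: it parses the text of `netstat -ano` and flags ESTABLISHED connections to external addresses that are owned either by a process that should not be talking to the Internet (the print spooler the dropper hijacks is the obvious case) or by a PID that is missing from the process list entirely. The netstat output, the PID-to-image map and the list of suspicious images are constructed for the example; the addresses use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for Internet hosts.

```python
"""Triage `netstat -ano` output against the process list.

Added example for this article; not a tool from the page, Microsoft or Kaspersky.
All input below is constructed; on a live Windows host the text would come from
`netstat -ano` and the PID map from `tasklist`.
"""
import ipaddress
from typing import Dict, List, NamedTuple

# Images that should not hold outbound Internet connections on a workstation
# (assumption for this example; tune per environment).
SUSPICIOUS_IMAGES = {"spoolsv.exe", "lsass.exe", "winlogon.exe"}

# Address ranges treated as internal.  Checked explicitly rather than via
# ip_address().is_private so that the documentation ranges used in the sample
# (203.0.113.0/24, 198.51.100.0/24) count as external, like real Internet hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table printed by `netstat -ano` (TCP rows have a State column, UDP rows do not)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                  # header, blank, "Active Connections"
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                                  # malformed row
        rip, _, rport = remote.rpartition(":")        # handles "[::1]:443" and "*:*"
        conns.append(Conn(proto, local, rip.strip("[]"),
                          int(rport) if rport.isdigit() else 0, state, int(pid)))
    return conns


def is_external(ip: str) -> bool:
    """True for an address outside the internal ranges; False for "*" and other placeholders."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def flag_connections(conns: List[Conn], pid_to_image: Dict[int, str]) -> List[str]:
    """One finding per ESTABLISHED external TCP connection owned by a suspicious
    image, or by a PID the process list does not know about (a hidden process)."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED" or not is_external(c.remote_ip):
            continue
        image = pid_to_image.get(c.pid, "<not in process list>").lower()
        if image in SUSPICIOUS_IMAGES or c.pid not in pid_to_image:
            findings.append(f"{image} (pid {c.pid}) -> {c.remote_ip}:{c.remote_port}")
    return findings


# Constructed sample output (documentation ranges stand in for Internet hosts).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49801     203.0.113.45:443       ESTABLISHED     1304
  TCP    192.168.1.10:49855     198.51.100.7:80        ESTABLISHED     2210
  TCP    192.168.1.10:49870     198.51.100.9:8080      ESTABLISHED     3390
  UDP    0.0.0.0:500            *:*                                    1188
"""

# Constructed PID->image map as `tasklist` would report it.  PID 3390 is deliberately
# absent: it owns a socket but is not visible in the process list.
SAMPLE_TASKLIST = {4: "System", 892: "svchost.exe", 1304: "spoolsv.exe",
                   2210: "chrome.exe", 1188: "svchost.exe"}


if __name__ == "__main__":
    for finding in flag_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print("SUSPICIOUS:", finding)
```

On a live host, feed `parse_netstat` the stdout of `subprocess.run(["netstat", "-ano"], capture_output=True, text=True)` and build the PID map from `tasklist`. A PID that owns a socket but is absent from the process list is the stronger signal of the two, since the rootkit's own hiding is what produces it; a browser talking to an external address is normal and is left alone by design.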


Arrests

On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against six Estonian nationals who were arrested by Estonian authorities and one Russian national, in conjunction with Operation Ghost Click. As of February 6, 2012, two of these individuals had been extradited to New York for running a sophisticated operation that used Alureon to infect millions of computers.


See also

* Bagle (computer worm)
* Botnet
* Conficker
* Gameover ZeuS
* Regin (malware)
* Rustock botnet
* Srizbi botnet
* Storm botnet
* Trojan.Win32.DNSChanger
* ZeroAccess botnet
* Zeus (malware)
* Zombie (computing)




External links


* TDSSKiller tool for detecting and removing rootkits and bootkits, Kaspersky Lab
* TDSS Removal, June 6, 2011, TrishTech.com
* Virus:Win32/Alureon.A at Microsoft Security Intelligence
* Backdoor.Tidserv at Symantec