Alureon (also known as TDSS or TDL-4) is a

trojan Trojan or Trojans may refer to: * Of or from the ancient city of Troy * Trojan language, the language of the historical Trojans Arts and entertainment Music * ''Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 189 ...

and

rootkit A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the exis ...

created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints,

Microsoft Microsoft Corporation is an American multinational corporation, multinational technology company, technology corporation producing Software, computer software, consumer electronics, personal computers, and related services headquartered at th ...

determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s). According to research conducted by Microsoft, Alureon was the second most active

botnet A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its co ...

in the second quarter of 2010.

Description

The Alureon bootkit was first identified around 2007. Personal computers are usually infected when users manually download and install

Trojan Trojan or Trojans may refer to: * Of or from the ancient city of Troy * Trojan language, the language of the historical Trojans Arts and entertainment Music * ''Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 189 ...

software. Alureon is known to have been bundled with the

rogue security software Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on ...

, "Security Essentials 2010". When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to update the

master boot record A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MB ...

and execute a modified bootstrap routine. Then it infects low-level system drivers such as those responsible for

PATA Pata or PATA may refer to: Places * Pata, Sulu, a Philippine municipality * Pata, Galanta District, a village in Slovakia * Pata, Central African Republic, a village * Pata village (Samoa), a village in Samoa * Pontrilas Army Training Area, a Bri ...

operations (atapi.sys) to install its

. Once installed, Alureon manipulates the

Windows Registry The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and u ...

to block access to

Windows Task Manager Task Manager, previously known as Windows Task Manager, is a task manager, system monitor, and startup manager included with Microsoft Windows systems. It provides information about computer performance and running software, including name of ru ...

Windows Update Windows Update is a Microsoft service for the Windows 9x and Windows NT families of operating system, which automates downloading and installing Microsoft Windows software updates over the Internet. The service delivers software updates for Wind ...

, and the desktop. It also attempts to disable anti-virus software. Alureon has also been known to redirect search engines to commit

click fraud Click, Klick and Klik may refer to: Airlines * Click Airways, a UAE airline * Clickair, a Spanish airline * MexicanaClick, a Mexican airline Art, entertainment, and media Fictional characters * Klick (fictional species), an alien race in th ...

. Google has taken steps to mitigate this for their users by scanning for malicious activity and warning users in the case of a positive detection. The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. The malware was using a

hard-coded Hard coding (also hard-coding or hardcoding) is the software development practice of embedding data directly into the source code of a program or other executable object, as opposed to obtaining the data from external sources or generating it at ...

memory address in the kernel that changed after the installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present, The malware author(s) also fixed the bug in the code. In November 2010, the press reported that the rootkit had evolved to the point that it was bypassing the mandatory kernel-mode driver signing requirement of 64-bit editions of

Windows 7 Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearl ...

. It did this by subverting the

, which made it particularly resistant on all systems to detection and removal by anti-virus software.

TDL-4

''TDL-4'' is sometimes used synonymously with Alureon and is also the name of the

that runs the botnet. It first appeared in 2008 as TDL-1 being detected by Kaspersky Lab in April 2008. Later version two appeared known as TDL-2 in early 2009. Some time after TDL-2 became known, emerged version three which was titled TDL-3. This led eventually to TDL-4. It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the

of the target machine, making it harder to detect and remove. Major advancements include

encrypt In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...

ing communications, decentralized controls using the

Kad network The Kad network is a peer-to-peer (P2P) network which implements the Kademlia P2P overlay protocol. The majority of users on the Kad Network are also connected to servers on the eDonkey network, and Kad Network clients typically query known nod ...

, as well as deleting other

malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, de ...

Removal

While the rootkit is generally able to avoid detection, circumstantial evidence of the infection may be found through examination of network traffic with a

packet analyzer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or ...

or inspection of outbound connections with a tool such as

netstat In computing, netstat (''network statistics'') is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interf ...

. Although existing security software on a computer will occasionally report the rootkit, it often goes undetected. It may be useful to perform an offline scan of the infected system after booting an alternative operating system, such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of "atapi.sys" could possibly be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection. Various companies have created standalone tools which attempt to remove Alureon. Two popular tools are Microsof
Windows Defender Offline
and Kaspersk
TDSSKiller

Arrests

On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against six

Estonia Estonia, formally the Republic of Estonia, is a country by the Baltic Sea in Northern Europe. It is bordered to the north by the Gulf of Finland across from Finland, to the west by the sea across from Sweden, to the south by Latvia, and t ...

n nationals who were arrested by Estonian authorities and one

Russia Russia (, , ), or the Russian Federation, is a transcontinental country spanning Eastern Europe and Northern Asia. It is the largest country in the world, with its internationally recognised territory covering , and encompassing one-eigh ...

n national, in conjunction with Operation Ghost Click. As of February 6, 2012, two of these individuals were extradited to New York for running a sophisticated operation that used Alureon to infect millions of computers.

References

{{Reflist

External links