Alureon

Alureon (also known as TDSS) is a trojan and bootkit which is designed, amongst other things, to steal data by intercepting a system's network traffic and searching it for usernames, passwords and credit card data.[1] Following a series of customer complaints, Microsoft determined that Alureon was the cause of a series of BSoD problems on some 32-bit Microsoft Windows systems which were triggered when some assumptions made by the malware author(s) were broken by update MS10-015.[2][3]

According to research by Microsoft, Alureon was the second most active botnet in the second quarter of 2010.[4]

Description

The Alureon rootkit was first seen in 2006. PCs usually get infected by manually downloading and installing Trojan software, and Alureon has been seen bundled with the rogue security software Security Essentials 2010.[5] When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to write a filesystem boot sector at the end of the disk and changing the master boot record to execute this bootstrap routine; it then infects low level system drivers such as those responsible for PATA operations (atapi.sys) to implement its rootkit. It also manipulates the Windows Registry to block access to Windows Task Manager and the desktop.

While Alureon has also been known to redirect search engines to commit click fraud, Google has taken steps to mitigate that for their users by detecting it and warning the user.[6] Once installed, it blocks access to Windows Update and attempts to disable some anti-virus products.

The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015.[7] The malware was using a hard-coded memory address in the kernel that changed after installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present,[8] while the malware author also fixed the bug in his code.

In November 2010, the press reported that the rootkit has evolved to the point that it is able to bypass the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7 by subverting the master boot record,[9] something that also makes it particularly resistant on all systems to detection and removal by anti-virus software.

Removal

While the rootkit is generally able to hide itself very effectively, circumstantial evidence of the infection may be found by examination of network traffic with a packet analyzer or of outbound connections (netstat). Sometimes the existing security software on the computer will report it, but mostly not. It may be useful to perform an offline scan of the infected system after booting an alternative operating system such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of atapi.sys may be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection.

Various companies have created standalone tools that attempt to remove Alureon. Two popular ones are Microsoft Windows Defender Offline and Kaspersky TDSSKiller.

Arrests

On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against 6 Estonian nationals and 1 Russian national in conjunction with Operation GhostClick. The U.S. is currently seeking to extradite them for running a sophisticated operation that used Alureon to infect millions of computers worldwide.

References

  1. "Alureon trojan caused Windows 7 BSoD". microsoft.com. February 18, 2010. Archived from the original on 10 February 2010. Retrieved 2010-02-18.
  2. MS10-015 Restart Issues Are the Result of a Rootkit Infection (threatpost)
  3. "More information about Alureon". symantec.com.
  4. "Most Active Botnet Families in 2Q10". Microsoft. Retrieved 2011-05-04.
  5. "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Archived from the original on 5 June 2011. Retrieved 2011-04-25.
  6. "Google warns of massive malware outbreak". Financial Post. 2011-07-20. Retrieved 2011-11-25.
  7. "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Archived from the original on 5 June 2011. Retrieved 2011-04-25.
  8. "Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit". Microsoft Security Response Center. 2010-02-17.
  9. Goodin, Dan (2010-11-16). "World's Most Advanced Rootkit Penetrates 64-bit Windows". The Register. Archived from the original on 21 November 2010. Retrieved 2010-11-22.

External links