TDSS: Rootkit technologies at the heart of cybercrime

TDSS: Rootkit technologies at the heart of cybercrime

TDSS is the most powerful and complex rootkit to date. This universal malware can hide its own presence and that of other malware on an infected system while offering enhanced opportunities. In order to penetrate computers, TDSS infects drivers; this ensures that it will be launched almost immediately the operating system is started. Consequently, it is extremely difficult to detect and remove this rootkit.

Kaspersky Lab has invested significant time and effort into solving the issues raised by TDSS. This article looks at the technologies implemented in TDSS, the way in which the rootkit spreads, and how cybercriminals profit from this malware.

TDSS is spread via an affiliate program which uses all methods possible to deliver malware to victim machines. The rootkit attacks computers around the world.

Kaspersky Lab estimates that 3 million computers have been infected by the rootkit. Affiliates earn money according to the number of computers they infect; the highest payment is made for machines located in the USA.

Botnets managed using TDSS, and consisting of approximately 20,000 infected machines, are sold on the black market. The botnets’ command and control centers are located in China, Luxembourg, Hong Kong, Holland and Russia. The rootkit has a broad range of capabilities, and can be used in a variety of ways depending on what the malware authors and/or the renters or owners of botnets creating using TDSS wish to achieve.

“TDSS is sophisticated in terms of technology and design. Our analysis of the rootkit leads us to believe that its creators are either Russian or Russian speaking. They follow developments in the antivirus industry and instantly react by releasing updated versions of the rootkit. It’s therefore likely that the rootkit functionality will be modified in the near future in order to further counteract protection technologies,” say Sergey Golovanov and Vyacheslav Rusakov, the authors of the article.

The full version of the article is available at www.securelist.com/en.

05 Aug 2010