Researchers discover ties between TDSS and ZeroAccess rootkit families
Posted on 19.09.2013
A lot has been said and written about the long-lived TDSS (or TDL) rootkit and the considerably newer ZeroAccess (or Sirefef) rootkit, and the similarities between the two have been noticed before, but Trend Micro researchers have now discovered something that might indicate direct ties between the two malware families.

Both TDSS and ZeroAccess have well-documented rootkit capabilities. Both use peer-to-peer communication techniques and the traffic they send is encoded using base64 and padded with garbage characters. Both have one main goal: click fraud.

But, as the researchers note, "both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR (Master Boot record)."

It's also interesting to note that ZeroAccess has been known to disable TDSS if it discovers it on a computer it compromised, which would seem to imply the two rootkits (and the gangs propagating them) are rivals.

But now researchers have learned that an older version of ZeroAccess and some newer versions of TDSS have been using the same domain on the very same day.

"We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS, specifically the DGAv14 variants," they say, but point out that this does not necessarily mean that the cybercriminals responsible are directly collaborating.

"The DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess," they posit. Nevertheless, the discovery makes them believe that there are some ties between the two malware families.
