Researchers discover ties between TDSS and ZeroAccess rootkit families
Posted on 19.09.2013
A lot has been said and written about the long-lasting TDSS (or TDL) and the considerably newer ZeroAccess (or Sirefef) rootkits, and the similarities between the two have been noticed before, but Trend Micro researchers have discovered something that might indicate direct ties exist between the two malware families.

Both TDSS and ZeroAccess have well-documented rootkit capabilities. Both use peer-to-peer communication techniques and the traffic they send is encoded using base64 and padded with garbage characters. Both have one main goal: click fraud.

But, as the researchers note, "both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR (Master Boot record)."

It's also interesting to note that ZeroAccess has been known to disable TDSS if it discovers it on a computer it compromised, which would seem to imply the two rootkits (and the gangs propagating them) are rivals.

But now researchers have learned that an older version of ZeroAccess and some newer versions of TDSS have been using the same domain on the very same day.

"We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS specifically the DGAv14 variants," they say, but point out that this does not necessarily mean that the cybercriminals responsible are directly collaborating.

"The DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess," they posit. Nevertheless, the discovery makes them believe that there are some ties between the two malware families.


Free security software identifies cloud vulnerabilities

Posted on 21 October 2104.  |  Designed for IT and security professionals, the service gives a view of the data exchanged with partner and cloud applications beyond the network firewall. Completely passive, it runs on non-production systems, and does not require firewall changes.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Tue, Oct 21st