Researchers discover ties between TDSS and ZeroAccess rootkit families
Posted on 19.09.2013
Much has been written about the long-running TDSS (also known as TDL) rootkit and the considerably newer ZeroAccess (also known as Sirefef), and similarities between the two have been noted before. Now Trend Micro researchers have found something that may indicate direct ties between the two malware families.

Both TDSS and ZeroAccess have well-documented rootkit capabilities. Both use peer-to-peer communication, and the traffic they send is base64-encoded and padded with garbage characters. Both have the same main goal: click fraud.

But, as the researchers note, "both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR (Master Boot record)."

It is also worth noting that ZeroAccess has been known to disable TDSS when it finds it on a machine it has compromised, which would suggest that the two rootkits (and the gangs distributing them) are rivals.

But the researchers have now found that an older version of ZeroAccess and some newer versions of TDSS used the same domain on the very same day.

"We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS, specifically the DGAv14 variants," they say, but point out that this does not necessarily mean that the cybercriminals responsible are directly collaborating.

"The DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess," they posit. Nevertheless, the discovery makes them believe that there are some ties between the two malware families.
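The finding rests on a simple analytic step: correlating the domains each family contacts and flagging those seen from both on the same day. The script below is an added example of that correlation, not code from the article or from Trend Micro; the sighting records are constructed, the domains use the reserved `.invalid` TLD as placeholders rather than real indicators, and the family labels and helper names are assumptions for illustration. It also generalizes the same-day check to a configurable window, so that a domain shared days apart (weaker evidence, since sinkholing or re-registration could explain it) can be told apart from a true same-day hit.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sightings: (date, malware family, contacted domain),
# in the shape a sandbox or passive-DNS feed might export. The domains are
# placeholders on the reserved .invalid TLD, not real indicators of compromise.
SIGHTINGS = [
    ("2013-09-10", "ZeroAccess", "qwrtkzlmpo.invalid"),
    ("2013-09-10", "TDSS",       "QWRTKZLMPO.invalid."),  # case / trailing-dot variant
    ("2013-09-10", "TDSS",       "bvnmxcvbsd.invalid"),
    ("2013-09-11", "ZeroAccess", "plkjhgfdsa.invalid"),
    ("2013-09-13", "TDSS",       "plkjhgfdsa.invalid"),   # shared domain, two days apart
    ("2013-09-11", "ZeroAccess", "zxcvbnmasd.invalid"),
    ("2013-09-11", "ZeroAccess", "zxcvbnmasd.invalid"),   # duplicate sighting, one family
]


def normalize(domain):
    """Canonicalize a domain so feed quirks do not hide a match."""
    return domain.strip().lower().rstrip(".")


def same_day_overlaps(sightings):
    """Return {(iso_date, domain): [families]} for domains contacted by two or
    more distinct families on the same calendar day (the article's signal)."""
    index = defaultdict(set)
    for day, family, domain in sightings:
        index[(date.fromisoformat(day), normalize(domain))].add(family)
    return {(d.isoformat(), dom): sorted(fams)
            for (d, dom), fams in index.items() if len(fams) > 1}


def overlaps_within(sightings, max_days):
    """Generalization: domains seen from two different families at most
    max_days apart. Returns {domain: (gap_days, family_a, date_a, family_b, date_b)}
    holding the closest cross-family pair for each domain. max_days=0 reproduces
    same_day_overlaps; larger windows surface weaker, time-shifted reuse."""
    by_domain = defaultdict(list)
    for day, family, domain in sightings:
        by_domain[normalize(domain)].append((date.fromisoformat(day), family))

    result = {}
    for dom, seen in by_domain.items():
        best = None
        for d1, f1 in seen:
            for d2, f2 in seen:
                if f1 < f2:  # each unordered pair of distinct families once
                    gap = abs((d1 - d2).days)
                    if gap <= max_days and (best is None or gap < best[0]):
                        best = (gap, f1, d1.isoformat(), f2, d2.isoformat())
        if best is not None:
            result[dom] = best
    return result


if __name__ == "__main__":
    for (day, dom), fams in sorted(same_day_overlaps(SIGHTINGS).items()):
        print(f"same-day overlap {day} {dom}: {', '.join(fams)}")
    for dom, (gap, f1, d1, f2, d2) in sorted(overlaps_within(SIGHTINGS, 3).items()):
        print(f"within 3 days   {dom}: {f1} on {d1} / {f2} on {d2} (gap {gap}d)")
```

Only the same-day hit should be treated as the strong signal; the windowed view is there to show how quickly the evidence weakens once the two families are no longer generating the same domain on the same date, and duplicate sightings from a single family never count as an overlap.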
