The loader of TDSS, a malicious program about which we have written many times (e.g., here and here) has now got legs, i.e. a self-propagation mechanism. TDSS is a very sophisticated piece of malware, and the cybercriminals have created an ingenious propagation mechanism for its loader.

1. Via removable media
2. Over the LAN
When spreading over the local area network, the worm uses the following technique. When infecting a computer, the worm checks if a DHCP server is used on the network. If the victim computer is located on a network which uses the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses on it. Next, the worm launches its own DHCP server and starts listening to the network. If it detects a DHCP request from a computer on the local network, the worm tries to be the first to respond to it, sending the following data:
1. An IP address from the pool of available IP addresses
2. The main gateway configured on the infected computer
3. The address of the cybercriminals’ malicious DNS server
Fragment of Net-Worm.Win32.Rorpian code that works with DHCP-protocol
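A defender-side check for the rogue DHCP trick described above, added here as an example and not code from the original post or from the worm: it parses a DHCP OFFER, pulls out the gateway (option 3), DNS server (option 6) and server identifier (option 54), and flags offers that come from an unauthorized server or hand out a DNS address not on the allowlist. The two sample offers and the 192.0.2.x / 198.51.100.x addresses are constructed values.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

def build_offer(yiaddr, router, dns, server_id, xid=0x3903F326):
    """Build a minimal DHCP OFFER (BOOTP op=2) carrying options 53, 54, 3 and 6."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"                                # 53: message type OFFER
            + b"\x36\x04" + IPv4Address(server_id).packed  # 54: server identifier
            + b"\x03\x04" + IPv4Address(router).packed     # 3: router (gateway)
            + b"\x06\x04" + IPv4Address(dns).packed        # 6: DNS server
            + b"\xff")                                     # 255: end of options
    return hdr + MAGIC + opts

def parse_offer(pkt):
    """Return the fields a client would act on, or None if this is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # walk the TLV options until END
        if pkt[i] == 0:                      # option 0 is a single-byte pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    addrs = lambda raw: [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]
    sid = opts.get(54)
    return {"msg_type": opts.get(53, b"\0")[0],
            "yiaddr": str(IPv4Address(pkt[16:20])),
            "server_id": str(IPv4Address(sid)) if sid and len(sid) == 4 else None,
            "router": addrs(opts.get(3, b"")),
            "dns": addrs(opts.get(6, b""))}

def audit_offer(pkt, authorized_servers, authorized_dns):
    """List why an OFFER is suspicious; an empty list means it passed the check."""
    d = parse_offer(pkt)
    if d is None or d["msg_type"] != 2:      # only DHCP OFFERs are examined
        return []
    findings = []
    if d["server_id"] not in authorized_servers:
        findings.append("OFFER from unauthorized DHCP server %s" % d["server_id"])
    for dns in d["dns"]:
        if dns not in authorized_dns:
            findings.append("OFFER points clients at unapproved DNS server %s" % dns)
    return findings

# Constructed sample traffic (documentation-range addresses, not real hosts):
AUTHORIZED = {"servers": {"192.0.2.1"}, "dns": {"192.0.2.1"}}
LEGIT_OFFER = build_offer("192.0.2.50", "192.0.2.1", "192.0.2.1", "192.0.2.1")
ROGUE_OFFER = build_offer("192.0.2.51", "192.0.2.1", "198.51.100.13", "192.0.2.77")
```

Fed with OFFERs captured on port 68, the same audit flags a rogue server even when it copies the legitimate gateway, because the DNS it hands out and the server identifier it uses are not on the allowlist.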
The user will not be able to visit websites until s/he agrees to install an “update”. If the user agrees, the worm will download a modification of Net-Worm.Win32.Rorpian. After infecting the computer, it will change the DNS settings to the address of a Google server and allow the user to go back to browsing.
Screenshot of the malicious site from which the worm spreads
In other words, Net-Worm.Win32.Rorpian, the loader of TDSS, one of today’s most advanced and sophisticated malicious programs, exploits the computer’s most dangerous vulnerability of all – the user.
P.S. Many thanks to Evgeny Aseev for his help in preparing this post.