Advanced worm uses built-in DHCP server to propagate

Alureon is a notable trojan and rootkit that is explicitly designed to steal data by intercepting a system's network traffic and searching the data stream for usernames, passwords and payment card data.

When it first appeared early last year, the malware was reported to be at the centre of a series of BSoD (blue screen of death) attacks on Windows systems and, although Microsoft issued a patch in response, the malware has been recoded at least once since, Infosecurity notes.

The addition of an in-worm DHCP server, however, is a serious progression of the malware.

According to a Kaspersky Lab security researcher, the loader for the rootkit – Net-Worm.Win32.Rorpian – uses a fairly standard technique for spreading on removable media: it creates an autorun.inf file and .lnk files that point to an executable, with parameters that cause it to load and run a rootkit-owned DLL.

Sergey Golovanov of Kaspersky Lab says that, with the enhancement, the malware effectively "has got legs", with an ingenious propagation mechanism for its loader.

Once installed, the worm prevents the user of the infected machine from visiting websites "until s/he agrees to install an update."

"If the user agrees, the worm will download a modification of Net-Worm.Win32.Rorpian. After infecting the computer, it will change the DNS settings to the address of a Google server and allow the user to go back to browsing", he said in his security blog.

"In other words, Net-Worm.Win32.Rorpian, the loader of TDSS, one of today's most advanced and sophisticated malicious programs, exploits the computer's most dangerous vulnerability of all: the user", he added.
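As an added illustration, not code from the article or from Kaspersky Lab: a small Python check a network defender could run over captured DHCP server replies to spot the kind of rogue answer described above, one coming from a server that is not the legitimate one or handing clients an unexpected DNS address. The packet layout follows RFC 2131/2132; the trusted addresses and the sample packets are constructed for the demonstration.

```python
from ipaddress import IPv4Address

# DHCP option codes (RFC 2132) used by the audit
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 6, 53, 54, 255, 0
DHCPOFFER, DHCPACK = 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # follows the 236-byte fixed header

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the TLV area of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(payload: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Flag a DHCPOFFER/DHCPACK from an unknown server or carrying unexpected DNS servers."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCPOFFER, DHCPACK):
        return []  # only server->client answers can plant a rogue DNS setting
    server = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else "unknown"
    findings = [] if server in trusted_servers else [f"offer from untrusted DHCP server {server}"]
    dns_blob = opts.get(OPT_DNS, b"")
    for k in range(0, len(dns_blob) // 4 * 4, 4):  # option 6 is a list of 4-byte addresses
        dns = str(IPv4Address(dns_blob[k:k + 4]))
        if dns not in trusted_dns:
            findings.append(f"DNS server {dns} handed out by {server}")
    return findings

def build_offer(server_ip: str, dns_ips: list, mtype: int = DHCPOFFER) -> bytes:
    """Constructed sample packet: minimal DHCPOFFER (op=2, Ethernet hw addr) for offline testing."""
    fixed = bytes([2, 1, 6, 0]) + bytes(232)  # op, htype, hlen, hops, then zeroed remainder
    options = bytes([OPT_MSG_TYPE, 1, mtype])
    options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    options += bytes([OPT_DNS, 4 * len(dns_ips)]) + b"".join(IPv4Address(d).packed for d in dns_ips)
    return fixed + MAGIC_COOKIE + options + bytes([OPT_END])

# Constructed LAN policy: the only legitimate DHCP and DNS server is the gateway.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer("192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_offer("192.168.1.77", ["8.8.8.8"])  # constructed: infected host steering clients' DNS
```

In practice the payloads would come from a capture of UDP port 67/68 traffic on the segment, and any non-empty finding list is worth an alert, since the legitimate server set on a LAN is small and known.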
