Kaspersky warns internet users about TDSS rootkit malware

As reported by fellow IT security vendor Prevx late last year, TDDS-3 comes from a 'dropper' that is spread by peer-to-peer networks or by crack and keygen websites.

Infosecurity notes that the rootkit needs administrator privileges to drop its payload, meaning that if the user normally employs a 'user' account on their PC, they may be safe.

Kaspersky reports that TDDS can now hide its presence and that of other malware on an infected system.

The latest variant, the IT security vendor says, infects the drivers on the user's PC, meaning it will be launched almost immediately after the operating system is started.

As a result, Kaspersky adds, it is extremely difficult to detect and remove this rootkit.

TDSS is now being spread via an affiliate program, which uses all methods possible to deliver malware to victim machines and, as a result Kaspersky estimates there are around three million infected machines around the world.

Affiliates in the TDSS programme are said to earn money according to the number of computers they infect, with the highest payments made for machines located in the US.

Sergey Golovanov and Vyacheslav Rusanov, two IT security researchers, have authored a white paper, which has been posted to Securelist.com.

According to the paper, TDSS is sophisticated in terms of its technology and design.

"Our analysis of the rootkit leads us to believe that its creators are either Russian or Russian speaking. They follow developments in the antivirus industry and instantly react by releasing updated versions of the rootkit", says the paper.

"It's therefore likely that the rootkit functionality will be modified in the near future in order to further counteract protection technologies", the paper adds.

What’s Hot on Infosecurity Magazine?