Both TDSS and ZeroAccess have well-documented rootkit capabilities. Both use peer-to-peer communication techniques and the traffic they send is encoded using base64 and padded with garbage characters. Both have one main goal: click fraud.
But, as the researchers note, "both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR (Master Boot record)."
It's also interesting to note that ZeroAccess has been known to disable TDSS if it discovers it on a computer it compromised, which would seem to imply the two rootkits (and the gangs propagating them) are rivals.
But now researchers have learned that an older version of ZeroAccess and some newer versions of TDSS have been using the same domain on the very same day.
"We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS specifically the DGAv14 variants," they say, but point out that this does not necessarily mean that the cybercriminals responsible are directly collaborating.
"The DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess," they posit. Nevertheless, the discovery makes them believe that there are some ties between the two malware families.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.