Researchers discover ties between TDSS and ZeroAccess rootkit families
Posted on 19.09.2013
A lot has been said and written about the long-lasting TDSS (or TDL) and the considerably newer ZeroAccess (or Sirefef) rootkits, and the similarities between the two have been noticed before, but Trend Micro researchers have discovered something that might indicate direct ties exist between the two malware families.

Both TDSS and ZeroAccess have well-documented rootkit capabilities. Both use peer-to-peer communication techniques and the traffic they send is encoded using base64 and padded with garbage characters. Both have one main goal: click fraud.

But, as the researchers note, "both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR (Master Boot record)."

It's also interesting to note that ZeroAccess has been known to disable TDSS if it discovers it on a computer it compromised, which would seem to imply the two rootkits (and the gangs propagating them) are rivals.

But now researchers have learned that an older version of ZeroAccess and some newer versions of TDSS have been using the same domain on the very same day.

"We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS specifically the DGAv14 variants," they say, but point out that this does not necessarily mean that the cybercriminals responsible are directly collaborating.

"The DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess," they posit. Nevertheless, the discovery makes them believe that there are some ties between the two malware families.


DMARC: The time is right for email authentication

Posted on 23 January 2015.  |  The DMARC specification has emerged in the last couple years to pull together all the threads of email authentication technology under one roof—to standardize the method in which email is authenticated, and the manner in which reporting and policy enforcement is implemented.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Jan 26th