Alureon, often referred to as TDSS, is a Trojan and bootkit designed to steal data by intercepting a system’s network traffic and searching it for credit card data, user names and passwords.
The Alureon rootkit is thought to have been first seen in 2006. Computers usually get infected when users manually download and install Trojan software, and Alureon has been seen bundled with the rogue security software Security Essentials 2010. When the dropper is executed, it gets to work by hijacking the print spooler service (spoolsv.exe) to write a filesystem boot sector at the end of the disk and changing the master boot record to execute this bootstrap routine. It then infects low-level system drivers, such as those responsible for PATA operations (atapi.sys), to implement its rootkit. It also manipulates the Windows Registry to block access to Windows Task Manager and the desktop.
While Alureon has also been known to redirect search engines to commit click fraud, Google has taken steps to mitigate that for their users by detecting it and warning the user. Once installed, it blocks access to Windows Update and attempts to disable some anti-virus products.
Alureon garnered considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015. The malware was using a hard-coded memory address in the kernel that changed after installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present, while the malware author also fixed the bug in his code.
In 2010, the rootkit evolved to the point that it was able to bypass the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7 by subverting the master boot record – something that makes it particularly resistant to detection and removal by anti-virus software on all systems.
Removal
While the rootkit is usually able to hide itself very effectively, evidence of the infection may be found by examination of network traffic with a packet analyser or of outbound connections (netstat). Sometimes the existing security software on the computer will report it, but often it does not. It may be useful to perform an offline scan of the infected system after booting an alternative operating system such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of atapi.sys may be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection.
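Because the bootkit persists by rewriting the master boot record and parking its own boot sector in space at the end of the disk, one offline check a defender can run from a trusted boot environment is to capture the first 512 bytes of the disk and compare them with a baseline recorded when the machine was known-good. The Python below is an added illustration, not code from the original article or from any of the tools named here: it parses the MBR partition table, hashes the boot-code region against the recorded value, and flags unallocated sectors past the last partition. The sample MBR images, the disk signature, and the 2048-sector tail threshold are constructed values.

```python
import hashlib
import struct

PART_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partition entries and the 0x55AA marker."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PART_FMT, mbr, 446 + 16 * i)
        if ptype:  # partition type 0 marks an unused table slot
            parts.append({"active": status == 0x80, "type": ptype, "start": start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "disk_sig": struct.unpack_from("<I", mbr, 440)[0],
            "partitions": parts,
            "valid_signature": mbr[510:] == b"\x55\xaa"}

def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int, tail_limit: int = 2048) -> list:
    """Return findings for a captured MBR; an empty list means nothing stood out."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("0x55AA boot signature missing")
    if info["bootcode_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    last_end = max((p["start"] + p["sectors"] for p in info["partitions"]), default=0)
    tail = disk_sectors - last_end
    if tail > tail_limit:  # room past the last partition where a hidden boot sector could be written
        findings.append(f"{tail} unallocated sectors after the last partition")
    return findings

def build_mbr(bootcode: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR image (sample data only): boot code, disk signature, table, marker."""
    table = b"".join(struct.pack(PART_FMT, *p) for p in partitions).ljust(64, b"\x00")
    return bootcode.ljust(440, b"\x00") + struct.pack("<I", 0x1234ABCD) + b"\x00\x00" + table + b"\x55\xaa"

# Constructed sample: one NTFS-type partition filling a 204800-sector (100 MiB) disk.
DISK_SECTORS = 204800
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # placeholder bytes, not a real loader
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 2048, DISK_SECTORS - 2048)])
BASELINE = hashlib.sha256(CLEAN_MBR[:440]).hexdigest()  # hash recorded while the system was known-good
# Same partition table, but the first boot-code bytes have been overwritten.
TAMPERED_MBR = build_mbr(b"\xeb\x1e" + CLEAN_BOOTCODE[2:], [(0x80, 0x07, 2048, DISK_SECTORS - 2048)])
if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE, DISK_SECTORS))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE, DISK_SECTORS))
    print("clean MBR on larger disk:", check_mbr(CLEAN_MBR, BASELINE, DISK_SECTORS + 8192))
```

A hash mismatch alone says only that the boot code changed since the baseline was taken; a legitimate bootloader update produces the same finding, so the baseline must be refreshed after such maintenance.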
Various companies have created standalone tools that attempt to remove Alureon. Two of the most popular ones are Microsoft Windows Defender Offline and Kaspersky TDSSKiller.