TDL3 : The rootkit of all evil
(Publication) Google search: [1]
| TDL3 : The rootkit of all evil | |
|---|---|
| Botnet | TDSS |
| Malware | TDL-3 (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | HTTP |
| Date | 2010 / |
| Editor/Conference | ESET |
| Link | http://go.eset.com/us/resources/white-papers/TDL3-Analysis.pdf (Archive copy) |
| Author | Aleksandr Matrosov, Eugene Rodionov |
| Type | |
Abstract
“ Not so long ago one of our clients asked us to analyze a set of TDSS droppers and to locate the
source of the threat. During our investigation we found evidence of the complicity of one of the wellknown cybercrime groups in distributing those rootkits. The droppers were distributed using a Pay‐Per‐ Install (PPI) scheme well‐known and growing increasingly popular among cybercrime groups . The PPI scheme is similar to those used for distributing toolbars for the browsers. For instance, if you are a partner of Google and distribute its toolbars then you have a special build with an embedded identifier which allows for calculating the number of your installations and therefore your revenue. The same approach is used for distributing the rootkits: information about the distributor is embedded into the executable and there are special servers used to calculate the number of installations.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2010BFR890,
editor = {ESET},
author = {Aleksandr Matrosov, Eugene Rodionov},
title = {TDL3 : The rootkit of all evil},
date = {25},
month = Apr,
year = {2010},
howpublished = {\url{http://go.eset.com/us/resources/white-papers/TDL3-Analysis.pdf}},
}