From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data.[1] Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,[2] triggered these crashes by breaking assumptions made by the malware author(s).[3][4]

According to the research conducted by Microsoft, Alureon was the second most active botnet in the second quarter of 2010.[5]


The Allure boot was first identified around 2007.[1] Personal computers are usually infected when users manually download and install Trojan software. Alureon is known to have been bundled with the rogue security software, "Security Essentials 2010".[2] When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to update the master boot record and execute a modified bootstrap routine. Then it infects low-level system drivers such as those responsible for PATA operations (atapi.sys) to install its rootkit.

Once installed, Alureon manipulates the Windows Registry to block access to Windows Task Manager, Windows Update, and the desktop. It also attempts to disable anti-virus software. Alureon has also been known to redirect search engines to commit click fraud. Google has taken steps to mitigate this for their users by scanning for malicious activity and warning users in the case of a positive detection.[6]

The malware drew considerable public attention when a software bug in its code caused some 32-bit Windows systems to crash upon installation of security update MS10-015.[2] The malware was using a hard-coded memory address in the kernel that changed after the installation of the hotfix. Microsoft subsequently modified the hotfix to prevent installation if an Alureon infection is present,[7] The malware author(s) also fixed the bug in the code.

In November 2010, the press reported that the rootkit had evolved to the point that it was bypassing the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7. It did this by subverting the master boot record,[8] which made it particularly resistant on all systems to detection and removal by anti-virus software.


TDL-4 is sometimes used synonymously with Alureon and is also the name of the rootkit that runs the botnet.

It first appeared in 2008 as TDL-1 being detected by Kaspersky Lab in April 2008. Later version two appeared known as TDL-2 in early 2009. Some time after TDL-2 became known, emerged version three which was titled TDL-3.[9] This led eventually to TDL-4.[10]

It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller.[11] It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized controls using the Kad network, as well as deleting other malware.[12][13]


While the rootkit is generally able to avoid detection, circumstantial evidence of the infection may be found through examination of network traffic with a packet analyzer or inspection of outbound connections with a tool such as netstat. Although existing security software on a computer will occasionally report the rootkit, it often goes undetected. It may be useful to perform an offline scan of the infected system after booting an alternative operating system, such as WinPE, as the malware will attempt to prevent security software from updating. The "FixMbr" command of the Windows Recovery Console and manual replacement of "atapi.sys" could possibly be required to disable the rootkit functionality before anti-virus tools are able to find and clean an infection.[citation needed]

Various companies have created standalone tools which attempt to remove Alureon. Two popular tools are Microsoft Windows Defender Offline and Kaspersky TDSSKiller.


On November 9, 2011, the United States Attorney for the Southern District of New York announced charges against six Estonian nationals who were arrested by Estonian authorities and one Russian national, in conjunction with Operation Ghost Click.[14] As of February 6, 2012, two of these individuals were extradited to New York for running a sophisticated operation that used Alureon to infect millions of computers.[15]

See also[edit]


  1. ^ a b "Win32_Alureon threat description - Microsoft Security Intelligence". March 2007. Archived from the original on 10 February 2010. Retrieved 2010-02-18.
  2. ^ a b c "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Archived from the original on 5 June 2011. Retrieved 2011-04-25.
  3. ^ "MS10-015 Restart Issues Are the Result of a Rootkit Infection (threatpost)". Archived from the original on 2012-10-21. Retrieved 2010-02-19.
  4. ^ "More information about Alureon".
  5. ^ "Most Active Botnet Families in 2Q10" (PDF). Microsoft. p. 24. Retrieved 19 August 2015.
  6. ^ "Google warns of massive malware outbreak". Financial Post. 2011-07-20. Retrieved 2011-11-25.
  7. ^ "Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit". Microsoft Security Response Center. 2010-02-17.
  8. ^ Goodin, Dan (2010-11-16). "World's Most Advanced Rootkit Penetrates 64-bit Windows". The Register. Archived from the original on 21 November 2010. Retrieved 2010-11-22.
  9. ^ "TDSS". Securelist by Kaspersky.
  10. ^ Golovanov, Sergey; Igor Soumenkov (27 June 2011). "TDL4 – Top Bot". Securelist by Kaspersky. Securelist. Retrieved 19 May 2020.
  11. ^ Herkanaidu, Ram (4 July 2011). "TDL-4 Indestructible or not?". Securelist by Kaspersky. securelist. Retrieved 19 May 2020.
  12. ^ Reisinger, Don (30 June 2011). "TDL-4: The 'indestructible' botnet? | The Digital Home - CNET News". CNET. Retrieved 15 October 2011.
  13. ^ "'Indestructible' TDL-4 Botnet?". Techno Globes. 2 July 2011. Archived from the original on 12 October 2011. Retrieved 16 March 2016.CS1 maint: unfit URL (link)
  14. ^ "Operation Ghost Click:International Cyber Ring That Infected Millions of Computers Dismantled". 9 November 2011. Retrieved 14 August 2015.
  15. ^ Finkle, Jim (5 July 2015). "Virus could black out nearly 250,000 PCs". Reuters. Retrieved 14 August 2015.

External links[edit]