SECURITY RESEARCHERS at Russian antivirus vendor Kaspersky Lab warn that TDSS, one of the most dangerous and widespread families of rootkits, recently received an update that forces infected computers to mine Bitcoins.
TDSS rootkits have consistently grown in sophistication since first appearing in 2008. The latest version, known as TDL4, installs itself in the master boot record (MBR) and is capable of infecting all Windows versions, including 64-bit Windows Vista and Windows 7, which require signed device drivers.
TDL4 is notoriously hard to remove or even detect, which in the past led security researchers at Kaspersky to describe its botnet as indestructible.
The vendor's malware experts have recently analyzed a TDSS sample collected from a computer that was constantly exhibiting 100 per cent CPU utilisation. It turns out that the variant had been configured to execute a component called conhost.exe with special parameters.
Further investigation revealed that conhost.exe was a copy of the Ufasoft GPU Bitcoin miner application. Bitcoin is a popular peer-to-peer virtual currency that can be exchanged by users over the Internet without the need for an intermediary bank or payment processing service.
This Bitcoin mining scheme exhibits the same sophistication one would expect from the TDSS gang. It uses a mining pool proxy and encrypted credentials, making it impossible for security researchers to determine how many Bitcoins were mined by the botnet and what accounts received them.
"The use of such sophisticated malware as TDSS testifies that cybercriminals are getting more and more interested in Bitcoin, and the growing interest correlates with growing amounts of money 'earned' by bad guys," said Kaspersky Lab expert Sergey Golovanov.
Malware like TDSS is one of the reasons why Microsoft secured the boot process in Windows 8. The new Windows version authenticates all boot components at every reboot, and detection of any unauthorized modification forces the system into the Windows Recovery Environment.
Until then, however, users should scan their computers regularly with a competent antivirus product in order to make sure that they are not infected with such dangerous rootkits. As far as TDSS is concerned, Kaspersky offers a free stand-alone tool that can detect and remove most of its variants. µ