

Alureon Rootkit new variant hides within graphics

No replies to this topic

#1 cnm


    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 26 September 2011 - 06:25 PM

Alureon Rootkit Morphs Again, Adds Steganography

The latest hurdle thrown up by Alureon is the use of steganography to hide configuration files to update infected machines with new instructions.

The steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim's machine. The malware has a new function that goes out to a remote Web site and downloads a new component called "com32", which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. But when researchers at Microsoft looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.

The rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft's Malware Protection Center.
The images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and "Tropic Thunder." The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and...Tom Cruise.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
Member of UNITE