Positive Trend in Malware: Rootkit Developers Killing Each Other's Code

If "confusion to our enemies" is a great toast, IT security people are drinking a lot more often these days.

Not only did hacker attack hacker during LulzSec's "50 Days of Rage, or Idiocy, or Something," now malware writers are attacking each other as well.

Rootkit developers take over infected PCs to use them as pawns for DDoS attacks, spam email blasts and other jobs that require a lot of units of PC to do work the perpetrators would prefer is done by hardware no one can firmly identify.

That's a good-paying business, it turns out, not only for those who operate the resulting botnets, but for the malware writers who create the software that makes them possible.

Now one of them, the Russian developer of a rootkit called TDL, is selling the source code to others who might want to infect machines and create their own army of zombies.

One group that bought the code soooorrrt of double-crossed the Russian by changing its name to ZeroAccess and tweaking it so that it will uninstall the original version of TDL from machines where the two encounter each other, according to TheRegister.

In addition to eliminating a competing rootkit/botnet operator on an infected machine, being able to delete an earlier virus gives the new bug a pre-configured bot that has already proven its owner isn't going to discover the infection right away and scrub it off.

In the world of botnet development (just like in sales, actually) existing victims are a lot more stable and valuable than new, unproven ones.

The Zeus malware package that has been around long enough to earn the comparatively dignified title "crimeware toolkit" from Symantec got similarly malicious treatment from upstart SpyEye when it appeared early in 2010.

SpyEye – which, like Zeus, is designed to steal banking information specifically – had a module called KillZeus that would hunt down and destroy its competitor on any machine they shared.

In both cases, the developers have tried to build anti-anti-kill functions into their own rootkits so TDL can wipe out ZeroAccess, or at least avoid being wiped out, and Zeus can defend itself against the evil SpyEye.

Unfortunately, at least so far, neither has advanced to the point that it's possible to install both sets of malware on one computer, have them kill each other off, and leave the thing cleaner than it was before.

Even if they did, it's more likely they'd fubar the PC they're running on and force a bare-metal reinstall. But one can always hope.
