Security Watch

Remember the Alureon: Rootkit Sinks Its Roots

Pesky rootkit looks like it's getting refined for attacks. More secure features for Hotmail; Microsoft, Defense Dept. go on offense.

Remember Alureon, the pesky rootkit that hit the Windows enterprise scene in 2006 and bum-rushed a slew of Windows systems earlier this year?

Microsoft does and will for quite some time. The rootkit, which also goes by aliases such as TDSS and whose DNS-hijacking variants are often lumped in with Zlob and DNSChanger, has to date infected nearly 2 million Windows systems.

Alureon is the guest of honor rootkit in Microsoft's recently released May Threat Report. Alureon accounted for 18 percent of all malware-infected Windows PCs in May.

This is an encore performance: Alureon was also the rootkit du jour in the April Threat Report.

Alureon is considered the culprit for the "blue screen of death" and system crash issues widely reported when users installed Microsoft Security Bulletin MS10-015: the rootkit's patched kernel code relied on hard-coded addresses that the update shifted, so infected machines crashed at boot after the update was applied.

Microsoft Malware Protection Center staffers Vishal Kapoor and Joe Johnson said there were "several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution."

This means that Alureon is going to be around for a while yet.

Hotmail Security Gets Smarter
Microsoft said it's stepping up security for its Hotmail e-mail service through Windows Live. Redmond is adding features that the software giant says will make the user experience clutter-free and more efficient.

Security improvement job numero uno involves the everlasting fight against the digital version of mystery meat: spam. For Microsoft, cutting down on spam that sneaks past filters and into user inboxes -- to say nothing of graymail, the legitimate but non-pertinent direct marketing messages that squeak through -- is vital.

These new features come as Redmond is openly comparing Hotmail's spam figures with those of Google's Gmail, as outlined in a recent Radicati Group white paper.

To cut back on spam and, by extension, e-mails that could carry malicious code, Microsoft is employing Microsoft SmartScreen, the anti-spam technology also used in Microsoft Forefront and Exchange and related to the SmartScreen Filter anti-phishing feature in Internet Explorer 8.

Among other things, Microsoft promises "false positive reduction" through "more nuanced" interpretation of user activity. This follows complaints from users that mail they actually wanted was routed to the junk or spam folder because Microsoft's mail servers had flagged it as suspicious.

Also, when in doubt, the new Hotmail lets you clean out spam or unwelcome e-mail with a "virtual broom" feature called...umm..."Sweep," which, in Microsoft's own words, lets users "sweep" unwanted mail out of the inbox into "either folders or oblivion."

On a more technical level, the new Hotmail also promises to destroy "spam nests" and Redmond says it is "fine-tuning our innovative ability to retroactively remove spam in real time as we discern the signatures of a new spam effort."

Redmond To Cooperate More with Public Sector
With the release earlier this year of Business Productivity Online Suite (BPOS) for federal agency customers and the rollout of a secure Windows on a Stick product for other public sector clients, it's clear that Microsoft is tapping the government market.

With the rise of cyberterrorism and governmental security concerns, this is, of course, good strategy. But Microsoft is going further with open assertions that governments "are the key lynchpin between private and public sectors for protection against electronic attacks and provide liaison between those sectors."

The result of this thinking is the Defensive Information Sharing Program (DISP), under which Redmond would, among other things, share pre-patch information -- where warranted -- with national government organizations that are Government Security Program and Security Cooperation Program partners.

This doesn't mean that Microsoft is looking to governments for guidance on these threats; it is mostly a courtesy, and perhaps a way to get a second or third set of eyes on pervasive threats.

Steve Adegbite, a security program manager with the Microsoft Security Response Center, said last week that Microsoft would share information with government entities only "after our investigative [and] remediation cycle is completed to ensure that DISP members are receiving the most current information."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
