James Delahunty
10 Aug 2011 18:49
Increasingly, malware authors target rivals to keep compromised systems completely under their control.
In one interesting case, reported by The Register, an author of the TDL 3 rootkit decided to make some extra cash by selling the source code of the rootkit. The Russian developer sold the source of one version of the rootkit, while keeping another.
From that sold source, another rootkit called ZeroAccess allegedly emerged, with added click-fraud modules. A later ZeroAccess version also added the ability to detect and remove the TDL 3 rootkit from a compromised system, using a dedicated module called anti-TDL.
"The original author of the TDL3 rootkit made two versions of TDL3. He kept the second version of the rootkit code for himself and sold the first version to the guys behind ZeroAccess," Jacques Erasmus of Webroot told The Register.
"TDL3 authors sold a version of TDL3 source code to ZeroAccess authors. Now ZeroAccess guys are double crossing the TDL3 author by uninstalling the TDL rootkit."
Such measures are becoming more common. TDL-4, which received considerable media attention recently, has a built-in ability to remove a host of rival malware from an infected machine, such as ZeuS.