Four-year-old rootkit tops the charts of PC threats

Microsoft's latest Threat Report shows a disturbing increase in Alureon rootkit infections, particularly on Windows XP machines

Microsoft just released its May Threat Report, and the results should give you pause. With nearly 2 million infected systems cleaned, the nefarious Alureon rootkit came out on top.

Since it first appeared in 2006, Alureon (known in various incarnations as TDSS, Zlob, or DNSChanger) has morphed into a mean money-making marvel: a varied collection of Trojans most famous for their ability to invisibly take control of your PC's interactions with the outside world. Alureon frequently runs as a rootkit, snatches information sent and received over the Internet, and may install a backdoor that allows Alureon's masters to update your computer with the software of their choice.


You may have heard of Alureon in connection with Microsoft's ill-fated MS10-015 Security Bulletin. The original version of the MS10-015 patch, when installed on some Alureon-infected Windows XP machines, resulted in a Blue Screen of Death. Microsoft pulled the patch, then altered it to avoid Alureon-infested PCs.

This month Microsoft added Alureon.H, the latest variant, to the scanning engine of the Malicious Software Removal Tool. (MSRT lies at the heart of Microsoft Security Essentials.) The new variant led to a hefty 37 percent increase over last month in the number of infected PCs caught and cleaned by MSRT. Right now, Alureon ranks as the No. 1 piece of MSRT-identified malware.

Most Alureon-infected systems run Windows XP. Microsoft pegs the number at 78 percent, with Vista accounting for 18 percent and Windows 7 around 4 percent of infected systems.

As with most malware, people inadvertently install Alureon when they think they're installing something else. Microsoft's April Threat Report explains that a typical Alureon installer asks to be elevated to administrator status. If you're using Vista or Windows 7 and you haven't mucked with the User Account Control settings, Windows asks for permission to run the program as an administrator -- that's one more chance to catch yourself before aiming at your foot and pulling the trigger. If you're running with an administrator account in Windows XP, you don't get that one last chance.
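An added defender-side check, not from the article or from Microsoft: the PowerShell below reads the documented UAC policy values and reports whether the elevation prompt the paragraph describes would actually appear for an administrator on the machine it runs on. The function name, output fields and the default values assumed when a policy value is absent are my own choices.

```powershell
# Added example: is the UAC "last chance" prompt in effect on this machine?
# Registry path and value names are Microsoft's documented UAC policy settings;
# defaults assumed when a value is missing are this example's assumption.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacElevationStatus {
    $os = [Environment]::OSVersion.Version
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $isAdmin = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # Windows XP / Server 2003 report major version 5: UAC does not exist there,
    # so an admin account launches installers with full rights and no prompt.
    if ($os.Major -lt 6) {
        return [pscustomobject]@{
            OsVersion = "$os"; UacEnabled = $false; AdminPrompted = $false
            CurrentUserIsAdmin = $isAdmin; Note = 'Pre-Vista OS: no UAC at all'
        }
    }

    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # EnableLUA: 1 = UAC on (default), 0 = UAC off entirely.
    $enableLua = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1-5 = some form of prompt
    # (5, the default, prompts for consent for non-Windows binaries).
    $behavior = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    # PromptOnSecureDesktop: 1 = prompt on the dimmed secure desktop (default).
    $secure = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }

    $prompted = ($enableLua -eq 1) -and ($behavior -ne 0)
    $note = if (-not $prompted) {
        'Installers run by this account elevate with no prompt: same exposure as XP admin'
    } elseif ($secure -ne 1) {
        'Prompt shown, but not on the secure desktop: weaker than default'
    } else { 'Default UAC prompt in effect' }

    [pscustomobject]@{
        OsVersion = "$os"; UacEnabled = ($enableLua -eq 1); AdminPrompted = $prompted
        ConsentPromptBehaviorAdmin = $behavior; PromptOnSecureDesktop = $secure
        CurrentUserIsAdmin = $isAdmin; Note = $note
    }
}

Get-UacElevationStatus | Format-List
```

Run it from a non-elevated prompt; a result of `AdminPrompted : False` with `CurrentUserIsAdmin : True` is the configuration the paragraph warns about.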

This article, "Microsoft cites alarming rise in rootkits," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.
