Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Tuesday, August 23, 2011

Backdoor.Tidserv TR.win32.TDDS

generell werden versteckte dateien angelegt, um die erkennung/entfernung
des jeweiligen programms zu erschweren.
daemon tools arbeitet z.b. damit, aber wohl in erster linie malware, in dem punkt ist von adware bis zur backdoor alles drin.
es ist bzgl. tdss die frage, welche funktionen die module, die installiert werden, im einzelnen erfüllen.
das müßte man bei jedem betroffenen rechner individuell (es gibt nicht das tdss-rootkit oder den tdss-trojaner)
im detail untersuchen, siehe z.b. hier:
bei einer "ursprünglichen" datei schlagen die scanner (mittlerweile)
sowohl bzgl. der komponente dns-changer als auch backdoor an:
ein umbenennen der tdss-dateien, wie wohl beim letzten virscan-report vorgenommen,
kann eine möglichkeit sein, die dateien zu analysieren bzw. zu löschen.
auch blacklight bietet diese option an.
der einsatz von catchme bei versteckten einträgen ist ebenfalls denkbar.
mit diesem programm können kopien der dateien erzeugt werden,
die bei virustotal ausgewertet oder an av-labs gesendet werden können etc.
ob rootkit-tests(da kann man sicher noch mehr nennen) bzw. welche von tdss-varianten geblockt werden, sei dahingestellt.

Download removal tool
Discovered: September 18, 2008
Updated: September 18, 2008 4:01:39 PM
Also Known As:
Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft], Trojan-Dropper.Win32.TDSS [Kaspersky], Packed.Win32.TDSS [Kaspersky],
Type: Trojan
Systems Affected:
Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.
1.3 Address blocking
Block access to the following addresses using a firewall, router, or add entries to the local hosts file to redirect the following addresses to
Note: The domains used by this threat change frequently.
2. Infection method
2.1 Forums and blogs
2.2 Hacked websites
2.3 File sharing, cracks, and warez
2.4 Affiliate schemes
3. Functionality
3.1. System modifications
 The following side effects may be observed on computers compromised by this Trojan. It should be noted that the threat uses a rootkit and other advanced stealth techniques to hide itself and its side effects. Upon successful installation and execution, any changes may not be visible on the compromised computer except where specialist tools are used to reveal them.
File creation
The following file(s) may be seen on the compromised computer.
  • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)
  • %System%\drivers\TDSServ.sys
  • %System%\TDSS[RANDOM VALUE].log
  • %System%\TDSS[RANDOM VALUE].dat
  • %System%\TDSS[RANDOM VALUE].dll
  • %System%\drivers\H8SRTd.sys
File deletion
The following file(s) may be deleted from the compromised computer.
%System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)
The following file(s) may be modified on the compromised computer.
  • atapi.sys (file infection)
  • advapi32.dll (file infection)
  • iastor.sys (file infection)
  • idechndr.sys (file infection)
  • ndis.sys (file infection)
  • nvata.sys (file infection)
  • vmscsi.sys (file infection)
The infection of system drivers and low level system files may cause instability in the operating system. It has been observed that certain computers infected by Backdoor.Tidserv may experience a Blue Screen of Death (BSOD) error after applying the Microsoft patches from February 9th, 2010.

During installation, the threat will cause spoolsv.exe (print spooler) to load the code for the threat. The code loaded into memory may hold one or more of the following logical files:
  • tdlwsp.dll (for hooking search queries)
  • tdlcmd.dll (main back door functionality)
  • config.ini (configuration details)
More information on the functionality of these files is as follows:
This file contains code to perform the following activities:
  • Download, decrypt, and execute files.
  • Update the configuration file.
The file contains code to perform the following activities (the latest variants have the functionality of tdlwsp.dll incorporated into tdlcmd.dll):
  • Hook Winsock routines to allow it to examine network traffic.
  • Log search engine strings and send them to a remote computer.
  • Inject or build HTTP responses so that it may modify or replace Web content returned by a Web server during a browsing session.
This is a configuration file detailing bot identifiers, version information and other parameters.
Here is a sample config.ini file:
quote=Tomorrow will be the most beautiful day of Raymond K. Hessel's life
installdate=7.2.2010 16:8:33
builddate=7.2.2010 15:1:5
Once the code for the threat is installed, it deletes the original executable file that was executed and by doing this removes any obvious traces of its presence on the file system. Next, it infects one of the lowest level of drivers (atapi.sys) and manipulates it to load the threat when the computer is started.
It then creates an RC4-encrypted file system (the key used is "tdl") on the last sectors of the hard disk and stores the logical files (tdlwsp.dll, tdlcmd.dll, config.ini, and the original portion of the infected driver file) from the memory in the newly created file system. Once these actions are completed, there will be no visible traces of the threat when examining the file system of the computer except, eventually, for a change in the size of the infected driver file.
After the computer is restarted, the infected driver file (atapi.sys) will load the threat from the end sectors of the hard disk. It will create the hooks for the rootkit to do its job as well as injecting the code from tdlcmd.dll into all processes or into specific processes as defined in the config.ini file.
Manipulation of the Master Boot Record
More recent variants of Tidserv such as variant Backdoor.Tidserv.L (since August 2010) and Backdoor.Tidserv.M (January 2011) have adopted a technique pioneered by another sophisticated threat, Trojan.Mebroot. The technique involves replacing the existing MBR with another copy that enables the threat to get loaded first during the boot up process. The original MBR and components used by the threat is then copied to sectors of the hard disk that are unknown to the operating system, usually located in slack space after the end of the main partitions.

The MBR technique enables the threat to gain full control over the computer as it will be loaded even before the operating system. It takes advantage of the early loading to manipulate the boot up process to bypass security measures and ensure that it is executed each time the operating system is started.
Registry subkeys and entries created
  • HKEY_CURRENT_USER\Software\Mozilla\affid=
  • HKEY_CURRENT_USER\Software\Mozilla\subid=
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys
Registry subkeys/entries deleted
No registry keys or entries are deleted.
Registry subkeys/entries modified (final values given)
No registry keys or entries are modified.
3.2. Network activity
3.3. Rootkit functionality

The threat uses an advanced rootkit and stealth techniques that provide highly effective cover from detection. It achieves this by:
  • Hiding its own files in the end sectors of the hard disk, bypassing the traditional file system.
  • Hiding the end sectors of the hard disk; the threat returns a 0-byte buffer when any other applications attempt to access or query the protected sectors.
  • Removing itself from the list of loaded drivers.
  • Infecting the lowest level of drivers and then returning the clean areas of the file when it is read by other processes.
4. Additional information

No comments: