TDSS: Silent but Deadly
EDIT LINK: http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml

First seen in 2008, TDSS was known for its ability to exist in systems without being discovered and the challenge it presents in terms of cleanup. The name "TDSS" was derived from a string that was consistently seen in dropped component files and registry entries in earlier variants, although this later changed to mere random strings, which added to the difficulty in detecting TDSS samples.
TDSS often serves as a component for other malware, specifically FAKEAV variants and DNS changers.
-snip-
It's All About Blending In
Upon execution, TDSS drops a .TMP file in the %User Temp% folder. The said file, whose file name varies, performs the initial installation of all other malicious components.
Installation begins by registering itself as a system service. To do this, the dropped .TMP file copies a legitimate Microsoft Windows .DLL file and modifies it to load the .TMP file. It then exploits a vulnerability in the Microsoft Windows "Known DLLs" list to add the previously modified DLL to the list of .DLL files that are loaded into memory.
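As an added defender-side check (not part of the article or any Trend Micro tool), the Python below audits the Windows KnownDLLs registry list that TDSS abuses and reports entries that are missing from, or differ from, a clean-machine baseline. The baseline, the sample entries and the "tdssserv" value name are constructed placeholders, and the live registry read only works on Windows.

```python
# Audit HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# against an allow-list captured from a clean host of the same build.
KNOWN_DLLS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"

# Values that legitimately hold directories rather than DLL names.
META_VALUES = {"dlldirectory", "dlldirectory32"}

# Constructed, shortened baseline: value name -> expected file name.
BASELINE = {
    "kernel32": "kernel32.dll",
    "advapi32": "advapi32.dll",
    "user32": "user32.dll",
    "gdi32": "gdi32.dll",
    "ole32": "ole32.dll",
}

# Constructed sample of what the registry read could return on an infected
# host; "tdssserv" is a hypothetical name standing in for the modified DLL.
SAMPLE_ENTRIES = {
    "DllDirectory": r"%SystemRoot%\system32",
    "kernel32": "kernel32.dll",
    "advapi32": "advapi32.dll",
    "user32": "USER32.DLL",      # same file, different case: not a finding
    "gdi32": "gdi32x.dll",       # baseline name points at a different file
    "ole32": "ole32.dll",
    "tdssserv": "tdssserv.dll",  # extra entry not present on a clean host
}


def read_known_dlls():
    """Return {value_name: data} from the live registry, or None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWN_DLLS_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                return entries
            entries[name] = data
            index += 1


def audit_known_dlls(entries, baseline):
    """Return sorted (value_name, data, reason) tuples for suspicious entries."""
    findings = []
    for name, data in entries.items():
        key = name.lower()
        if key in META_VALUES:
            continue
        if key not in baseline:
            findings.append((name, data, "not in baseline"))
        elif str(data).lower() != baseline[key].lower():
            findings.append((name, data, "expected " + baseline[key]))
    return sorted(findings)


if __name__ == "__main__":
    live = read_known_dlls()
    for finding in audit_known_dlls(live if live else SAMPLE_ENTRIES, BASELINE):
        print("KnownDLLs finding: %s = %s (%s)" % finding)
```

Any finding should be confirmed by checking the named file in %SystemRoot%\system32 against a known-good copy or its digital signature, since the list only tells you what the loader will map, not whether the file on disk is genuine.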
-snip-
Basically, what TDSS does first is make the system think that the malware is just any other normal process, then it creates a rootkit component that hides all evidence of it doing so.
Getting Down to Business
Once the rootkit component has been deployed, it drops a .DLL file in the %System% folder. The said file is injected into SVCHOST.EXE, from where it downloads more component files from the Internet.
Downloaded component files include configuration files that contain commands to execute as well as URLs to download more files from. It performs both HTTP GET and HTTP POST requests to the URLs and saves any downloaded file on the affected system. The downloaded file contains commands that a remote user can execute on the affected system. Some of the said commands are the following:
Check command version
Display popup advertisements
Download other files (other DLL files and an updated copy of TDSSserv.sys)
Load certain modules from downloaded .DLL files
Prevent programs, mostly antivirus applications, from running on the affected system
Set command delay
Upload log files (error logs, list of processes, OS version)
Different content is downloaded from different URLs. Thus, it is possible for the executed commands to differ from one system to another. The nature of the executed commands may also depend on which malware is using TDSS as a component.
It's What's Under the Hood That Matters
The structured approach of TDSS in performing its routines on an affected system is not the only thing notable about TDSS. It has also been considered problematic by antivirus analysts due to its sophisticated means to evade analysis.
-snip-
The Silver Bullet
In most things, the failure of a single component can be enough to shut down a whole system. For TDSS, security analysts consider that component to be the one that keeps them in the dark: the rootkit component. By disabling the rootkit service, all the malicious files, processes, and components are placed into view, making analysis much easier to conduct.