TDL4 – Top Bot
- TDSS variants
- Yet another affiliate program
- The 'indestructible' botnet
- Extended functionality
- Botnet command and control servers
- Command and control server statistics
- To be continued…
The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.
The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.
TDL-3 encrypted disk with SHIZ modules
At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.
The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.
Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn't have to worry about competition from those who bought TDL-3.
In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.
Part of the code modified to work with the TDL-4 protocol.
Upon protocol initialization, a swap table is created for the bot's outgoing HTTP requests. This table is keyed by two values: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random base64 strings are prepended and appended to the resulting message. Once ready, the request is sent to the server using HTTPS.
The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis and blocking attempts by other cybercriminals to take control of the botnet.
Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
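Because a bootkit of this kind persists by rewriting the boot code in the first sector, a defender's basic check is to parse the MBR and compare its boot code against a known-good baseline. The following is an added example, not code from the Securelist article or from TDL-4 itself; the sample sectors, boot-code bytes and baseline hash are constructed for the demo and do not represent real TDL-4 data.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code a bootkit replaces
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"      # bytes 510..511 must carry the boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, known_good_boot_hash: str) -> list:
    """Return findings for a sector; an empty list means it matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector for the demo: one bootable NTFS-type partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    part = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return code + part + SIGNATURE


# Constructed inputs (hypothetical bytes, not real boot code): a clean sector, its
# baseline hash, and a sector whose boot code has been rewritten.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xEA\x00\x7C\x00\x00")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real system the sector would be read from the raw disk device (for example the first 512 bytes of the physical drive) and the baseline taken from a trusted image of the same machine.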
TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.
TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.
This 'antivirus' actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.
Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.
Notably, TDL-4 doesn't delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.
One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?
We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:
- The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
- Computers infected with TDSS receive the command to download and install the kad.dll module.
- Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
- The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
- Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands which ktzerules contains.
Below is a list of commands from an encrypted ktzerules file.
- SearchCfg – search Kad for a new ktzerules file
- LoadExe – download and run the executable file
- ConfigWrite – write to cfg.ini
- Search – search Kad for a file
- Publish – publish a file on Kad
- Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and client IP addresses, including those infected with TDSS.
The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P network, the clients of which are exclusively TDSS-infected computers.
Skipping on down...
How publicly accessible and closed KAD networks overlap
2011 Jun 27, 13:49
TDLx detection DNS
Thank you for this analysis :)
Re: TDLx detection DNS
Surprise! You are right) So you can detect tdl4 connections over a proxy.
In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.
The functionality is contained in TDL4, which is the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.
TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.
"Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator," Microsoft says in its explanation of the functionality.
The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver. "The boot option is changed in memory from the code executed by the infected MBR. The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version of the normal kdcom.dll that ships with Windows," Sunbelt's Chandra Prakash wrote in the TDL4 analysis.
There are ways to delete these types of Trojans. I routinely restore - rewrite a corrupted MBR with any of many Live Linux Restore CDs like Parted Magic or System Rescue CD. Super Grub Disk works great on Grub 1, but I haven't been successful with the new version for Grub 2 yet (as of 06-29-11). Or you can forget all of your Windows worries just by installing one of my favorite Linux distros, like Fedora, ArtistX, Mint or Debian!;) The best Windows boot CD that I have found for fixing - repairing many Windows problems is Hiren's BootCD. Check it out here...
And UBCD is great for DOS Apps for fixing many Hard Drive Related issues. Ultimate Boot CD is completely free for the download...
- TDL-4 the name for both the bot Trojan
- tdl-4 trojan - Google Search
- tdl-4 - Google Search
- Massive botnet 'indestructible,' say researchers - Computerworld
- TDL4 Rootkit Bypasses Windows Code-Signing Protection | threatpost
- TDSSkiller / TDL4 - Norton Community
- TDSS. TDL-4 - Securelist
- TDL4 – Top Bot - Securelist
- Rootkit.Win32.TDSS.tdl4 that won't go away? - Malwarebytes Forum
- TDL4 persistent. ComboFix found it 3 times and disinfected it 3 times! Hitman found MBR.exe. - Malwarebytes Forum
- YouTube - TDL4 rootkit removal using Warrior CD
- YouTube - UnHackMe detects and kills TDL3++ (or TDL4) rootkit under Windows Seven 64 bit
- YouTube - greatissoftware's Channel
- greatissoftware - Google Search
- Greatis Software - Software Publisher Profile - CNET Downloads
- Products and Services - Greatis Software
- RegRun Warrior - Removing rootkits is best done from the clean Windows - Greatis Software
- RegRun Reanimator - free Trojan/Adware/Spyware removal tool - Greatis Software
- bartpe - Google Search
- Bootable CD's
- Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
- bernards bootable cd - Google Search
- hirens boot cd 11 - Google Search
- Hiren's BootCD 12.0 - All in one Bootable CD » www.hiren.info
- DonsDeals: Rootkit infection requires Windows reinstall, says Microsoft - Computerworld
- YouTube - Hirens Boot CD v 13
- YouTube - Reset Password Windows XP/Vista/7 by Hiren's BootCD
- ubcd - Google Search
- YouTube - Ultimate Boot CD
- YouTube - UBCD4Win - How I Use Ultimate Boot CD For Windows
- YouTube - Boot the Ultimate Boot CD as an ISO file from a USB flash pen drive
- Ultimate Boot CD - Overview