TDL4 – Top Bot

TDSS variants

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

TDL-3 encrypted disk with SHIZ modules

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn't have to worry about competition from those who bought TDL-3.

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

Yet another affiliate program

Skipping on down...

Part of the code modified to work with the TDL-4 protocol.

Upon protocol initialization, a swap table is created for the bot's outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

TDSS module code which searches the system registry for other malicious programs

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

This 'antivirus' actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

TDSS downloads

Notably, TDL-4 doesn't delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
Computers infected with TDSS receive the command to download and install the kad.dll module.
Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.

Encrypted kad.dill updates found on the Kad network

Below is a list of commands from an encrypted ktzerules file.

SearchCfg – search Kad for a new ktzerules file
LoadExe – download and run the executable file
ConfigWrite – write to cfg.ini
Search – search Kad for a file
Publish – publish a file on Kad
Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and clients IP addresses, including those infected with TDSS.

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P, the clients of which are exclusively TDSS-infected computers.

How publicly accessible and closed KAD networks overlap

Skipping on down...

2 comments

Oldest first

Newest first

Threaded view

Table view

Christophe Brocas

2011 Jun 27, 13:49

TDLx detection DNS

Thank you for this analysis :)

In corporate environment, a http/https proxy is often (almost always) used. Proxies do the DNS name request and not individual desktops.

My question : does TDL4 malware try to do direct HTTPS access to its C C server first before eventualy try the corporate proxy ? If so, TLD4 infected PCs can be detected in corporate DNS server logs.

Every DNS request to resolv Internet domains coming from PCs and not corporate proxies can be interpreted as signals on infection on that PCs.

Am I right or totally wrong (I think I am wrong ... too simple solution to be the right one but I ask ...) ?

Thank you for your reading and answer :)
Chris.

Sergey Golovanov

2011 Jun 27, 15:23

Re: TDLx detection DNS

Surprise! You are right) So you can detect tdl4 connections over proxy.

If you would like to comment on this article you must first

Read More...
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

About

Sergey Golovanov

All analysis articles

All blog postings

Igor Soumenkov

All analysis articles

Analysis

TDSS. TDL-4

TDSS

Kaspersky Security Bulletin 2009. Malware Evolution 2009

Bootkit 2009

Kaspersky Security Bulletin: Malware evolution 2008

Blog

Financial data stealing Malware now on Amazon Web Services Cloud

TDSS loader now got "legs"

MAX++ sets its sights on x64 platforms

An unlikely couple: 64-bit rootkit and rogue AV for MacOS

Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem

Source

Kaspersky Lab

November 16, 2010, 11:02AM

TDL4 Rootkit Bypasses Windows Code-Signing Protection

by Dennis Fisher

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.

The functionality is contained in TDL4, which is the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

Editor's Pick

"Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator," Microsoft says in its explanation of the functionality.

The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

"The boot option is changed in memory from the code executed by infected MBR. The boot option configures value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version normal kdcom.dll that ships with Windows," Sunbelt's Chandra Prakash wrote in the TDL4 analysis.

Read More...
http://threatpost.com/en_us/blogs/tdl4-rootkit-bypasses-windows-code-signing-protection-111610

There are ways to Delete these types of Trojans. I routeenely Restore - Rewrite a corrupted MBR with any of many Live Linux Restore CD's like, Parted Magic or System Rescue CD. Super Grub Disk works great on Grub 1, but I haven't been sucessful with the new version for Grub 2 yet (as of 06-29-11). Or you can forget all of your Windows Worries by just by Installing one of my favorite Linux Distros, like Fedora, ArtistX, Mint or Debian!;) The Best Windows Boot CD that I have found, for fixing - repairing many Windows Problems is Hiren's BootCD. Check it out here...
http://www.hiren.info/pages/bootcd

And UBCD is great for DOS Apps for fixing many Hard Drive Related issues. Ultimate Boot CD is completely free for the download...
http://www.ultimatebootcd.com/

Don