
Wednesday, June 29, 2011

TDL4 Root Kit Biggest Botnet - So Far... Are you in it!???

TDL4 – Top Bot

TDSS variants

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

TDL-3 encrypted disk with SHIZ modules

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn't have to worry about competition from those who bought TDL-3.

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

Yet another affiliate program

Skipping on down...

Part of the code modified to work with the TDL-4 protocol.

Upon protocol initialization, a swap table is created for the bot's outgoing HTTP requests. This table is keyed by two values: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted with the table and then converted to base64. Random base64 strings are prepended and appended to the resulting message. Once ready, the request is sent to the server over HTTPS.
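The pipeline described above, written out as an added example so the round trip can be seen end to end. This is not the malware's code and not code from the Securelist article: the page gives only the shape of the scheme (keyed swap table, base64, random base64 noise on both ends, HTTPS transport), so the table derivation (SHA-256 of the domain and bsh seeding a deterministic shuffle), the fixed 8-character length of the noise strings, and all names and sample values are assumptions made here.

```python
import base64
import hashlib
import os
import random

# Added example: the shape of the TDL-4 request pipeline as the article describes it
# (keyed swap table -> base64 -> random base64 noise on both ends), not the malware's
# own code. The derivation of the table and the fixed noise length are assumptions.
NOISE_LEN = 8  # assumed fixed length of the random base64 strings on each side
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def build_swap_table(domain: str, bsh: str) -> bytes:
    """Derive a 256-byte permutation from the two keys the article names.

    Assumed derivation: SHA-256 of both keys seeds a deterministic shuffle, so
    bot and C&C compute the same table without ever sending it over the wire.
    """
    seed = hashlib.sha256(f"{domain.lower()}|{bsh}".encode()).digest()
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)


def invert_table(table: bytes) -> bytes:
    """Inverse permutation: table[x] == y implies inverse[y] == x."""
    inverse = bytearray(256)
    for plain, swapped in enumerate(table):
        inverse[swapped] = plain
    return bytes(inverse)


def random_b64(length: int) -> str:
    """Noise drawn from the base64 alphabet so it is indistinguishable from the body."""
    return "".join(B64_ALPHABET[b % 64] for b in os.urandom(length))


def encode_request(request: bytes, table: bytes) -> str:
    """Bot side: swap every byte through the table, base64 it, wrap it in noise."""
    body = base64.b64encode(request.translate(table)).decode("ascii")
    return random_b64(NOISE_LEN) + body + random_b64(NOISE_LEN)


def decode_request(wire: str, table: bytes) -> bytes:
    """C&C side: strip the noise, undo base64, map bytes back through the inverse table."""
    body = wire[NOISE_LEN:len(wire) - NOISE_LEN]
    return base64.b64decode(body).translate(invert_table(table))


def roundtrip_demo() -> dict:
    """Encode one request twice, and once under another C&C domain; report what a sniffer sees."""
    table = build_swap_table("cc.example.invalid", "bsh=1")      # placeholder keys
    other = build_swap_table("other.example.invalid", "bsh=1")
    request = b"GET /cmd?id=42&ver=4 HTTP/1.1"                    # constructed sample request
    first = encode_request(request, table)
    second = encode_request(request, table)
    strip = slice(NOISE_LEN, -NOISE_LEN)
    return {
        "decoded": decode_request(first, table),
        "same_body": first[strip] == second[strip],      # same key, same bytes inside
        "same_wire": first == second,                    # but the noise differs per send
        "other_key_differs": encode_request(request, other)[strip] != first[strip],
        "wrong_key_decodes": decode_request(first, other) == request,
    }


if __name__ == "__main__":
    for key, value in roundtrip_demo().items():
        print(f"{key}: {value!r}")
```

Two things a defender can take from the round trip: the same command produces a different wire string on every send and a different body again for every C&C domain, so byte patterns in the request are not a usable signature; and because the request rides inside HTTPS, the signals that survive are which host opened the connection and which name it resolved, not what it sent.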

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

TDSS module code which searches the system registry for other malicious programs

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic and Optima. It scans the registry, searches for specific file names, and blacklists the addresses of other botnets' command and control centers so that victim machines cannot contact them.

This 'antivirus' actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

TDSS downloads

Notably, TDL-4 doesn't delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands it contains.

Encrypted kad.dll updates found on the Kad network

Below is a list of commands from an encrypted ktzerules file.

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C, containing a list of Kad server and client IP addresses, including those of TDSS-infected machines.

The most interesting command is Knock. It allows the cybercriminals to build their own Kad P2P network whose clients are exclusively TDSS-infected computers.

How publicly accessible and closed KAD networks overlap

Skipping on down...



Christophe Brocas

2011 Jun 27, 13:49

TDLx detection DNS

Thank you for this analysis :)

In a corporate environment, an HTTP/HTTPS proxy is often (almost always) used. The proxies do the DNS name requests, not the individual desktops.

My question: does the TDL4 malware try to do direct HTTPS access to its C&C server first before eventually trying the corporate proxy? If so, TDL4-infected PCs can be detected in corporate DNS server logs.

Every DNS request to resolve Internet domains coming from PCs and not from corporate proxies can be interpreted as a signal of infection on those PCs.

Am I right or totally wrong (I think I am wrong ... too simple a solution to be the right one, but I ask ...)?

Thank you for your reading and answer :)


Sergey Golovanov

2011 Jun 27, 15:23

Re: TDLx detection DNS

Surprise! You are right) So you can detect tdl4 connections over proxy.
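The check Christophe Brocas proposes and Sergey Golovanov confirms, as an added example (not code from either of them or from Securelist): pull out the desktops that asked the corporate resolver for Internet names themselves instead of letting the proxy resolve on their behalf. The log lines are constructed for the example in the style of a BIND query log; the proxy addresses and internal zone suffixes are placeholders to replace with your own.

```python
import re
from collections import Counter, defaultdict

# Added example of the proxy-bypass check from the comment thread, not code from the
# commenters. Placeholder site data: replace with your own proxy addresses and zones.
PROXY_IPS = {"10.0.0.5", "10.0.0.6"}
INTERNAL_SUFFIXES = (".corp.example", ".in-addr.arpa")

# Constructed sample lines in the style of a BIND query log (not real traffic).
SAMPLE_LOG = """\
28-Jun-2011 09:14:02.113 client 10.0.0.5#40211: query: www.example.net IN A + (10.0.0.1)
28-Jun-2011 09:14:05.410 client 10.1.4.17#52310: query: fileserver.corp.example IN A + (10.0.0.1)
28-Jun-2011 09:14:09.002 client 10.1.4.17#52311: query: 17.4.1.10.in-addr.arpa IN PTR + (10.0.0.1)
28-Jun-2011 09:15:31.771 client 10.1.4.17#52390: query: zz1.example.invalid IN A + (10.0.0.1)
28-Jun-2011 09:15:32.004 client 10.1.4.17#52391: query: zz1.example.invalid IN A + (10.0.0.1)
28-Jun-2011 09:16:00.561 client 10.0.0.6#40982: query: update.example.com IN A + (10.0.0.1)
28-Jun-2011 09:16:44.190 client 10.1.9.2#61000: query: cdn.example.org IN AAAA + (10.0.0.1)
28-Jun-2011 09:17:10.555 malformed line that the parser must skip
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query(line):
    """Return (client_ip, qname, qtype), or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_internal(qname):
    """Names the desktops are allowed to resolve directly (own zones, reverse lookups)."""
    return qname.endswith(INTERNAL_SUFFIXES)


def direct_resolvers(log_text, proxies=PROXY_IPS):
    """Map each non-proxy client to the Internet names it resolved and how often.

    A host listed here resolved external names itself, which in a proxied
    network the proxy should have been doing on its behalf.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec is None:
            continue
        ip, qname, qtype = rec
        if ip in proxies or is_internal(qname):
            continue
        if qtype not in ("A", "AAAA"):
            continue  # PTR, SRV and similar are normally infrastructure, not a bot reaching out
        hits[ip][qname] += 1
    return {ip: dict(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(direct_resolvers(SAMPLE_LOG).items()):
        print(ip, names)
```

Expect legitimate exceptions (administrators' hosts, systems with explicit direct access), so the output is a triage list rather than a verdict; the repeated lookups of one unknown name from a single desktop are what to look at first. The check only works if desktops are not supposed to resolve Internet names at all; where the proxy is optional it proves nothing.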



November 16, 2010, 11:02AM

TDL4 Rootkit Bypasses Windows Code-Signing Protection

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.

The functionality is contained in TDL4, which is the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

"Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator," Microsoft says in its explanation of the functionality.

The TDL4 rootkit evades this protection by altering the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software: code run from the infected MBR lowers, in memory, the level of validation Windows applies to boot-time binaries, so an unsigned component is accepted.

"The boot option is changed in memory from the code executed by the infected MBR. The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version of the normal kdcom.dll that ships with Windows," Sunbelt's Chandra Prakash wrote in the TDL4 analysis.


There are ways to delete these types of Trojans. I routinely restore or rewrite a corrupted MBR with any of many live Linux rescue CDs, like Parted Magic or System Rescue CD. Super Grub Disk works great on GRUB 1, but I haven't been successful with the new version for GRUB 2 yet (as of 06-29-11). Or you can forget all of your Windows worries just by installing one of my favorite Linux distros, like Fedora, ArtistX, Mint or Debian! ;) The best Windows boot CD that I have found for fixing and repairing many Windows problems is Hiren's BootCD. Check it out here...

And UBCD is great for DOS apps that fix many hard-drive-related issues. Ultimate Boot CD is completely free to download...
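Before rewriting the MBR from a live CD as described above, it is worth knowing whether it has actually changed. The following is an added example (not the blog author's procedure, and not a TDL-4 signature): read the first sector, confirm the 0x55AA boot signature, hash only the 440 bytes of boot code (the disk signature and partition table legitimately differ from machine to machine) and compare with a hash recorded when the machine was known clean. The sample sector is constructed inline; point read_first_sector at the real device (for example /dev/sda, an assumed path) when running from the live environment.

```python
import hashlib
import struct

# Added example for checking a disk's first sector from a live environment; not the
# blog author's procedure. The constants are the classic MBR layout.
SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439 hold the boot code a bootkit replaces
PT_OFFSET = 446               # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_first_sector(device_path):
    """Read sector 0 from a block device or image (e.g. /dev/sda on a live CD; assumed path)."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Decode the four partition entries; unused entries (type 0) are skipped."""
    entries = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + 16 * index)
        if ptype == 0:
            continue
        entries.append({"index": index, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector):
    """Signature check, hash of the boot-code region only, and the partition table."""
    complete = len(sector) == SECTOR_SIZE
    return {
        "valid_signature": complete and sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parse_partitions(sector) if complete else [],
    }


def bootcode_changed(sector, baseline_sha256):
    """True when the boot code no longer matches the hash recorded on a clean system."""
    return inspect_mbr(sector)["bootcode_sha256"] != baseline_sha256.lower()


def build_sample_sector(bootcode):
    """Constructed sector for offline use: given boot code, one bootable type-0x07 entry at LBA 2048."""
    body = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    body += b"\x00" * 6                                      # disk signature + reserved
    body += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body += b"\x00" * 48                                     # three empty entries
    return body + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = inspect_mbr(build_sample_sector(b"clean boot code"))["bootcode_sha256"]
    print("changed:", bootcode_changed(build_sample_sector(b"replaced boot code"), baseline))
```

Read the sector from the live CD, not from the running Windows: the article above describes a rootkit component that hides its changes from software on the infected system. A mismatch only tells you the boot code differs from your baseline (a bootloader update does that too), and rewriting the MBR only removes the launch point; the modules the article lists (kad.dll, r.dll, the malware TDL-4 downloaded) live elsewhere and need their own cleanup.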

TDL-4 the name for both the bot Trojan
Massive botnet 'indestructible,' say researchers - Computerworld
TDL4 Rootkit Bypasses Windows Code-Signing Protection | threatpost
TDSSkiller / TDL4 - Norton Community
TDSS. TDL-4 - Securelist
TDL4 – Top Bot - Securelist
Rootkit.Win32.TDSS.tdl4 that won't go away? - Malwarebytes Forum
TDL4 persistent. ComboFix found it 3 times and disinfected it 3 times! Hitman found MBR.exe. - Malwarebytes Forum
YouTube - TDL4 rootkit removal using Warrior CD
YouTube - UnHackMe detects and kills TDL3++ (or TDL4) rootkit under Windows Seven 64 bit
YouTube - greatissoftware's Channel
Greatis Software - Software Publisher Profile - CNET Downloads
Products and Services - Greatis Software
RegRun Warrior - Removing rootkits is best done from the clean Windows - Greatis Software
RegRun Reanimator - free Trojan/Adware/Spyware removal tool - Greatis Software
Bootable CD's
Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
Hiren's BootCD 12.0 - All in one Bootable CD »
DonsDeals: Rootkit infection requires Windows reinstall, says Microsoft - Computerworld
YouTube - Hirens Boot CD v 13
YouTube - Reset Password Windows XP/Vista/7 by Hiren's BootCD
YouTube - Ultimate Boot CD
YouTube - UBCD4Win - How I Use Ultimate Boot CD For Windows
YouTube - Boot the Ultimate Boot CD as an ISO file from a USB flash pen drive
Ultimate Boot CD - Overview
