PE_TDSS
Tidserv, TDSServ, Alureon, Sisron, Malex, AdClicker, DNSChanger, Ertfor, Nvv
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
TDSS, also known as Tidserv, TDSServ, and Alureon, first appeared in the middle of 2008. TDSS malware are known for their rootkit capabilities and the ability to bypass anti-malware protection. These capabilities make TDSS difficult to detect and consequently, difficult to remove from an affected system.
TDSS is often used to distribute other malware like FAKEAV and DNS changers. It is also utilized for click fraud, search engine optimization, and advertisements.
The earliest TDSS variants had three main components: a dropper, a rootkit component, and a .DLL file that performs the main routines. These three components serve different functions that make up a stealthy and persistent malware operation. The second generation TDSS variants perform the same routines but have improved stealth mechanisms.
TDL3, the third generation of TDSS, appeared during late 2009. Variants of TDL3 had a new approach of hiding its files -- storing these in the last sector of the hard disk where it cannot be seen or accessed. In order to start automatically on boot-up, TDL3 patches a legitimate .SYS file then hides the modification by hooking several APIs.
TDL4, the fourth generation of TDSS, came out in 2010. TDL4 variants infect 64-bit Windows operating systems. It modifies the Master Boot Record (MBR) enabling it to run before the OS is loaded. Like TDL3, the malware also writes its component files in the last sector of the hard disk to avoid detection.
This file infector modifies registry entries to disable various system services. This action prevents most of the system functions to be used.
TECHNICAL DETAILS
Installation
This file infector drops the following files:
- %Application Data%\Microsoft\{malware file name}.exe
- %User Temp%\{malware file name}.tmp
- %User Temp%\{malware file name}.exe
- %Windows%\{malware file name}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This file infector creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
maxhttpredirects = "{hex value}"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main\
featurecontrol\FEATURE_BROWSER_EMULATION
{executable name} = "{hex value}"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
enablehttp1_1 = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\New Windows
PopupMgr = "Yes"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
UserID = "{hex numbers}"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "{malware path and file name}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "{malware path and file name}"
Other System Modifications
This file infector adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles
It modifies registry entries to disable the following system services:
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\zones\3
CurrentLevel = "0"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\zones\3
1601 = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = "0"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\International
acceptlanguage = "{local}"
Other Details
This file infector connects to the following possibly malicious URL:
- http://{10 random characters}.com/index.html?{random}
- http://{10 random characters}.net/index.html?{random}
- http://{10 random characters}.org/index.html?{random}
- http://{10 random characters}.info/index.html?{random}
- http://{10 random characters}.biz/index.html?{random}
- http://{10 random characters}.in/index.html?{random}
- {BLOCKED}rch.com
- http://{BLOCKED}l01.com/
- http://{BLOCKED}3ja90a.com/
- http://{BLOCKED}10h.com/
- http://{BLOCKED}yhks66.com/
- http://{BLOCKED}ga64aa17.com/
- http://{BLOCKED}e3oo8as0.com/
- http://{BLOCKED}1s6cx0.com/
- http://{BLOCKED}gh716zzl.com/
- http://{BLOCKED}cv1.com/
- http://{BLOCKED}cv1.com/
- https://{BLOCKED}4cx00.cc/
- https://{BLOCKED}.{BLOCKED}.226.67/
- https://{BLOCKED}b0.com/
- https://{BLOCKED}b0.com/
- https://{BLOCKED}3.com/
- https://{BLOCKED}dden.in/
- https://{BLOCKED}fda88.com/
Variant Information
This file infector has the following MD5 hashes:
- a494e72401f9205179e7bc37c438e820
- 15e776c63da8c6ee89794be9af13872b
- cc997c93ff7f09ffc0bc6c72e486b156
- f3eb06452e3c9889f3a18c2fa375c000