TDL3: The Rootkit of All Evil?

Printable View

December 20th, 2010, 08:01 PM
brokencrow

TDL3: The Rootkit of All Evil?

TDL-3's been "in the wild" for some time (2008?) from everything I can tell,
but this weekend was the first time I've run across it. I'm posting this
because I was altogether unable to get a handle on this thing until I got
this client's desktop on the bench, and to make others aware there are
increasingly sophisticated rootkits out there.

My SOP (standard operating procedure, aka SOB) simply was not fixing this
thing. I'd run Spybot and Malwarebytes only to have them come up clean.
Antivir would clean malicious files, a dozen in one day at one point, but also
seemed unable to get to the root (no pun intended) of what was going on.
Basically what was occurring was this client's PC would get reinfected, and
was running slow as well as suffering redirects from a Google search page (a
primary symptom it turns out).

Combofix, my "last resort" app found it, supposedly removed it on a reboot,
only to have the thing return. There's a dropper in there somewhere. Finally
I found a Kaspersky tool, which is available here:

http://support.kaspersky.com/downloa...tdsskiller.zip

Running TDSSkiller turned up the rootkit as HD0, which is unusual to say the
least. I did run a system file check ("sfc /scannow" from the Windows shell)
after finally getting this thing cleaned out as insurance. The computer I was
working on was a 32 bit XP install, but this also infects 64 bit systems supposedly.

ESET's got a whitepaper out on the rootkit and how it works. It apparently
disguises itself as hardware.

http://www.eset.com/resources/white-...3-Analysis.pdf

And here's another white paper from Kaspersky's techs:

http://www.securelist.com/en/analysis/204792131/TDSS

HTH, brokencrow
December 21st, 2010, 01:29 AM
brokencrow

A quick read of some of the white papers on TDL-3 yields this:

"On a side note: the dropper won't infect the system if it runs in a
limited account or in an account with UAC activated."

http://www.prevx.com/blog/155/x-TDL-...follow-up.html

UAC is by no means bulletproof though, although setting it to its highest
level appears to help (what a pain). Microsoft backed off on the UAC
setting with Win7, defaulting the security level lower than it is in Vista.
And of course, this does nothing on XP installs. TDL-3 appears to have
been circulating since August of this year. There are two previous versions.
December 21st, 2010, 04:23 AM
brokencrow

However, on x64 platforms kernel-mode rootkits do not feel so at ease, both on x86 systems. This is one of the factors to choose the method of infection computer - infected MBR. Another factor is that most modern anti-virus technologies, primarily anti-rootkit technology, not ready to deal with threats to the x64 platform, and it strongly makes life easier for virus writers.

"Armed to the teeth» TDL-4 is a very serious danger to users - and continues to evolve. Antivirus companies urgently need to build upon their own anti-rootkit components, as in the case of a rootkit infection data for ordinary users will simply leave no chances.

http://www.securelist.com/ru/analysi...674/TDSS_TDL_4

Why do I get the feeling x86 systems are really fecked going forward?
December 21st, 2010, 04:27 AM
brokencrow

Question: does formatting a HDD overwrite the MBR? Anybody know? This client
had an MBR virus a couple of months back, and I used a utility called MBRfix from
a PE disk to restore it. I've seen a few posts on the forums I've been thru that seem
to indicate it is not unusual for a computer to become reinfected after formatting.
December 21st, 2010, 10:07 AM
Cider

Hi BC,

We have had this issue a few times at clients of ours. I was able to get some samples to our LAB dept for this and it is available in our signature file , both official and beta.

For these kinds of things , forget about cleaning it inside a windows shell. Boot up with our SAFE CD http://www.pandasecurity.com/homeuse...010/en/241.htm.

It has the ability to pick up an IP from a DHCP source and then download our latest signature file and scan.

Just remember that it is extremely difficult for AV vendors to mess around with the MBR and rootkits in general because one incorrect disinfection can corrupt the partition this forcing a format of the HDD.

I will ask the manager at Panda Labs to give me some more information on this malware and will pass it onto you.

EDIT

This is what my LAB guys came back with.

TDSS is a very complex rootkit. When it is loaded and hooks are installed on the system, is very difficult to attack it For this reason we decided the best way to attack this rootkit is attacking it before it was fully installed.
The rootkit use lot of tricks to hide itself: it hides itself in disk sectors, it hooks dispatch routines of the miniport driver of the hard disk that is infected to hide the sectors, some versions infects system drivers instead of install its own driver to stay alive after rebooting, ...

Some versions of the virus install a boot driver and other versions infects disk drivers: atapi.sys, iastor.sys,... This piece of code is responsible for loading the rest of the rootkit (stored in disk sectors). If we stop the rootkit before it was able to load the part stored in disk sectors, we will be able to clean the system from user mode.

TDSS needs to wait until the file system was loaded to get the code stored in disk sectors. Sometimes it installs a file system notify routine with IoRegisterFsRegistrationChange. Other times (when it infects atapi, iastor,...) it hooks MJ_DEVICE_IO_CONTROL handler of the infected driver for waiting a io control (when that iocontrol is received TDSS knows the file system is loaded).

How can we attack TDSS? We install a boot driver and try to load it as soon as possible (using SYSTEM\CurrentControlSet\Control\ServiceGroupOrder for example). We also install a callback with PsSetLoadImageNotifyRoutine so that we can analyze entrypoint of the loaded images searching for the rootkit code. If we find the code, we stop the execution at that moment (by overwriting the code in the entry point, or restoring the execution to the old entrypoint,...). Doing that the rootkit is out and we will be able to clean the system from user mode.
December 22nd, 2010, 03:34 AM
Wazz

Hitman Pro is the only proggie that I have found to clean it 100%......I also as a rule always reformat the MBR and Repair the Boot.....Happy Hunting!
December 23rd, 2010, 07:50 AM
westin

Rootkits continue to become scarier and scarier. The research in hardware rootkits frightens the crap out of me.

I have not heard of Hitman Pro... care to elaborate on some of the features or pros/cons?
December 26th, 2010, 12:37 AM
romanticcowboy

hitman pro is a cloud anti malware scanner i ran it out of curousity it even showed two old vmware program files that were affecting connectivity to my router, it is a 30 day trial version
January 3rd, 2011, 09:43 PM
brokencrow

My client had a TDL4 infection, and TDSSkiller (free download from Kaspersky) was quite effective at cleaning it up. This issue is two weeks out now and the computer has not been reinfected.

The rootkit hid itself as HD0, that is, as a piece of hardware. I also ran a system file check (sfc /scannow) which I am often given to do on badly infected systems.