Trend Micro TOTW wrote:
TDSS: The invisible threat
The name ‘TDSS’ was derived from a string that was consistently seen in the dropped component files and registry entries of early TDSS variants. Later variants feature random strings, further adding to detection difficulties.
The make-up of early TDSS
Earlier TDSS variants consisted of three main components: a dropper, a rootkit component, and a .DLL file which performed the final payload. Later variants were found to be standalone .EXE files, which executed the same routine.
The three stages of a classic TDSS attack
Stage one:
Upon execution, TDSS drops a .TMP file. The file, whose file name varies, performs the initial installation of all other malicious components.
Installation begins by the malware registering itself as a system service. To do this, the dropped .TMP file copies a legitimate Microsoft Windows .DLL file and modifies it to load the .TMP file. It then exploits a vulnerability on the Microsoft Windows ‘Known DLLs’ list to add the previously modified DLL into the list of .DLL files to be loaded into memory.
Once completed, the MSISERVER service is restarted to load the modified DLL, thus effectively registering the dropped .TMP file as a system service. Once loaded into memory, the .TMP file creates the file %System%\drivers\TDSSserv.sys. This serves as the rootkit component that hides the malicious files and processes.
Stage two:
The TDSS rootkit component hooks functions in the kernel that allow it to hide files, registry entries, and processes. It also terminates certain processes, specifically those related to antivirus programs.
In simple terms, TDSS fools the system into thinking the malware is just any other normal process, and then creates a rootkit component that hides all evidence of it doing so.
Stage three:
Once the rootkit component has been deployed, it drops a .DLL file into the %System% folder. The file is injected into SVCHOST.EXE, during which it downloads more component files from the Internet.
Downloaded component files include configuration files containing commands to execute, plus URLs for downloading more files from. It performs both HTTP GET and HTTP POST requests from and to these URLs, saving downloaded files in the affected system.
The downloaded files contain commands that can be executed by a remote user on the affected system, including:
Check command version
Display popup advertisements
Download other files (other DLL files and updated copy of TDSSserv.sys)
Load certain modules from downloaded .DLL files
Prevent programs, mostly antivirus applications, from running on the affected system
Set command delay
Upload log files (error logs, list of processes, OS version)
Same threat – different commands
As different content is downloaded from different URLs, it is possible for the executed commands to differ from one system to another. The nature of executed commands may also depend on what particular malware is using TDSS as a component.
A constantly evolving threat
New variants of TDSS malware modify the ATAPI.SYS file, Microsoft’s .SYS file for standard integrated development environment (IDE)/Enhanced Small Device Interface (ESDI) hard disk controller, instead of dropping its own SYS components. Other files that TDSS variants patch are IASTOR.SYS and NVSTOR32.SYS.
TrendLabs investigates…
This February, a Microsoft security update for Windows - patch MS10-015 - became the cause of a series of blue screen crashes. An entry on the official Microsoft Blog was published soon after, announcing that the distribution of the Windows Update was suspended. However, the company also issued a statement that the cause of the BSoD error may have been malware-related.
During analysis, Trend Micro TrendLabs engineers found that TROJ_TDSS.AJD patches atapi.sys, which turns the .SYS file into a rootkit detected as TROJ_TDSS.SME. This caused updated systems to crash after installing the security update.
Now stealthier than ever
Arriving as an encrypted file with anti-debugging routines, the malware begins its efforts to evade detection immediately. Through code swinging, the malware uses several call instructions to jump to different locations in order to confuse analysts reading the code.
TDSS also prevents immediate full analysis by hiding its code. Some variants have been found to have multiple encryption layers, requiring the malware code to be decrypted part by part. This prevents analysts from seeing the entire main algorithm.
The root of the problem?
Security analysts consider the rootkit to be the component of TDSS that keeps them in the dark. By disabling it, all malicious files, processes, and components are placed into view, making analysis easier to conduct.
http://www.theeldergeek.com/windows_installer.htm. Windows Installer Service. Microsoft Service Description: Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package.
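As an added defender check (not code from Trend Micro or from the quoted write-up), the following PowerShell audit covers the two persistence points the article describes: the ‘Known DLLs’ list that stage one tampers with, and the driver files (atapi.sys, iastor.sys, nvstor32.sys, TDSSserv.sys) that later variants patch or drop. It assumes an elevated PowerShell session on Windows and that Get-AuthenticodeSignature can validate catalog-signed system files (true on modern Windows; on older systems catalog-signed files report NotSigned, so compare hashes against a known-good copy instead).

```powershell
# Audit KnownDLLs entries and TDSS-targeted driver files for tampering.
# Run from a clean boot or against an offline image: while the rootkit is
# active it can hide files and mask the patched driver contents on disk.

$knownDlls = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$system32  = Join-Path $env:SystemRoot 'System32'
$driverDir = Join-Path $system32 'drivers'
$findings  = @()

# 1. Every KnownDLLs value should name a DLL that lives in System32 and
#    carries a valid Microsoft signature; anything else deserves a look.
$props = Get-ItemProperty -Path $knownDlls
foreach ($p in $props.PSObject.Properties) {
    # Skip PowerShell's own PS* metadata and the DllDirectory* path values
    if ($p.Name -like 'PS*' -or $p.Name -like 'DllDirectory*') { continue }
    $path = Join-Path $system32 $p.Value
    if (-not (Test-Path -LiteralPath $path)) {
        $findings += "KnownDLLs '$($p.Name)' -> $path : file missing"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "KnownDLLs '$($p.Name)' -> $path : signature $($sig.Status)"
    }
}

# 2. Drivers the write-up names: atapi.sys, iastor.sys and nvstor32.sys are
#    patched in place by newer variants; TDSSserv.sys is dropped by early ones.
foreach ($drv in 'atapi.sys', 'iastor.sys', 'nvstor32.sys') {
    $path = Join-Path $driverDir $drv
    if (-not (Test-Path -LiteralPath $path)) { continue }   # not every machine has every driver
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "$path : signature $($sig.Status) (patched driver?)"
    }
}
if (Test-Path -LiteralPath (Join-Path $driverDir 'TDSSserv.sys')) {
    $findings += "TDSSserv.sys present in $driverDir"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No KnownDLLs or driver anomalies found.' }
```

A clean result from a live system is not proof of absence, since the rootkit hides its own files; a finding is a reason to image the disk and verify the flagged files offline.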