This time we are dealing with a botnet that Kaspersky Lab has termed “practically indestructible”. The statement sounds surprising, but facts are facts and cannot be changed. The latest generation of the TDL malware family is TDL4 (the fourth). It dates back to the Alureon rootkit, which first appeared in 2006 and has lately earned the name “the most sophisticated threat today”. It specialises in tricks for remaining hidden and evading antivirus detection, and to add to the problem, its communications are fully encrypted. It contains a rootkit component that gives the attacker control of the machine and can form botnets for carrying out offensive operations such as DDoS, spamming and spyware. This bot is well known for hiding in the master boot record (MBR) of the system, which lets it gain control during the boot process, before the operating system and any antivirus software have loaded. One of the first versions was detected by Kaspersky Lab in 2008 as Rootkit.Win32.Clbd.a, named after the drivers clbdriver.sys and clbdll.dll, which deliver the main payload. It has been designed for profit: the authors pay $20-$200 per 1000 infected machines, and these bots are then rented out to others as a botnet for the malicious purposes described above. It is also equipped to wipe any other malware already present on the infected computer, to remove competition from other malware.
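Because TDL hides in the MBR, one defender-side check is to parse the first sector of the boot disk and compare its boot code (the first 446 bytes, which a bootkit overwrites) against a hash taken from a known-clean system. The following is an added example, not code from the post and not a TDL component; the two sectors are constructed in memory, and on a real machine the 512 bytes would be read from the raw disk device.

```python
"""Parse a 512-byte MBR and check its boot code against a known-good baseline.

Added defender-side example; it is not code from the post and not a TDL
component. The sectors below are constructed in memory; on a real machine
the 512 bytes would be read from the first sector of the boot disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # bytes 0..445 hold the boot code, the region a bootkit overwrites
PTABLE_OFFSET = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFFSET = 510  # bytes 510..511 hold the 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry_off = PTABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, entry_off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xAA",
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code no longer matches the baseline taken from a clean system."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS partition at LBA 2048, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * 16
    return code + ntfs + empty * 3 + b"\x55\xAA"


# Constructed samples: a "clean" sector and one whose boot code has been overwritten.
# The tampered bytes are filler chosen for the demo, not real rootkit code.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")  # xor ax,ax / mov ss,ax / mov sp,0x7C00
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xEA\x00\x00\x00\x00" + b"\x90" * 64)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(name, "signature ok:", info["signature_ok"],
              "partitions:", info["partitions"],
              "boot code changed:", boot_code_changed(sector, BASELINE_SHA256))
```

The point of the tampered sample is that its partition table and boot signature are identical to the clean one; only the boot-code hash differs, so a check that looks at the partition table alone would miss an MBR infection.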
TDL Communications
TDL4 communicates over the Kad network, a peer-to-peer network that implements the Kademlia protocol, a distributed hash table (DHT) for decentralised peer-to-peer networks. The nodes talk to each other over UDP in a virtual (overlay) network formed by the participating nodes themselves. The TDL operators may also manipulate the nodes.dat file (the cached contact list a Kad client uses to bootstrap) so that TDL-infected bots form a group separate from other computers on the Kad network. TDL is also known for downloading other malware, pornographic and copyrighted material onto the infected machines. The attacker's advantage in running the communications over a peer-to-peer network is that there is no central server and the communications are distributed in nature: if any one node is caught in the act or blacklisted, plenty of other nodes remain up.
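To make the "no central server" point concrete, here is an added toy model of the Kademlia lookup the paragraph describes (not TDL code and not the eMule Kad implementation). Kad identifies nodes by 128-bit IDs and measures distance between IDs with bitwise XOR; every node can find the peers nearest a target from its own routing table, so removing one peer does not stop the rest from answering. The node IDs and addresses below are constructed small values so the arithmetic is easy to follow.

```python
"""Toy Kademlia lookup: rank peers by XOR distance to a target ID.

Added illustration of the DHT mechanism the post describes; it is not TDL
code and not the eMule Kad implementation. Kad uses 128-bit node IDs; the
IDs below are constructed small values so the arithmetic is easy to follow.
"""
import heapq

K = 3  # number of closest peers a lookup returns (Kademlia's "k"); small for the demo


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: the bitwise XOR of the two IDs, read as an integer."""
    return a ^ b


def bucket_index(own_id: int, other_id: int) -> int:
    """Index of the k-bucket holding other_id: position of the highest differing bit (0 = same ID)."""
    return xor_distance(own_id, other_id).bit_length()


def closest_peers(peers: dict, target: int, k: int = K) -> list:
    """Return the k peer IDs nearest the target, nearest first.

    Each node answers this from its own routing table, which is why the
    overlay has no single server whose removal breaks the lookup.
    """
    return heapq.nsmallest(k, peers, key=lambda node_id: xor_distance(node_id, target))


def lookup_after_takedown(peers: dict, target: int, removed: int, k: int = K) -> list:
    """Same lookup with one peer gone (blacklisted or offline): the survivors still answer."""
    survivors = {nid: addr for nid, addr in peers.items() if nid != removed}
    return closest_peers(survivors, target, k)


# Constructed routing table: node ID -> (IP, UDP port). Addresses are documentation ranges.
PEERS = {
    0x01: ("192.0.2.1", 4672),
    0x0E: ("192.0.2.2", 4672),
    0x10: ("198.51.100.3", 4672),
    0x37: ("198.51.100.4", 4672),
    0xF0: ("203.0.113.5", 4672),
}

if __name__ == "__main__":
    target = 0x0F
    print("closest to", hex(target), [hex(n) for n in closest_peers(PEERS, target)])
    print("after removing 0xe:", [hex(n) for n in lookup_after_takedown(PEERS, target, 0x0E)])
    print("bucket of 0xf0 as seen from 0x0f:", bucket_index(0x0F, 0xF0))
```

For the target 0x0F the nearest peers are 0x0E (distance 1), 0x01 (14) and 0x10 (31); dropping 0x0E simply promotes 0x37 (distance 56) into the answer, which is the property that makes blacklisting single nodes ineffective against this kind of command channel.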
Infection Analysis / Modus Operandi
TDL is known to spread through fake blogs, pornographic websites and malicious URLs. The trojan has also been found in peer-to-peer downloads, torrent files, software crack executables, and on a number of otherwise legitimate websites that have been compromised and planted with these exploit downloads.
Functionality of TDL
- Generating web traffic
- Installing pay-per-install software
- Generating sales leads for other websites
- Manipulating web search results to redirect users to malicious sites
- Displaying bogus pop-up advertisements
- Downloading other malicious software and malware to increase infection on the system
- Protecting the registry keys and files which may be critical to it
- Injecting malicious code into various system processes, as well as hiding network ports
TDL BSOD Incidents
Microsoft's MS10-015 / KB977165 patch changed the relative virtual addresses (RVAs) of certain kernel APIs. The infected driver depended on the old addresses, so after the patch it ended up calling invalid addresses, which in turn caused blue screens of death on systems with infected driver files such as atapi.sys. To add to the confusion, the user was stuck in an infinite loop of system restarts, since the system failed to boot because of the infected driver file. Even the safe mode option did not work, and the infected user was left alone to replace the infected driver to get a usable system back.
Other commonly infected drivers besides atapi.sys include iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys.
Removal tools by various antivirus vendors
- Backdoor.Tidserv removal tool by Symantec
- Removal tool by Bitdefender
- Kaspersky TDSSKiller
Suspected IP addresses and domains
According to Symantec's research, the following domains are associated with TDL, and access to them should be blocked using a firewall on the user's computer:
- 1il1il1il.com
- 69b69b6b96b.com
- b00882244.cn
- b11335599.cn
- countri1l.com
- d45648675.cn
- d92378523.cn
- gnarenyawr.com
- ikaturi11.com
- jukdoout0.com
- lkaturl71.com
- m3131313.cn
- ranmjyuke.com
- rinderwayr.com
- stableclick.com
- stableclick2.com
- swltcho0.com
- updatemic0.com
- updatemic1.cn
- updatepanel.us
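Besides blocking these domains at the firewall, a defender can run the same list over DNS resolver logs to find hosts that have already tried to reach them. The following is an added detection example, not code from the post or from Symantec; the log format (timestamp, client IP, the word "query", queried name) and the log lines themselves are constructed for the demo, and the regex would need adapting to a real resolver's log format. Matching is done label by label so that subdomains of a listed domain hit while look-alike names that merely contain a listed domain as a substring do not.

```python
"""Flag DNS queries for the TDL-related domains listed in the post.

Added detection example; it is not code from the post or from Symantec.
The log format and the log lines are constructed for the demo; adapt the
regex to your resolver's actual log format.
"""
import re
from collections import Counter

# Domain list as given in the post (attributed there to Symantec's research).
BLOCKED_DOMAINS = {
    "1il1il1il.com", "69b69b6b96b.com", "b00882244.cn", "b11335599.cn",
    "countri1l.com", "d45648675.cn", "d92378523.cn", "gnarenyawr.com",
    "ikaturi11.com", "jukdoout0.com", "lkaturl71.com", "m3131313.cn",
    "ranmjyuke.com", "rinderwayr.com", "stableclick.com", "stableclick2.com",
    "swltcho0.com", "updatemic0.com", "updatemic1.cn", "updatepanel.us",
}

# Constructed line shape: "<timestamp> <client IPv4> query <qname>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(?P<qname>[\w.-]+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'UPDATEPANEL.US.' matches 'updatepanel.us'."""
    return qname.lower().rstrip(".")


def blocked_match(qname: str):
    """Return the blocked domain that qname equals or is a subdomain of, else None.

    Label-by-label matching: 'www.stableclick.com' hits, 'notstableclick.com'
    does not (a plain substring test would wrongly flag the latter).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def scan_log(lines) -> list:
    """Parse each line and return one record per query that hit the blocklist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; in production count these separately
        matched = blocked_match(m["qname"])
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize(m["qname"]), "matched": matched})
    return hits


def clients_to_investigate(hits) -> dict:
    """Count hits per client; repeated hits from one host point at an infected machine."""
    return dict(Counter(h["client"] for h in hits))


# Constructed sample log; 192.0.2.x are documentation addresses, not real clients.
SAMPLE_LOG = """\
2011-07-01T10:00:01Z 192.0.2.10 query www.example.org
2011-07-01T10:00:02Z 192.0.2.10 query www.stableclick.com
2011-07-01T10:00:03Z 192.0.2.20 query UPDATEPANEL.US.
2011-07-01T10:00:04Z 192.0.2.30 query notstableclick.com
2011-07-01T10:00:05Z 192.0.2.10 query d45648675.cn
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("hits per client:", clients_to_investigate(hits))
```

On the sample log the scan reports three hits, two of them from the same client, which is the host a responder would pull for an MBR check and a run of one of the removal tools listed above.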