Thursday, June 30, 2011

TDL4 (TDSS family) Rootkit


Q1 2011 was the most active first quarter in malware history. One of the most dangerous threats is TDL4, which is claimed to support all versions of Microsoft Windows from XP up to and including Windows 7 SP1, on both x86 and AMD64 (EM64T).
TDL4 (also known as Alureon) is the fourth generation of the TDSS rootkit, which hides itself on a system by infecting system files/drivers such as atapi.sys, a common target because it loads early in the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder and the Master Boot Record (MBR). Common symptoms/signs of this infection include:
• Google search results redirected as the malware modifies DNS query results.
• Infected (patched/forged) files in the Windows drivers folder.
• Infected Master Boot Record.
• Slowness of the computer and poor performance.
• Fake alerts indicating the computer is infected.
• Internet Explorer opening on its own.
• BSODs as described in this article.
The TDSS botnet, now in its 4th generation, is seriously sophisticated malware. The latest variant is the first response of the rootkit's authors to Microsoft's KB2506014 patch of a couple of weeks ago. This is a game of move and counter-move, and the latest development is not unexpected. The people who work on this rootkit aren't going to give up, and they are technically extremely capable. This one will run and run ... and the rest of us just have to hope that TDL4 stays away from our systems, because the only sure way to get rid of it is to take out your hard drive and drop it down a very deep hole. Hmm... as part of an information security team I shouldn't say this.

A brand new plug-in for TDL4, kad.dll (Win32/Olmarik.AVA), implements a particularly interesting network communication protocol. Kad.dll is intended to be injected into the 32-bit svchost.exe process. The main purpose of the module is to download and execute other malicious software on the infected system. Although there is nothing new in its functionality, it differs drastically from cmd32.dll and cmd64.dll in the way it receives commands and additional modules. In contrast to other known plug-ins, which obtain bot instructions from C&C servers listed in a configuration file, kad.dll relies on a P2P (peer-to-peer) network formed by other bots. Kad.dll implements the Kademlia Distributed Hash Table (DHT) P2P protocol in order to talk with peers over the network. In contrast to a client-server architecture, where there is a list of dedicated C&C (Command and Control) servers that the bots should talk to, in a P2P network all the peers are equivalent: that is, each node is a C&C server and a bot at the same time. As there is no single point from which bots in a P2P botnet are coordinated, such botnets are much more resistant to takedowns than client-server botnets.
The Kad protocol is a kind of DHT protocol in which information is stored as (key, value) pairs. The key is the MD4 hash of the value, which can be a file, a keyword (part of a file name) or a node ID. The resulting hash table is distributed between the peers. Communication between peers is performed over the TCP and UDP protocols: TCP is used to transmit a file from one node to another, while UDP is used to search for files and other peers in the P2P network.
The plug-in stores the list of neighboring nodes in the nodes.dat file in TDL4's hidden file system; it also downloads this file from the C&C.
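To make the "no single point of coordination" argument concrete, here is a small simulation of a Kad-style DHT, added as an example for this post; it is not kad.dll's code and does not speak to any real Kad network. What it keeps from the protocol description above is that keys and node IDs are MD4 digests (the MD4 routine is pure Python, since hashlib builds on OpenSSL 3 often lack MD4) and that peers are ranked by XOR distance to the key. Everything else is an assumption for the model: 200 constructed peers with IDs derived from constructed labels, a replication factor and bucket size of K = 8, routing tables that keep at most K contacts per XOR bucket (the peer's equivalent of nodes.dat), and a FIND_NODE reply that returns a peer's whole contact list rather than only its closest few.

```python
"""Added example: Kad-style (Kademlia) DHT publish/lookup simulation.
Not TDL4 / kad.dll code; MD4 keys and XOR distance are the only parts taken
from the Kad protocol description, everything else is a constructed model."""
import random
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib may lack MD4 on OpenSSL 3)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))           # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            if i < 16:                                # round 1: F, words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:                              # round 2: G, words 0,4,8,12,1,...
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:                                     # round 3: H, words 0,8,4,12,2,...
                f, j = (b ^ c ^ d) + 0x6ED9EBA1, i - 32
                k, s = (0, 2, 1, 3)[j // 4] + (0, 8, 4, 12)[j % 4], (3, 9, 11, 15)[j % 4]
            a = _rotl((a + f + x[k]) & MASK32, s)
            a, b, c, d = d, a, b, c                   # rotate registers for next step
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


K = 8   # replication factor and bucket size (constructed choice)


def kad_id(label: bytes) -> int:
    """Kad key: MD4 of a keyword / file / node label, read as a 128-bit integer."""
    return int.from_bytes(md4(label), "big")


class Peer:
    def __init__(self, node_id):
        self.id = node_id
        self.contacts = []   # its nodes.dat: known peers, at most K per XOR bucket
        self.store = {}      # key -> value pairs this peer holds
        self.alive = True


def build_network(n, seed=7):
    """Constructed network of n peers; bucket i holds peers whose XOR distance
    from this peer has bit length i, and each bucket keeps at most K contacts."""
    rng = random.Random(seed)
    peers = [Peer(kad_id(b"constructed-peer-%d" % i)) for i in range(n)]
    for p in peers:
        buckets = {}
        for q in peers:
            if q is not p:
                buckets.setdefault((p.id ^ q.id).bit_length(), []).append(q)
        for members in buckets.values():
            p.contacts += members if len(members) <= K else rng.sample(members, K)
    return peers


def find_nodes(start, key, k=K):
    """Iterative Kademlia FIND_NODE: keep asking the closest unqueried live peers
    for their contacts until the k closest peers known have all answered."""
    shortlist, queried = {start.id: start}, set()
    while True:
        best = sorted(shortlist.values(), key=lambda p: p.id ^ key)[:k]
        pending = [p for p in best if p.id not in queried]
        if not pending:
            return best
        for p in pending[:3]:            # alpha = 3 parallel queries, as in Kademlia
            queried.add(p.id)
            for q in p.contacts:
                if q.alive:              # a dead peer never answers, so it drops out
                    shortlist[q.id] = q


def publish(start, keyword: bytes, value):
    """Store (key, value) on the k peers closest to MD4(keyword); return them."""
    key = kad_id(keyword)
    holders = find_nodes(start, key)
    for p in holders:
        p.store[key] = value
    return holders


def lookup(start, keyword: bytes):
    """Resolve a keyword from any peer; None if no live holder is reachable."""
    key = kad_id(keyword)
    for p in find_nodes(start, key):
        if key in p.store:
            return p.store[key]
    return None


if __name__ == "__main__":
    net = build_network(200)
    kw = b"constructed keyword"
    holders = publish(net[0], kw, "value placed by the publishing peer")
    print("replicas:", len(holders), "| lookup from peer 50:", lookup(net[50], kw))
```

Running the demo and then marking all but one replica dead still resolves the keyword from an arbitrary live peer, because the iterative lookup converges on whichever holder is closest to the key rather than on a fixed address. That is the defender's takeaway from kad.dll: a blocklist of C&C hosts has nothing to block, and the useful artifacts are the protocol behaviour itself (UDP searches fanning out to many peers) and the nodes.dat bootstrap file the plug-in keeps in the hidden file system.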
McAfee Labs is now at the point where it claims to detect more than 110,000 new unique rootkits per quarter (Source: http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware).
Countries with the Highest Zombie Populations in May 2011: (Source: http://blogs.mcafee.com/consumer/family-safety/dont-become-a-zombie-be-wary-of-unsolicited-emails-and-attachments-mcafee-warns)
1. India
2. Russia
3. Brazil
4. Indonesia
5. Belarus
There are some common symptoms of an infected device:
• The device is running sluggishly
• Unusual activity at startup
• Internet security or virus detection software disabled
• You get e-mails from auto responders that the recipient is not online or on vacation, but you do not know the recipient
• Number of tasks running on the computer exceeds what should be running
• The device is running at or near capacity

Tips to Avoid Becoming a Victim:

1. Never download or click anything from an unknown source. If you really think your friend is sending you a video clip or an electronic greeting card, double-check with the friend to be sure before you click on the link.
2. Before clicking on any links related to the news, check to see that the address is going to a well-established site. If it is a shortened URL, use a URL preview tool such as http://hugeurl.com/, to make sure it is safe to click on.
3. Buy consumer security software from a reputable, well known vendor, such as McAfee, and make sure the suite includes anti-virus, anti-spyware, anti-spam, anti-phishing, a two-way firewall, and a website safety advisor to stay protected against newly discovered malware and spam. Run the software EVERY DAY (not weekly or monthly) to make sure your machine is clear of malware.

Sources:

http://www.virus2remove.com/2011/06/tdl-tracking-peer-pressure/
http://www.virus2remove.com/2011/06/tdss-botnets-kademilia-and-collective-consciousness/
http://blogs.mcafee.com/consumer/family-safety/dont-become-a-zombie-be-wary-of-unsolicited-emails-and-attachments-mcafee-warns
http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fAlureon
http://www.dataprotectioncenter.com/antivirus/kaspersky/tdss-loader-now-got-legs/
http://www.dataprotectioncenter.com/antivirus/trendmicro/the-worm-the-rogue-dhcp-and-tdl4/
http://www.securelist.com/en/analysis/204792131/TDSS