
Wednesday, December 14, 2011

TDSS infection

Not really an electronics post, but it details my problems in getting rid of a TDSS infection. TDSS is a rather elegant (or nasty, depending on how you feel after being infected) rootkit. I figured it out rather easily once I had become infected, which was likely a result of my having read a paper about TDSS in April of 2010. What happened was that I was visiting a rather shady site and my Firefox download page appeared, but nothing appeared to be downloaded. I left the computer a few minutes later and when I returned in an hour or so, my laptop was in the middle of a reboot. This was very annoying as I had no way of stopping the disk check that had started. Considering that this process needed to be done, I left it alone for another couple of hours to finish the disk check. When I returned, it gave a cryptic disk failure error and wasn't able to boot.

This is where I got worried, as I'd been getting SMART information from my HDD telling me that it's getting old and time for a replacement. First order of business was to copy all information to a USB disk drive, and so I rebooted the machine into safe mode with DOS. This it did just fine (the DOS part), but then the C: drive appeared to be empty. This was somewhat disconcerting, especially as the USB drive I was going to copy files to also appeared empty but had no free disk space. For some obscure reason I typed in:

dir c: /a:h

and suddenly all the files in the root directory appeared. I still hadn't clued into the fact that I'd been infected with malware at this point and decided to remove the hidden tags on files with:

attrib C:\ -H /S /D

What the command above does is remove the hidden attribute from all files and directories. Actually, I forgot about the directory bit initially and had to run the command twice, which was very annoying. Once I was able to find my copy of Restorer 2000 (a very useful program that has saved my ass more than once), I initiated an image copy of my C: drive to a file image on the USB hard drive.

While waiting for this image copy to finish, I started poking around my laptop and found that Task Manager was disabled. This was very odd. I did manage to launch Process Explorer and there didn't appear to be anything amiss in the minimalist system that runs in safe mode. Out of curiosity I launched WinHex to take a look at my hard drive, and this is when I first became aware that I was infected. I have an 80 Gb HDD on my TC4400 laptop which, for some unknown reason, has an unused 10 Mb of disk space at the end of the drive. What WinHex showed me was that I had an extra drive on my system of 10 Mb in size. This appeared to have an NTFS boot sector but was only about 750 Kb in size, which I found out when I copied it with WinHex.

This was when I went to the internet and found out that the disappearing icons and files were a symptom of a TDSS rootkit infection. This was somewhat discouraging, especially as TDSS has a nasty habit of presenting a perfectly normal picture of the system to the user while it controls the system.

Perhaps my response to infections of this nature is a bit different from other people's, as I view them as an interesting problem to be solved. Once I had backed up my system to an image file and verified that all of my files were safe, I undertook the process of engaging in combat with TDSS. The removal of hidden attributes from all files made my XP system bootable, except that I was presented with a blank blue screen and a task bar. Using cmd.exe, I launched all of the programs that I needed for my assault on TDSS. This version of TDSS didn't terminate Process Explorer. The first order of business was also to launch regedit to find out where this piece of malware was hiding. The program was quickly found as one that was to be run at startup, and I neutralized it by changing the file extension. I had my WiFi card turned off, as whenever it was turned on there would suddenly be a stream of packets to and from my machine.

I started up Wireshark to capture all packets sent to and from my machine and then enabled WiFi. What was curious was that I suddenly had a lot of cookie-setting requests and there was no web browser running. Tracking down where these were coming from led to Explorer, and terminating Explorer would cause a cessation of the internet activity. Then it was a matter of launching Explorer and terminating threads one by one until the internet activity stopped (or Explorer crashed). It didn't take long to narrow the internet activity down to Flash-related threads, as killing these threads resulted in total silence on the internet.

Things still weren't back to normal, as the rogue process would appear periodically, sending out huge amounts of network traffic which I watched with TCPView. Killing Explorer stopped this process. When I'd finally neutralized the Explorer takeover by renaming all Flash-related files to *.vir, I had a system which was almost back to normal. I thought I'd dealt with the infestation, as things seemed quiet, but then suddenly network activity started up again. This resulted in a second search for what might be involved, and I found an internet-related thread, which was killed. Note: there were two threads, one of which was WININET.dll!InternetLockRequestFile+0x17f9 and another which was similar but I think ended in wait for object. The latter thread was left alone and the first one was killed, and this resulted in TDSS going to sleep for the rest of the night, as only normal network activity was picked up by Wireshark.

I hadn't rebooted yet and didn't feel like manually editing my partition table yet, so I thought I'd try Firefox and, sure enough, lots of internet activity besides what I was doing started up. TDSS is intelligent enough not to interfere with normal browsing, but when I did a Google search, suddenly I was being redirected to ad sites. At this point I'd had enough and ran the TDSSKiller program, which really only fixed the boot sector, leaving the infection behind on the partition that TDSS had created. The version of the program that infected my machine was Rootkit.boot.SST.b.

Looking at my disk image copy reveals that TDSS grabbed the 10 Mb of unallocated space at the end of my hard drive and created an NTFS partition there. It loaded its own bootloader and modified the disk MBR to boot from the partition it created. I was able to see this partition in the XP Disk Management tool, but had to launch the tool via the command line as TDSS deleted all references to it from both the Programs menu and Control Panel. I haven't run IDA Pro on the boot code yet, but it's clear that when the infected system is rebooted the TDSS bootloader program is started, which presumably executes code that modifies the XP disk drivers so that TDSS is hidden from the OS. I haven't experienced this form of TDSS, as it revealed itself so obviously when it hid all of the files on my disk. Whether this is deliberate or a bug I have no way of knowing. Maybe the average user, when faced with this situation, will just reboot again, and it may be that one more reboot was required to create a system where TDSS is completely hidden. My response to a system which appears to be malfunctioning is to reboot into safe mode with DOS and do an immediate backup to an external drive before I do anything else.

TDSS left a couple of potentially useful DLLs behind whose entry point names suggest that they're capable of executing low-level disk operations. When I have more time I will play with these tools as well as disassembling the .tmp file that TDSS dropped into my temp directory. From what I've read thus far on the internet about TDSS, apparently it's capable of evading most anti-viral programs. That's probably why I caught it, as I use no anti-viral software. All of the anti-viral programs I use run in my wetware and, whenever a computer starts to behave strangely, I start using my hacking tools to see WTF is going on with it. What's concerning is that the Kaspersky TDSSKiller program just changed pointers in the MBR, and dumping out the end of my HDD with WinHex revealed that the TDSS-created NTFS partition is still there with all of the TDSS boot code. Most of the TDSS code is encrypted, as running the WinHex AnalyzeBlock function on the TDSS-created partition shows that every byte has almost equal occurrence probability, which means that whatever encryption/compression function TDSS uses does a damn good job of simulating white noise.
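The two observations above (an MBR pointed at a small bootable partition parked in the unallocated tail of the disk, and a partition whose bytes are almost uniformly distributed) can both be checked offline against a disk image. The following Python script is an added example written for this page; it is not TDSS code, not the author's tooling, and not taken from TDSSKiller. It builds an MBR in memory that mimics the layout described in the post rather than reading a real disk, assumes a sector count of 156,301,488 for an "80 GB" drive and a 64 MB "tail" threshold (both assumptions chosen for the example), and computes plain Shannon entropy as a stand-in for the WinHex AnalyzeBlock histogram.

```python
"""Added example for this post: parse an MBR partition table, flag a
TDL4-style hidden partition parked in the slack at the end of the disk,
and score a region's byte entropy the way WinHex's AnalyzeBlock does.
Illustrative code only: not TDSS code and not the author's tooling.
The MBR is constructed in memory; no real disk is read."""
import math
import struct
from collections import Counter

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
# Assumed sector count for an 80 GB disk (an assumption, not a measured value).
DISK_SECTORS = 156_301_488
TAIL_SECTORS = 20_480            # 10 MB of unallocated space at the end, as in the post


def pack_entry(active, ptype, lba_start, sectors):
    """Build one 16-byte partition table entry; CHS fields are left zero."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Constructed MBR: placeholder boot code, up to four entries, 0x55AA signature."""
    table = b"".join(entries).ljust(64, b"\0")
    return (b"\xf4" * 446) + table + MBR_SIGNATURE      # 0xF4 = HLT, stand-in boot code


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype and size:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "start": lba, "end": lba + size, "sectors": size})
    return parts


def suspicious_partitions(parts, disk_sectors=DISK_SECTORS, max_tail_mb=64):
    """Flag the layout described in the post: a small partition sitting in the
    last few MB of the disk, and/or the active (bootable) flag moved off the
    first partition so stock MBR code chains into the rootkit's own loader."""
    limit = max_tail_mb * 1024 * 1024 // SECTOR
    first = min(p["start"] for p in parts) if parts else 0
    findings = []
    for p in parts:
        reasons = []
        if p["sectors"] <= limit and p["end"] >= disk_sectors - limit:
            reasons.append("small partition in the last %d MB of the disk" % max_tail_mb)
        if p["active"] and p["start"] != first:
            reasons.append("active flag on a partition other than the first")
        if reasons:
            findings.append((p["index"], reasons))
    return findings


def shannon_entropy(data):
    """Bits per byte. Close to 8.0 means every byte value is about equally
    likely, which is what well-encrypted or compressed data looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def demo():
    """Constructed disk: one NTFS partition, then a 10 MB active partition in the tail."""
    main_start, main_size = 63, DISK_SECTORS - 63 - TAIL_SECTORS
    mbr = build_mbr([
        pack_entry(False, 0x07, main_start, main_size),                     # the real C: drive, no longer active
        pack_entry(True, 0x07, DISK_SECTORS - TAIL_SECTORS, TAIL_SECTORS),  # rootkit partition, marked bootable
    ])
    findings = suspicious_partitions(parse_mbr(mbr))
    # Constructed stand-ins for the two kinds of block WinHex would report on.
    plain = b"This is ordinary NTFS metadata and text. " * 100
    opaque = bytes(range(256)) * 16   # perfectly flat histogram, like the encrypted blob
    return findings, shannon_entropy(plain), shannon_entropy(opaque)


if __name__ == "__main__":
    findings, e_plain, e_opaque = demo()
    for index, reasons in findings:
        print("partition %d: %s" % (index, "; ".join(reasons)))
    print("entropy plain=%.2f opaque=%.2f bits/byte" % (e_plain, e_opaque))
```

On a real image you would replace the constructed MBR with the first 512 bytes of the dump and feed `shannon_entropy` the sectors of any partition it flags; a partition whose boot code and payload score near 8 bits per byte, while the legitimate NTFS volume's metadata scores well below that, is the signature the post describes. Note that this only inspects the partition table: a rootkit that hooks the disk driver can hand the OS a clean MBR, so the check is only meaningful run against an image taken from a clean boot, as the author did.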

Being able to almost kill TDSS just from the command line is something that feels good. I expect that if I'd manually edited the MBR to boot from the primary NTFS filesystem, TDSS would be history, as all references to the services that TDSS needed were extirpated from the registry. I might be fooling myself, as TDSS is good enough to modify windoze sys files and fudge the checksums so that the windoze system restore process won't replace them with pristine copies. There's some very interesting material on this rootkit and its modifications on the following site. I've already spent far too much time on this problem, but it's the type of thing I do enjoy doing. NOTE: how TDSS behaves depends very much on the details of each individual system, and you can't count on being as lucky as I was in being able to play around with the rootkit like I did.

Last edited 15/12/2011 T:=00:19

Posted by Boris Gimbarzevsky at 8:14 PM
Categories: Pure software