User:Stacksth/TDSS

From Wikipedia, the free encyclopedia

Alureon (also known as TDSS, TDL or Tidserv) is a trojan and bootkit designed, amongst other things, to steal data by intercepting a system's network traffic and searching it for usernames, passwords and credit card data.[1] Following a series of customer complaints, Microsoft determined that Alureon was the cause of a series of blue screen of death (BSoD) crashes on some 32-bit Microsoft Windows systems, triggered when invalid assumptions made by the malware author(s) were broken by the Patch Tuesday update MS10-015.[2][3]

According to research by Microsoft, Alureon was the second most active botnet in the second quarter of 2010.[4]

Alias

This trojan is known as Alureon, TDSS and TDL (with numbered generations such as TDL-3 or TDL-4).
Detection names used by antivirus vendors include:

  • Backdoor:W32/TDSS [F-Secure]
  • BKDR_TDSS [Trend]
  • Win32/Alureon [Microsoft]
  • Trojan-Dropper.Win32.TDSS [Kaspersky]
  • Packed.Win32.TDSS [Kaspersky]

Description

The Alureon rootkit was first seen in 2006.[citation needed] PCs are usually infected when the user manually downloads and installs trojanised software; it has also been seen bundled with the rogue security software Security Essentials 2010.[5] When the dropper is executed, it first hijacks the print spooler service (spoolsv.exe) to write a hidden filesystem at the end of the disk; it then infects low-level system drivers, such as the one responsible for PATA operations (atapi.sys), to implement its rootkit. Alureon has also been known to redirect search-engine results to commit click fraud; Google has taken steps to mitigate that for its users by detecting infected clients and warning them.[6] Once installed, it blocks access to Windows Update and attempts to disable some anti-virus products.

The malware drew considerable public attention when a bug in its code caused some 32-bit Windows systems to crash after installation of security update MS10-015.[7] The rootkit relied on a hard-coded kernel memory address that changed once the hotfix replaced the kernel; when that assumption no longer held, the system crashed on restart. Microsoft subsequently modified the hotfix so that it refuses to install if an Alureon infection is present,[8] and the malware authors in turn fixed the bug in their code.

In November 2010 the press reported that the rootkit had evolved to the point of bypassing the mandatory kernel-mode driver-signing requirement of 64-bit editions of Windows 7 by subverting the master boot record (MBR),[9] a technique that also makes it particularly resistant to detection and removal by anti-virus software on all systems, because the bootkit runs before the operating system and its security tools have loaded.


Infection Vectors

This trojan is distributed through a number of means common to many other well-known threats. It has been observed spreading via fake blogs rigged with links to sensational "must see" videos, and via bogus blog or forum comments with similar bait. The trojan has also been found in fake torrent files and P2P downloads, on crack and warez web sites, and on both compromised legitimate web sites and purpose-built fake ones rigged with exploits for various vulnerabilities, allowing a so-called "drive-by download" to occur.[10]

Communication

Alureon is controlled by a command and control (C&C) server from which further malicious files can be downloaded. It uses a wide range of domains to download and upload data.

Functionality

The threat uses an advanced rootkit and stealth techniques that provide highly effective cover from detection. It achieves this by:

  • Protecting critical registry keys by hiding them
  • Protecting critical files on the disk by hiding them
  • Injecting malicious code into system processes from a kernel-mode driver
  • Hiding the TCP network ports it uses
  • Providing further functions from kernel mode, such as terminating processes and threads and hiding injected DLL modules

More recent variants also modify the Master Boot Record (MBR) of the computer so that the malware is loaded early in the boot process, before the operating system, allowing it to interfere with the loading of the operating system and its drivers.[11]

Symptoms

An Alureon infection produces no obvious symptoms or indicators on the machine itself. Symptoms become visible on the network when Alureon tries to connect to its C&C servers.

Propagation

Alureon self-propagates through removable media drives and by acting as a DHCP server on the local network, which lets it hand out its own DNS server settings and so redirect clients to malicious servers.
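The rogue-DHCP trick works because clients accept whichever DHCPOFFER answers first and trust the DNS servers it carries in option 6. The Python script below is an added example, not part of the original page and not Alureon's own code: it builds two constructed DHCPOFFER packets in the RFC 2131 layout, parses the option list defensively (rejecting truncated options rather than trusting them), and flags offers whose server identifier (option 54) or DNS servers (option 6) are not on an allowlist. The addresses, the allowlist and the packet contents are assumptions made for the illustration.

```python
"""Detect rogue DHCP offers that hand out attacker-controlled DNS servers.

Added illustration (not from the original page, not Alureon code). The DHCPOFFER
packets are constructed here so the check runs offline.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # follows the 236-byte fixed header
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255


def build_offer(xid, yiaddr, server_id, dns_servers):
    """Construct a minimal DHCPOFFER: fixed header, magic cookie, options."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                  # op=BOOTREPLY, ethernet, hlen 6
        b"\0" * 4, ipaddress.ip_address(yiaddr).packed,
        ipaddress.ip_address(server_id).packed, b"\0" * 4,
        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 2])          # message type 2 = DHCPOFFER
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(packet):
    """Parse the option list into {code: bytes}; malformed input raises ValueError
    instead of being silently accepted (a rogue server is not a trusted parser input)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate
        i += 2 + length
    raise ValueError("missing end option")


def check_offer(packet, trusted_servers, trusted_dns):
    """Return findings for a DHCPOFFER; an empty list means it matches the allowlist."""
    opts = parse_options(packet)
    findings = []
    if opts.get(OPT_MSG_TYPE) != b"\x02":
        return findings                         # only offers are judged here
    server = str(ipaddress.ip_address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")))
    if server not in trusted_servers:
        findings.append(f"offer from unexpected DHCP server {server}")
    raw = opts.get(OPT_DNS, b"")
    for k in range(0, len(raw) - len(raw) % 4, 4):
        dns = str(ipaddress.ip_address(raw[k:k + 4]))
        if dns not in trusted_dns:
            findings.append(f"unexpected DNS server {dns} handed out by {server}")
    return findings


# Constructed network: the real DHCP server and resolver are both 192.168.1.1.
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer(0x3903F326, "192.168.1.20", "192.168.1.1", ["192.168.1.1"])
# An infected peer answering first, prepending its own resolver to the list.
ROGUE_OFFER = build_offer(0x3903F326, "192.168.1.20", "192.168.1.77",
                          ["203.0.113.5", "192.168.1.1"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or "ok")
```

On a real network the packets would come from a capture of UDP port 68 on a monitoring host; the same check also catches the quieter variant where the server identifier is legitimate-looking but the DNS list is not.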

Prevention

  • Exercise caution when downloading executables.
  • Keep anti-virus software fully updated.
  • Keep the operating system fully updated.
  • Make sure patches from Microsoft such as MS10-015 have been applied.

Recovery/Cleanup

While the rootkit is generally able to hide itself very effectively, circumstantial evidence of an infection may be found by examining network traffic and outbound connections (for example with netstat, ideally cross-checked against what a gateway or firewall sees, since the rootkit can hide ports from the infected host). The FixMbr command of the Windows Recovery Console and manual replacement of atapi.sys may be required before some anti-virus tools are able to find and clean an infection.
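Rewriting the MBR with FixMbr only helps if you can tell whether the MBR was tampered with in the first place, and again afterwards that the rewrite took. The bootkit behaviour described under Functionality (loading from a modified MBR) leaves the partition table untouched so the machine still boots, so the useful check hashes the 440-byte bootstrap code region separately from the partition table and compares it with a baseline. The Python script below is an added example, not part of the original page and not Alureon's code: it builds a constructed clean sector and a constructed tampered one, and reports whether the code, the signature or the partition table differ from the baseline. The baseline hash is computed from the constructed clean sector, not from a real Windows MBR, and the `read_mbr` helper and its device paths are assumptions for use on a real system.

```python
"""Check an MBR sector for tampering with its bootstrap code.

Added illustration (not from the original page, not Alureon code). A bootkit
rewrites the bootstrap code but keeps the partition table intact, so the two
regions are checked separately against a known-good baseline. All sectors here
are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code, before the 4-byte disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # at offset 510
PART_ENTRY = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sectors


def parse_partitions(sector):
    """Return the four partition entries as dicts."""
    entries = []
    for n in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * n)
        entries.append({"status": status, "type": ptype, "start_lba": lba, "sectors": count})
    return entries


def boot_code_hash(sector):
    """SHA-256 of the bootstrap code region only."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, known_good_hash, expected_partitions=None):
    """Return findings; an empty list means the sector matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != known_good_hash:
        findings.append("bootstrap code differs from known-good baseline")
    if expected_partitions is not None and parse_partitions(sector) != expected_partitions:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device_path):
    """Read the first sector of a raw device, e.g. \\.\PhysicalDrive0 on Windows
    (administrator rights needed) or /dev/sda on Linux. Not called by the demo."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_sector(boot_code, partitions):
    """Build a constructed MBR: code padded to 440 bytes, partition entries, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for n, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * n, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline: a short stub standing in for the real loader code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = make_sector(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
BASELINE_PARTS = parse_partitions(CLEAN_MBR)

# Constructed "bootkit" sector: identical partition table, but the first bytes of
# code replaced by a short jump, as a loader that lives elsewhere on disk would do.
TAMPERED_MBR = make_sector(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:], PARTITIONS)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sec, BASELINE_HASH, BASELINE_PARTS) or "ok")
```

The baseline hash has to come from a trustworthy source: the same machine before the infection, or the OEM image, rather than from the possibly infected host, since a kernel-mode rootkit can also filter what a raw sector read returns. Reading the sector from a clean boot environment (the same one FixMbr is run from) avoids that problem.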

Status

Alureon remains active and under the control of cyber-criminals.

References

  1. ^ "Alureon trojan caused Windows 7 BSoD". microsoft.com. February 18, 2010. Retrieved 2010-02-18.
  2. ^ "MS10-015 Restart Issues Are the Result of Rootkit Infection". Threatpost.
  3. ^ "More information about Alureon". symantec.com.
  4. ^ "Most Active Botnet Families in 2Q10". Microsoft. Retrieved 2011-05-04.
  5. ^ "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Retrieved 2011-04-25.
  6. ^ "Google warns of massive malware outbreak". Financial Post. 2011-07-20. Retrieved 2011-11-25.
  7. ^ "Microsoft Security Bulletin MS10-015 - Important". Microsoft. 2010-03-17. Retrieved 2011-04-25.
  8. ^ "Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit". Microsoft Security Response Center. 2010-02-17.
  9. ^ Goodin, Dan (2010-11-16). "World's Most Advanced Rootkit Penetrates 64-bit Windows". The Register. Retrieved 2010-11-22.
  10. ^ Symantec Security Response writeup. http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
  11. ^ Symantec Security Response writeup. http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99
