TDSS: Silent but Deadly
First seen in 2008, TDSS was known for its ability to exist in systems without being discovered and the challenge it presents in terms of cleanup. The name “TDSS” was derived from a string that was consistently seen in dropped component files and registry entries in earlier variants although this later changed to mere random strings, which added to the difficulty in detecting TDSS samples.
TDSS often serves as a component for other malware, specifically FAKE-AV variants and DNS changers.
Earlier TDSS variants had three main components: a dropper, a rootkit component, and a .DLL file that performs the final payload. These three components served different functions that make up a stealthy and persistent malware operation. Although later variants of this malware were found to be standalone .EXE files, the same routines were executed.
It’s All About Blending In
Upon execution, TDSS drops a .TMP file in the %User Temp% folder. The said file whose file name varies performs the initial installation of all other malicious components.
Installation begins by registering itself as a system service. To do this, the dropped .TMP file copies a legitimate Microsoft Windows .DLL file and modifies it to load the .TMP file. It then exploits a vulnerability on the Microsoft Windows “Known DLLs” list to add the previously modified DLL into the list of .DLL files to be loaded into memory.
Once done, the MSISERVER service1 is restarted to load the modified DLL, thus effectively registering the dropped .TMP file as a system service. Once loaded in memory, the .TMP file creates the file %System%drivers/TDSSserv.sys. The said file will serve as the rootkit component that hides the malicious files and processes.
The TDSS rootkit component hooks functions in the kernel that allows it to hide files, registry entries, and processes. It also terminates certain processes, specifically those related to antivirus programs.
Basically, what TDSS does first is that it makes the system think that the malware is just any other normal process then creates a rootkit component that hides all evidence of it doing so.
Getting Down to Business
Once the rootkit component has been deployed, it drops a .DLL file in the %System% folder. The said file is injected into SVCHOST.EXE, during which it downloads more component files from the Internet.
Downloaded component files include configuration files that contain commands to execute as well as URLs to download more files from. It performs both HTTP GET and HTTP POST requests from and to the URLs and saves any downloaded file in the affected system. The downloaded file contains commands that can be executed by a remote user on the affected system. Some of the said commands are the following:
- Check command version
- Display popup advertisements
- Download other files (other DLL files and updated copy of TDSSserv.sys)
- Load certain modules from downloaded .DLL files
- Prevent programs, mostly antivirus applications, from running on the affected system
- Set command delay
- Upload log files (error logs, list of processes, OS version)
Different content are downloaded from different URLs. Thus, it is possible for the executed commands to differ from one system to another. The nature of executed commands may also depend on what malware is using TDSS as a component.
It’s What’s Under the Roof That Matters
The structured approach of TDSS in performing its routines on an affected system is not the only thing notable about TDSS. It has also been considered problematic by antivirus analysts due to its sophisticated means to evade analysis.
Efforts to evade detection begin as soon as it arrives on the affected system. TDSS arrives as an encrypted file with anti-debugging routines. Through code swinging, the malware uses several call instructions to jump to different locations in order to confuse the analyst while reading the code.
TDSS also hides its code to prevent immediate full analysis. Some variants have been found to have multiple encryption layers, requiring the malware code to be decrypted part by part. This prevents analysts from seeing the entire main algorithm.
In most things, it could take the failure of a single component to shut down a whole system. For TDSS, security analysts consider that component to be the one that keeps them in the dark: the rootkit component. By disabling the rootkit service, all the malicious files, processes, and components are placed into view, making analysis much easier to conduct.