Transcript
Page 1: The hidden part of TDSS

The hidden part of TDSS

Sergey (k1k) Golovanov, Malware Expert

Global Research and Analysis Team

Kaspersky Lab

Page 2: The hidden part of TDSS
Page 3: The hidden part of TDSS

Content

1. TDSS Overview 2. Reversing TDSS networking3. Analyzing p2p functionality 4. Monitoring active bot5. Getting CnC stats

Page 4: The hidden part of TDSS

TDSS Overview

Page 5: The hidden part of TDSS

Main modules

•MBR infector – bypass drivers digital signatures protection

•x64 rootkit – TDSS works on every modern Windows system

•Clicker – clicks banners and links

•Target on Black SEO – promoting web site via Google, Bing, Altavista and more

Page 6: The hidden part of TDSS

Affiliate Network

• Two Affiliate Networks are spreading TDSS• 20 - 200 USD for 1 000 installs• Affiliates installs TDSS via SPAM, Worms, Exploits and etc.

Page 7: The hidden part of TDSS

Malicious DHCP

Page 8: The hidden part of TDSS

Boot

Page 9: The hidden part of TDSS

Reversing TDSS networking.

Page 10: The hidden part of TDSS

Client to Server

command|noname|30127|0|0.03|0.15|5.1 2600 SP2.0|en-us|iexplore|351|0 and Benchmark(20000000,md5(1))|1614895754

1. Original request

2. RC4 or its modification where Key is the targeted host name

ХЪ7U>tюjЇ\+_Э→/CИY>Kо↓н>4L•xoУч¶@_►F_M!аw♀:Ыp↔d;_fщ☻§ю¶♥0язl

3. BASE64

r1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3

4EszDdXaN1U+dP5qr1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3DDr

4. Additional trash

5. HTTPS

Page 11: The hidden part of TDSS

Server to Client

1. Set Name parameter – additional unique key for RC4 or its modification

Page 12: The hidden part of TDSS

ANALYZING P2P FUNCTIONALITY

Page 13: The hidden part of TDSS

Analyzing p2p functionality

KAD.DLL algorithm:

1. Share encrypted file named as “ktzrules”2. Upload kad.dll on TDSS infected PCs3. Kad.dll loads public nodes.dat file with KAD Client/Servers IPs4. Kad.dll searchs for “ktzrules” file in public KAD network5. Kad.dll downloads “ktzrules” and executes commands

Page 14: The hidden part of TDSS

Analyzing p2p functionality

KAD.DLL functions:

1. SearchCfg – find “ktzrules” file with commands

2. LoadExe – Find and download exe file from KAD

3. ConfigWrite – write in configuration file

4. Search – find specified file in KAD

5. Publish – publish specified file

6. Knock – download new nodes.dat file

Public KAD Net

Default nodes.dat.

TDSS KAD Net

Nodes.dat with Clean and Infected users IPs

Page 15: The hidden part of TDSS

Monitoring active bot

Page 16: The hidden part of TDSS

Installs and proxy

Page 17: The hidden part of TDSS

Anti-Virus

•Gbot•ZeuS•Clishmic•Optima

Full list includes ~30 malware families name

Page 18: The hidden part of TDSS

Getting CnC stats

Page 19: The hidden part of TDSS

Getting CnC stats

60 proxy CnCs 3 MySQL DBs

5M infected PCs in 3 months

Page 20: The hidden part of TDSS

Summary

•MBR infector – bypass drivers digital signatures protection•x64 rootkit – TDSS works on every modern Windows system•Clicker – click banners and links•Target on Black SEO – promoting web site via Google, Bing, Altavista and more

•P2P botnet – no servers, no centers, sophisticated crypto protection for command file in hidden KAD network. •Own AV – detects more then 30 malware families •Clients Proxy –additional anonymizer via infected PCs•5 millions infected computers

Page 21: The hidden part of TDSS

http://www.facebook.com/KasperskyConferencehttp://www.kaspersky.com/educational-events

Page 22: The hidden part of TDSS

Kaspersky Lab PowerPoint Template | 12 October 2010

Page 23: The hidden part of TDSS

Thank You

Sergey (k1k) Golovanov, Malware Expert

Global Research and Analysis Team

Kaspersky Lab

Qu35t10n5?


Top Related