TDSS Rootkit Trojan

Discussion in 'malware problems & news' started by TheKid7, Apr 6, 2011.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    Can a TDSS type Trojan infect the boot sector of a RAID 5 or 6 Array (Motherboard type RAID, not full hardware RAID)?

    I know someone who started having some periodic BSOD's. He decided to scan with Dr.Web Cureit. Cureit detected the following:

    backdoor.Tdss 565 rootkit Trojan

    Cureit said that this Trojan had infected the svchost file. There were no reports of any MBR infections.

    Thanks in Advance.
     
  2. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    Returnil would help against this if you are worried about MBR infections because it locks the MBR from being written to while in virtual mode.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ TheKid7

    You might like to take a look at the TDL4 thread lotuseclat79 :thumb: posted - https://www.wilderssecurity.com/showthread.php?t=297690

    If you get any more info about the situation, please let us know :thumb:

    Help, maybe ? but not guaranteed :(
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Just out of curiosity, do you know what security apps this individual was running when he got infected (realizing, of course, that no matter which program it was, it may not have been up to date with definitions)?
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    Norton 360 with latest malware signatures. The Norton 360 software version number is one number less than the current version.
     
  6. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    If you don't mind me asking, did you check the Norton 360 logs and see if Sonar (or whatever the reputation/download guard thingy is) threw an alert and they just allowed it?
     
  7. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    He struggled with the PC for several weeks. He tried different Malware scanners and Antivirus Rescue CD's. He restored an old Acronis Image and still had the problem.

    Yesterday I suggested Comodo Cleaning Essentials to see if anything suspicious shows up. He downloaded and ran Comodo Cleaning Essentials. Comodo told him that it would do a scan on restart. He restarted the PC and kept getting BSOD's. He said that the MBR got knocked out and that maybe Malware did it when Comodo Cleaning Essentials tried to do a boot time scan.

    He has now given up decided to do a major upgrade of the PC. New MOBO, CPU, RAM, PS. The PC was around 7 years old.

    Could a Rootkit knock out the MBR when it detected a boot time scan?

    Thanks in Advance.
     
  8. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    standard procedure for me is always to reset the bootsector and write a new mbr (the disk should be mounted offline for this - either from cd or on another machine).

    The new tdss replaces volsnap.sys (and some may still replace atapi,sys). Mount the drive offline, and have hitmanpro scan the windows\system32\drivers folder (you need to do this from the commandline in order to scan a specific directory). It will usually locate the driver and remove it. You will need to replace volsnap.sys though. I take a copy from another machine, or the installation media.

    That isn't all.. There are a bunch of droppers and updaters usually along with it, but these can be removed through virus scanners, and tools like hijackthis & autoruns. Again, all of this must be done with the disk offline. If you boot into windows, TDSS will conceal itself.

    Finally, you need to clear out the task scheduler when you load back up (unplug the ethernet cable first). There will probably be a bunch of tasks in there, and its possible only the administrator can see them... so make sure you have admin access when you check it.

    TDSS sort of takes the kitchen sink approach... and unless you get it all, it will find a way to maintain the infection..
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    would not that be easier to just zero/nuke the hard drive?
     
  10. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Yes and no. That is always the surefire solution to problems like these.. Sometimes though, wiping the computer will require hours of work if you have a lot of software you need to install, and files you need to backup.

    A lot of the stuff I mentioned takes under a minute - the hitman pro scan of the drivers folder, clearing the task scheduler, and restoring the boot sector and MBR are really quick.

    For cleaning out the auto-running crap, I usually just restore older versions of the registry from snapshots in the System Restore. Most of the time, these are untouched... When you restore the main registry, along with the ntuser.dat and Usrclass.dat, you pretty much remove any registry based startups... and this takes under five minutes. You can verify removal of startup entries with hijackthis.

    I usually run a virus scan (typically with two scanners) of the Windows folder, profile folders, and program files folder then... but this is typically redundant. Without any way to load at startup, any malicious programs are typically inert.

    The virus scans might take an hour, but you don't usually have to be there... Overall, its not as bad as it seems...
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx m8!

    one could always restore an image after nuking the drive.
    it would seem easier for a noob, such as me, to just nuke it and re-image. ;)

    i've never tried nuking/zero a drive so i don't know how long THAT would take.

    but anyway,
    tnx again for taking the time. :)
     
  12. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    No problem... but you are definitely correct in the fact that this is probably the correct way to do it. When you "clean" you risk leaving malware on the system (and compromising security).

    Restoring an image (if you have one) is probably the easiest way to get back up and running again... and its the most secure. Unfortunately, most people don't make images, and its hard to keep them recent unless you have a good system of doing it.. but then again most people aren't up to performing a proper cleaning either.

    Personally, I often run into the predicament of having to clean other people's computer - either for money or for free (damn inlaws). In either situation, its usually best to take the faster way, which is often cleaning for me. When I have a customer, they usually don't want to pay for 3-4 hours of labor (I try to get things done in an hour). That doesn't leave time for a backup of 30 gigs of mp3's and videos. Then, when I'm doing it for free, I usually want to be doing something else. Definitely doing things the quick way.
     
    Last edited: May 5, 2011
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I prefer just reformatting LOL (Personal preference, yes it does takes time but it brings the most awesome results)
    But i only do it on my PC's, on friend or relatives i try to do a cleaning job because it would be a pain to ask . . . which files you want t backup? you want to keep this? and that? HAHAHAHA :D
     
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    I have done a "zero write" to a 2 TB SATA hard drive. From my memory, the "zero write" operation took around 16 to 20 hours.
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Wow!
    thanks for the info.:thumb:

    seems like it would be a good idea to do while you sleep for smaller drives.

    tnx to everyone as well for the infos.
    much appreciated! :thumb:
     
    Last edited: May 5, 2011
  16. zero_Phil

    zero_Phil Registered Member

    Joined:
    Apr 22, 2011
    Posts:
    67
    A very handy little app is TDSSKiller from Kaspersky (it is free) - if it finds any nasties it nukes 'em then you reboot your machine and you are good to go, I run it every few days as a precaution.
     
  17. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    TDSSKiller has worked well for me in the past, but its worth mentioning that one of the newer variants of TDSS hides itself from TDSSKiller (latest version)...
     
  18. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    Has anyone tried out the new Avast aswMBR scanner? How does it compare to TDSSKiller?

    https://www.wilderssecurity.com/showthread.php?t=298495

    Would it be better to rename the aswMBR scanner and the TDSSKiller scanner exe files prior to use to confuse malware that may have blocked those file names from execution?

    Is it is always better to run these MBR type scanners in Safe Mode?

    Thanks in Advance.
     
  19. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    A Secure Erase on that drive would take around 10 hours.
     
  20. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I don't think either of those techniques would really work with TDSS. It doesn't prevent specific file names from launching... and its methods for hiding itself apply to everything. I believe some of the latest varients mask the memory space it uses, and it also masks its presence in the file system. Its hiding isn't specific to certain file names, it hides from everything (including the OS itself).

    Safe mode also probably won't have an effect either because
    1) The first loader is activated from the MBR, and initialized very early in the boot process.
    and
    2) The TDSS authors make sure to use drivers that are loaded in safe mode. For instance, they've used atapi.sys and volsnap.sys.. and these drivers are always loaded. Once they are loaded, TDSS has full control..
     
  21. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    And after this, you decided to always, always make (a) separate OS partition(s)? ;)
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What's the point of nuking it? Just restore the image, and you done in far less time.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx JL. :)

    i was not sure if restoring an image replaced the MBR and Track0.
    i am still learning this stuff. :)
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Most disk imaging programs backup that as well. If not, almost all have tools that can reset the MBR.
     
  25. ramirez1

    ramirez1 Registered Member

    Joined:
    Sep 15, 2010
    Posts:
    30
    So PC was infected with backdoor.tdss.565 and not matter which program I used it still came back.

    I used Avast aswMBR and it was the only one to get rid of it

    Logs:


    After rebooting I ran a scan again:

    PC is running fine now
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.