TDSS/SafeSys Exploits in the Wild

Discussion in 'malware problems & news' started by Rmus, Jul 3, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A lot has been discussed in the "sandboxing & virtualization" forum about this class of malware and how various products respond when the malware is executed directly on the computer.

    But very little mentioned about how people get infected with this malware in the real world.

    In the past few years, in posts both here at Wilders and on other forums where the writer states she/he has been infected, I've asked (mostly by PM) how the infection took place, and I've never received a response.

    With a resurging interest in this class of malware, I've revisited the attack vector scenarios, and have put them into two categories. I'm hoping members can add to the list.

    (We'll omit a perpetrator gaining physical access to the computer, which was how Robot Dog was used in internet cafes in Asia, where users gained control over the computer.)

    The first category is where people install something, not knowing that it is infected with the malware. Here is one example:

    Tdss rootkit silently owns the net
    http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
    Please post other such reports.

    In looking at Hijack Forums, my observation from what people say is that the above scenario includes the largest group of those infected.

    Of particular interest:

    1) do you know of files infected with TDSS/SafeSys on web sites other than those types mentioned above?

    2) If you have first hand information about someone being infected and you know the particulars, you can describe it (without any personal references to the people).

    ___________________________________________________________________________

    The second category is the remote code execution type, aka, drive-by download. One example:

    Fragus Exploit Kit - TDSS Rootkit
    http://stopmalvertising.com/malware-reports/fragus-exploit-kit-tdss-rootkit
    Of particular interest:

    1) Most of these attacks are redirection attacks leading to a site hosted by a cybercriminal, which serves up the malware executable. Does anyone know of reported drive-by attacks where the malware executable was hosted directly on a legitimate compromised site?

    2) Does anyone know of reported USB attacks with this type of malware as the executable payload?

    3) Does anyone have first hand knowledge of someone victimized by a remote code execution attack that served up this type of malware?

    ___________________________________________________________________________

    I'm curious what others come up with. So far, I've seen nothing in the attack vectors any different than those serving up any other trojan executable.

    I'm requesting that people refrain from mentioning any products. Please use the other existing threads for that.

    I'm interested only in how the malware is initially delivered to the computer.

    In the next post, I'm going to start a list with the two examples I have here, which I'll update as others post.

    thanks,

    rich
     
    Last edited: Jul 4, 2010
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    List of reports about web sites hosting files infected with TDSS/SafeSys and the like; usually downloading sites.
    Also any first hand knowledge of such sites:


    ___________________________________________________________________________


    List of reports about remote code execution exploits hosting payloads with TDSS/SafeSys and the like.
    Also, first hand knowledge of victims of such exploits.

     
    Last edited: Jul 4, 2010
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hope people contribute to the thread :thumb:

    I do ;) Here's just a few. Some were live at some point, others still are, others live but cleaned up.

    con1.gif

    con2.gif

    con3.gif

    mdl.gif

    pt.gif

    Next post
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    warn.gif

    sgr.gif

    sgr-perm.gif

    Got those from MDL, there were more I trawled etc, but I'm limiting my screenies/posts etc to those. Takes a lot of time :(

    Anyway here's a couple of samples, literally, I was able to get today whilst researching this.

    tdss.gif

    us.exe = TDSS/Alureon = Result: 4/41

    dogma.exe = TDSS/Alureon = Result: 27/41


    I was also amazed to discover that lots of www's listed on MDL from as far back as several months ago are STILL serving nasties. Not only that, but when I DL'd and uploaded to VT, certain AV's etc are still NOT detecting the above, and others :eek:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, CloneRanger for those. I'll make one entry for sites obtained from MalwareDomainLists (MDLs). At any time, as you point out, URLs may or may not be still working.


    URLs on MDLs are usually the final stop in a remote code execution exploit, that is, the site to which the user has been redirected.

    MDLs are good for obtaining malware samples, for those interested in that. But they don't usually indicate how the exploit started, that is, the original site with the redirection code, as in the example I gave in the first post.

    It would be very interesting to find a legitimate site that had been compromised, and hosted the malware there instead of on a redirected site.

    Very noticeable on MDLs is the use of Exploit Kits, where various exploits target different vulnerabilities. Different browsers will trigger different exploits, but the same TDSS rootkit is the payload in the exploits.

    The customavatars site: is that a download site? It kept redirecting, so I don't know what the exploit is!


    ----
    rich
     
    Last edited: Jul 4, 2010
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Rmus, a lot of relevant and useful information here intending to group TDL/TDSS information, carried on here when that thread was closed due to trolls (now re-opened.)

    edit : kernelmodedotinfo seems down atm.
     
    Last edited: Jul 4, 2010
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    A lot of malware gets pushed at sharing sites as they are popular and TDL/TDSS is no exception. The difference with TDL is that it's hard to detect, and with hourly rebuilds further fooling antivirus, obviously there are a lot of casualties.

    If you know what to look for you can usually spot them easily. First time posters with 'new/2010' tags and interesting and sought-after software is usually the norm.

    For example here's a screenie of an adult online TV player install, again a popular subject, first time poster with come-get-me tags. At the time 3/41 AVs at VirusTotal detected something suspicious. It's only when you extract the files from setup.exe that you see the bundled TDL3 as well. Installing the online adult TV player means what is bundled in gets installed as well.

    Disclaimer, visits to these sort of download sites are for research purposes.

    yellow = initial download
    red = extracted files, bundled TDL3
     


    Last edited: Jul 4, 2010
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Online Advance Virus Remover page that, once finished a quick scan, offered a download (just TDL3) to cure the 'infections'.
     


  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Dedicated keygen/crack and serial sites. When I investigated further the page in the screenie, all the links in the yellow box are associated with each other. Doesn't matter which keygen, crack or serial you choose from the links or in the red box, they were all TDL3.
     


    Last edited: Jul 4, 2010
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Originally Posted by Rmus

    That's what I was hoping to show, but obviously failed :(
    Agreed, I'll keep looking ;)

    I think it's been cleaned up now.

    @Meriadoc

    Yeah I got one of those gooky "yellow = initial download" files caught by Avira yesterday when doing my previous posts, but didn't include it at the time.

    hf.gif

    ppi2.gif

    ppi2.exe = TDSS - VT today Result: 35/41
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Codecs and fake Adobe Flash Player downloads.

    edit : CloneRanger:thumb: I know where you've been :)
     


    Last edited: Jul 4, 2010
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Liberty exploit kit, SpyEye, Crimepack...there is a lot of these btw I have a few kits for analysis.

    SpyEye (I have the whole kit - builder, control panels and form grabber) can be used just like Fragus in the first post.

    v1.0.7 below added Kill Zeus option (malware killing malware) and grab basic-authorization, v1.0.8 added webinjects and now uses an all in one as opposed to a dropper. Gleaned payload, malware = Vundo/TDSS rootkit Packed.Win32.TDSS.aa.

    MD5 : 6a1bd54535f6b43a54ef2c13cf4180b4

    Exploit kits are typically for sale between $500-$2000 and customers can end up paying 4 times that amount or more over a series, updates and separates.
     


    Last edited: Jul 5, 2010
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks much, Meriadoc for your great examples with screenshots. I've added them to my list in Post #2.

    ----
    rich
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Serial www's are rife with malware, and have been for years. I'm amazed the word hasn't got round between DL'ers by now :D

    Found a newish TDSS fairly easily today on one such www

    frees.gif

    get.gif

    kg.gif

    keygen.exe = Win32/TDSS = Result: 7/41

    Unpacked the Rar and it came with code68703.txt. No password in there, or needed.

    *

    Also on a seemingly innocent looking www people searching for Photofiltre could quite easily land on here

    pf.gif

    Very similar http to a legit www

    soft.gif


    pfs-setup-en.exe = Backdoor.Win32.Yobdam = Result: 3/41

    I DL'd the real PF PhotoFiltre.exe from http://photofiltre.free.fr/download_en.htm, file size = 2.69 MB. The one above, pfs-setup-en.exe, file size = 5.18 MB.

    Might be an FP though? But the www doesn't appear pro?


    @Meriadoc

    You mean www's of the type in the attached screenshot? Actually only that one I showed earlier!
     
    Last edited: Jul 4, 2010
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, I added that to the list.

    Would this be a good example showing

    1) why people should download only from vendor's official site?

    (Then the question becomes, How does the user determine which is the official site?)

    2) why people should verify from other users before installing something?

    ----
    rich
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    :thumb:

    I think so :thumb: and/or from somewhere like cnet.com etc etc. That's why I posted it, to illustrate the dangers.

    Good question. I would suggest they use a search engine and look at, not just the first hits, but say at least 10 of them to compare and cross reference. Also I believe it would be as well to do a whois against the results. Not everybody will know how to, or how to interpret the results, or even be aware that such a service exists, and for free. But they could be shown, IF they are willing to learn? Plus after that, they could upload the file to VT etc, even if their AV etc has/not detected anything.

    If it's possible yes, though it might always be, if they don't know anyone who has, or don't know where to ask :(
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes this is the same site as from my post above - keygen, crack and serials, they have sites for them all. Downloads are all TDL3.
    It's a business, once the new build comes out the sites are updated.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Meriadoc, I've added SpyEye to the list. Very nice description of how the Kit works.

    Exploit kits are now well-represented, so we don't need others. We know that most are now including TDSS rootkits in their payloads.

    I'm hoping to find actual exploits to see what types of legitimate sites are being used to redirect to the malicious site that hosts the Exploit Kit.

    Unfortunately, most reports about TDSS just sensationalize the final result of the damage the malware does. While that type of sensational news generates lots of hits for the news sites, it does nothing to help the user to understand the attack. Knowing where the exploit originates gives information that helps determine how to prevent the exploit from running on the system.

    For example, in the Fragus Exploit analysis I cited earlier,

    Fragus Exploit Kit - TDSS Rootkit
    http://stopmalvertising.com/malware-reports/fragus-exploit-kit-tdss-rootkit

    we learn:

    1. A legitimate Wordpress blog was compromised with a script that redirected to a malicious site.

    2. That site used javascript to launch the exploit kit, looking for vulnerabilities.

    We can conclude that

    1. If the user had scripting disabled for his Wordpress blog, he would not be redirected. End of exploit and no TDSS infection.

    2. If the user had scripting White Listed for his Wordpress blog, he would be redirected.

    3. If the user had scripting White Listed, the script on page to which he was redirected would not run. End of exploit and no TDSS infection.

    4. If the user had scripting enabled globally, he would be redirected and the exploit would attempt to find vulnerabilities in the browser/plugins/OS. Whether or not an infection occurred would depend on factors, such as

      • whether or not the user had unpatched plugins or OS vulnerabilities

      • whether or not the user had protection against the execution of unauthorized executables.

    ----
    rich
     
    Last edited: Jul 4, 2010
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    At the risk of raising Rmus's wrath :eek:

    Here's some background info on Exploit kits, SpyEye and TDSS, which I hope will be of interest.

    *

    SpyEye Bot. Analysis of a new alternative scenario crimeware


    spyeye.gif

    SpyEye Bot (Part two). Conversations with the creator of crimeware


    spyeye2.gif

    http://www.malwareint.com/docs.html

    Managed to grab 2 SpyEye test files on my travels ;)

    spyeye3.gif

    *

    State of art in Eleonore Exploit pack


    el.png

    -

    Related information

    http://malwareint.blogspot.com/2010/01/state-of-art-in-eleonore-exploit-pack.html

    *

    Here's some info I wasn't aware of, about a DLL vulnerability TDSS takes advantage of.

    *

    TDSS: Silent but Deadly

    More http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Meriadoc

    Indeed it would seem so, sorry didn't realise it was when I posted! Anyway now it's visible, and I provided extra info ;)

    And a very lucrative one at that :( Fancy crossing over to the dark side? :D
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Don't even have to think about it :) - Never!
     
  22. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I've managed to obtain various Bot kits and played with this crap. With regular updates, the various plug-ins, separates and protection features they can be quite sophisticated.

    edit: exploit kit spelling.
     


    Last edited: Jul 5, 2010
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, the Exploit Kits are very much in use these days.

    There doesn't seem to be anything else to add to the attack vectors, so I'll summarize my conclusions about the threat of TDSS in exploits.

    1) It's just another trojan and can be prevented from infecting as one would prevent any similar trojan.

    2) The remote code execution exploits are the easiest to prevent because

    • Controlling scripting stops the exploit from running in the first place in almost all of the redirection attacks

    • Execution prevention blocks the payload executable from running, should the exploit get that far.

    3) The social engineering exploits are the most difficult to prevent because of the lure of free and pirated software. Again, there is nothing new here.

    From a blog in 2008:

    http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
    December 16th, 2008
    Posted by: Marco Giuliani
    I'm still interested to know if the TDSS rootkit is bundled with software on more "legitimate" sites. Someone told me of one on a children's site, but could not provide the example. I've not found any such reference elsewhere.

    Thanks to CloneRanger and Meriadoc for their examples and screenshots.

    regards,

    rich
     
  24. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    I had a user last week who got it from a Google search link. She was looking for news about The Bachelorette TV show and the next thing she knew, BAM! All of a sudden I get a phone call from her to clean it up. We went back into Google, I tried to narrow it down to the exact link, but we couldn't find it. Thankfully she notified me quickly and the fix was easy.
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Do my eyes deceive me or is that a decade-old NT 4 vulnerability that's been patched since practically forever? :eek: What is that doing in there? :D If it's an attempt to set up the service without HIPS products noticing, I guess it's pretty original...


    On the social engineering subject, I ran into a bunch of cracked software installers with TDSS thrown in for good measure. The installers actually do work and install what they promise, but along comes also a free rootkit surprise. Lots of stuff: Winamp, Winrar, Photoshop, that sort of thing. Pirates beware.
     