The Tale of my Battle with TDSS

Discussion in 'malware problems & news' started by Brandonn2010, Dec 1, 2012.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I just spent the last 4 or more hours getting rid of a TDSS infection, so I feel the need to detail what went on.

    It began by my Mom telling me some family friends needed help with their computers again (I had upgraded their laptop to Windows 7). Their wireless printer wasn't printing documents.

    I went to their home, and solved the problem in about 10 minutes. They had got a new router and their printer's IP was different than what the PC thought it was, so setting the new IP address fixed it, as well as switching to a different network they had.

    Their son's laptop had the same problem, but the fix required removing and re-adding the printer. However, since he is a high-risk user, I asked them if I could scan his PC. I did with HitmanPro. It found about 11 entries for ZeroAccess. At that point I thought, "Oh crap."

    I decided to get a second opinion from TDSSKiller. It found similar infections. I chose to remove them. While I was removing them, McAfee popped up an alert about Desktop.ini in the GAC_32 and GAC_64 directories. I figured the malware would just regenerate.

    I removed the infections with TDSSKiller, but it failed to cure services.exe. I restarted and let McAfee have a go at the Desktop.ini malware. After rebooting, the same alert occurred, which meant the malware was regenerating.

    I decided to use my Kaspersky Rescue CD on my USB drive. However, it had some error and failed to boot! My silver bullet had failed when I needed it most. I again ran TDSSKiller, it removed the same files, and still failed to cure services.exe.

    At this point I decided to use KillSwitch, and disable services.exe. I also opened the folder and renamed it to servicesvirus.exe, so it would not run. I had done this with a fake AV on my Mom's laptop, and it had crippled the malware and interrupted its regeneration. However, I wasn't aware this services.exe was the actual services.exe, not a pure malware file.

    This resulted in the computer having lots of errors. I rebooted it, and got the startup repair screen. I did it, and it just went back to the startup repair screen. Because of this I booted to a Windows recovery CD on my USB drive. I attempted startup repair, but it failed. I thought maybe the TDSS thing had infected the MBR, so I did FixMBR and FixBoot. That was a horrible mistake. I rebooted, and the computer failed to boot saying it couldn't find an OS or something.

    Feeling very worried I had bricked their PC, I went home and made an actual repair CD from a good PC. I brought the CD back, and attempted startup repair from the CD. It worked. I rebooted and was back to the startup repair loop. Realizing at this point the services.exe file was necessary and not pure malware, I booted into Ubuntu and renamed it back. After rebooting again, I could get into Windows. Success.

    I Googled how to replace the services.exe file. I ran TDSSKiller again, with the scan loaded modules option selected. I ran a scan, removed what it found, and it failed to cure services.exe. However, I ran sfc /scanfile=c:\windows\system32\services.exe.

    Windows detected the corrupt file, and upon reboot replaced it. I ran the command again, and no corruption was found! With the services.exe file fixed, I replaced McAfee with Norton and ran another scan with HitmanPro, to verify there was no malware. Unfortunately, almost everything was still there, except for the infected services.exe. I decided to activate the free trial for HMP and let it remove the infections. It did, and after rebooting, I ran another scan, this time all clean!

    From this experience I have learned:

    1. The TDSS infection is a tricky bastard.
    2. USB Windows repair discs are rubbish.
    3. Do not rename files to try and deactivate them, as they may actually be infected files and not pure malware.
     
  2. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    It would have been very interesting to see if MBAR could have dealt with this, shame, we will never know :D
    Also be careful with system restore, I believe 0access sets its own restore point and deletes all previous ones
     
  3. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    You should've used Dr.Web CureIt! too. It's a nice piece of software adding great value to a computer techie. ;)
    EDIT: Have you ever used Hiren's Boot CD? I did and it works great! An entire arsenal of PC repair utilities, and free and legit (as far as I know).
    Here's the link: http://www.hiren.info/
    MODS please remove the link if I'm doing something wrong! Thanks!
     
  4. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    I'm sorry but I disagree. I have used Dr.Web on a 0access infected machine, it did nothing (even the live CD).
    There are very few tools that work with these types of rootkits. ComboFix can replace the services.exe with another copy, and TDSSKiller can cure infected system files. As far as I know, that's it, which is why I would have liked to see how MBAR fared.
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Why did you decide to activate HMP trial only at the end? It might have saved you a lot of trouble. From the release notes:
    They update HMP frequently to detect and remove new tough infections, usually earlier than other vendors :)
     
  6. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    What was the version of the Dr.Web Products that were used? Was the DrWeb CureIt a Beta or non-Beta version?

    Also, was the DrWeb Live CD the latest version (November 1, 2012 or later)? The latest Dr.Web Live CD/Live USB version has scanning for rootkits. The previous version did not have scanning for rootkits.

    https://www.wilderssecurity.com/showthread.php?t=335163
     
  7. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Sorry, I have no idea, definitely before Nov. (6+ months ago).
    Lots of tools claim to do lots of things. The two that 'have' been working for much longer are ComboFix and TDSSKiller. These seem to be the tools used on malware removal forums. :)
     
  8. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Hahahahaha good story.
    What the heck was his son doing with so many infections . . . Sounds like my buddy from high school that always had hundreds of viruses. :eek:
     
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I thought that I read somewhere that some rootkits can store information (files, logs, etc.) in hard drive sectors that show up as unused space to Windows. I also seem to remember it being reported that a rootkit would 'kill' Eraser when the option to wipe unused disk space was selected. Could the file regeneration be from these hidden sectors? Are there any bootable utilities that can wipe unused space without wiping the Windows System Partition and MBR?
     
  10. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I've got a question about TDSS. What exactly does it do? It seems every site I check has different answers. Some say it steals info, others that it serves up fake AVs, others the ransom malware, others redirects searches, yet his was completely silent.
     
  11. AFAIK it doesn't actually do any of those, only serves to hide and protect a payload that does one or more of those things. That's pretty much the definition of a rootkit.
     
  12. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Hmm. I don't think there was any malware detected that wasn't ZeroAccess, so maybe it had no payload. Hopefully it wasn't a backdoor because he does do some financial stuff on his laptop.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Never trust any of this software for disinfection and repair. The software that works today might just fail tomorrow. It takes a lot of time and effort and is pretty stressful with such nasty infections. It's very likely that all your common tools will fail.

    I prefer an ISR (not in the case of TDSS, of course), image restore or a fresh reinstall of an OS.
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I always formatted my friends' PCs, it's not worth trying to cure or fix a screwed up OS. :D
     
  15. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I also prefer an ISR. An ISR is always the best solution.
     
  16. Until someone whips out a kernel vulnerability!
     
  17. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Alas, the laptop didn't come with a Windows disc, and I believe most newer PCs don't either. Plus, that would require much more time and work, and that hadn't even been the thing I went there to fix. I just happened to find the laptop was infected because I had guessed it was.
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    With such bad infections, after having cleaned the worst and saved important data, it is always best to fully reformat and start clean, especially if the system is used for banking/shopping/etc. Better safe than sorry. ;)
     
  19. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I would wipe (zero write to all sectors) followed by a format and OS reinstall.
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    If you are going to try to clean a rootkit infection, it would be a good idea to use GParted or another bootable partition management utility to check for and delete any partition which may have been added by the rootkit.

    -http://www.youtube.com/watch?v=-JJjdJ4z5CE
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Don't forget reflashing the BIOS and maybe other firmware. Who knows how infected it could be.
     
  22. How would zeroing the disk help? I suppose a trojan bootloader might look for malicious code on a certain location on the disk, without the filesystem's help, but in that case I'd think that wiping the MBR would suffice. Sure, there'd still be (unlinked) malicious code lying around on your disk, but nothing would be calling it.

    Or so I would tend to think?
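TheKid7's question about rootkits keeping data in sectors Windows reports as unused, his later advice to check for a partition the rootkit may have added, and the reply above asking what zeroing the disk buys all come down to the same inspection: what does the partition table say, and how much of the disk sits outside any partition? The script below is an added example and not part of this thread or of any tool named in it. It parses a classic 512-byte MBR, lists the primary partitions, computes the unallocated spans between them, and flags anything an administrator would not expect from a default Windows 7 layout (two NTFS partitions, first one aligned at LBA 2048). The sector it analyses, the disk size and the extra "hidden FAT32" entry are constructed sample values built inside the script; on a real case you would feed it sector 0 read from a forensic image of the drive.

```python
"""Audit an MBR partition table for unexpected entries and unallocated spans.

Constructed example: the 512-byte sector is built in this script, not read
from a real disk. Starting LBAs, sizes and the 0x1B type code are sample
values chosen to resemble a default Windows 7 layout plus one extra partition.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR_BYTES = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries live at 446..509
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of every valid MBR
# Windows (Vista and later) places the first partition at LBA 2048, so a gap of
# up to 2047 sectors between the MBR and the first partition is normal.
ALIGNMENT_GAP_SECTORS = 2048


@dataclass
class Partition:
    slot: int          # 0..3, position in the MBR table
    bootable: bool     # status byte 0x80 marks the active partition
    type_id: int       # partition type code (0x07 = NTFS/exFAT/HPFS)
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.lba_start + self.sectors


def parse_mbr(mbr: bytes) -> list[Partition]:
    """Decode the four primary partition entries of a classic MBR."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not a valid MBR")
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        status, type_id = mbr[off], mbr[off + 4]
        # Bytes 8..15 hold the 32-bit little-endian start LBA and sector count;
        # the CHS fields in between are ignored, as modern systems do.
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if type_id == 0 and sectors == 0:
            continue  # unused slot
        parts.append(Partition(slot, status == 0x80, type_id, lba_start, sectors))
    return parts


def unallocated_spans(parts: list[Partition], disk_sectors: int) -> list[tuple[int, int]]:
    """Return (lba_start, length) for every run of sectors no partition covers.
    LBA 0 holds the MBR itself and is not counted as unallocated."""
    spans = []
    cursor = 1
    for start, end in sorted((p.lba_start, p.lba_end) for p in parts):
        if start > cursor:
            spans.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        spans.append((cursor, disk_sectors - cursor))
    return spans


def audit_layout(mbr: bytes, disk_sectors: int, expected_types=(0x07,)) -> list[str]:
    """Flag partitions of an unexpected type and unallocated spans larger than
    the alignment gap. Each finding is a place to examine in the image, not a verdict."""
    parts = parse_mbr(mbr)
    findings = []
    for p in parts:
        if p.type_id not in expected_types:
            findings.append(f"slot {p.slot}: unexpected partition type 0x{p.type_id:02X} "
                            f"at LBA {p.lba_start}, {p.sectors} sectors")
    for start, length in unallocated_spans(parts, disk_sectors):
        if length >= ALIGNMENT_GAP_SECTORS:
            findings.append(f"unallocated span of {length} sectors starting at LBA {start}")
    return findings


def build_sample_mbr(entries) -> bytes:
    """Build a constructed MBR from (bootable, type_id, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    for slot, (bootable, type_id, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * slot
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = type_id
        struct.pack_into("<II", mbr, off + 8, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed 50 GiB disk: System Reserved (100 MiB), the Windows volume, and a
# third "hidden FAT32" (0x1B) entry the owner never created.
SAMPLE_DISK_SECTORS = 104_857_600
SAMPLE_MBR = build_sample_mbr([
    (True, 0x07, 2_048, 204_800),
    (False, 0x07, 206_848, 100_000_000),
    (False, 0x1B, 102_000_000, 2_048_000),
])

if __name__ == "__main__":
    for line in audit_layout(SAMPLE_MBR, SAMPLE_DISK_SECTORS):
        print(line)
```

On the sample disk the script reports the 0x1B partition in slot 2 plus two large unallocated spans (between the Windows volume and the extra partition, and after it), while the 2047-sector alignment gap before the first partition is not reported. Adjust `expected_types` to the machine's known layout (OEM recovery partitions use their own type codes), and treat a hidden partition that happens to use an expected type as the reason to compare against a baseline recorded when the machine was known clean rather than against a fixed list.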
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  24. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  25. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    853
    I would never spend this amount of time removing malware, especially if a backup image is available. Which it should be.

    I make sure all of my customers have a recent disk image, and are aware of where they store their data.

    If a malware attack happens, the first thing I recommend is to boot into a linux disk to grab the important customer data files. Then do an image restore. Then put back the customer data.

    This is a time-honored method that works. Nuking it from orbit is the only way to be sure!
     