Proactive IT Security
 

TDSS

Threat risk:
medium

Detection files published:
2009-01-06
Description created:
2010-01-13
Description updated:
2010-01-13

Malware type:
Bot / Botnet, Rootkit, Trojan
Alias:
TDL3, Alureon
Spreading mechanism:
Webpage

Payload:
Bot, Hides files on disk, downloads and installs malware

Summary

TDSS is a trojan that has a rootkit component and a bot component. The rootkit is responsible for hiding the trojan's files on disk, and for providing hidden and encrypted storage for the bot component. The bot component connects to remote computers and makes the infected computer part of a botnet. It may download and install additional malware.

TDSS requires special software for removal.

Spreading description

We have observed TDSS being spread mostly through warez and torrent sites offering fake cracks and keygens.

Some Rogue AV families have been observed installing TDSS as an additional payload.

Threat description

TDSS is a stealthy rootkit. It operates by infecting a low-level system driver, typically atapi.sys, iastor.sys or vmscsi.sys. Much like a file-infecting virus, it overwrites part of the resource section of the chosen driver with parasitic code that executes before the host driver's own code. When the system boots, this code loads the main rootkit component very early in the boot process.

The different modules are stored encrypted outside the local file system. TDSS implements its own file system, located in the last sectors of the hard disk, which is accessible only to the rootkit itself and its user-mode components.

The rootkit hijacks the device object responsible for disk access, so every request to read from or write to the disk is intercepted. When the contents of the infected driver are read, a clean version is presented instead. In this way the rootkit remains hidden while it is active.

The userland components stored alongside the rootkit component are injected into a process by the rootkit when it loads at boot time. To give these components access to the encrypted file system, the rootkit creates a device object with a random name. The components typically provide bot functionality, and may download and install additional malware.
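The description above says the infected driver carries parasitic code in its resource section that runs before the host. One defender-side check that follows from that, added here as an example and not taken from Norman or from this page: parse a driver's PE headers and flag an entry point that lands in .rsrc or in a section without the execute flag. It assumes the parasitic code is reached by redirecting the driver's entry point (the page does not state the exact mechanism) and uses constructed, header-only PE images in place of real drivers.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers only, not a real driver); sections = [(name, va, vsize, chars)]."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

def entry_point_section(pe):
    """Return (name, characteristics) of the section holding AddressOfEntryPoint."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)        # FileHeader.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)   # FileHeader.SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", pe, e_lfanew + 40)      # OptionalHeader.AddressOfEntryPoint
    base = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    for off in range(base, base + 40 * nsec, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        if vaddr <= entry < vaddr + vsize:
            return name, chars
    return None, None

def entry_point_findings(pe):
    """Heuristic: an entry point in .rsrc or in a non-executable section is suspicious; [] means nothing odd."""
    name, chars = entry_point_section(pe)
    if name is None:
        return ["entry point outside every section"]
    findings = []
    if name == ".rsrc":
        findings.append("entry point inside resource section")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section " + name)
    return findings

LAYOUT = [(b".text", 0x1000, 0x2000, 0x60000020),   # constructed layout: code, execute + read
          (b".rsrc", 0x4000, 0x1000, 0x40000040)]   # resources, read only
CLEAN = build_pe(0x1100, LAYOUT)     # entry point in .text
PATCHED = build_pe(0x4200, LAYOUT)   # entry point moved into .rsrc
```

Because the rootkit serves a clean copy of the infected driver to ordinary reads while it is active, a check like this is only meaningful on a copy obtained from outside the running system, for example from an offline disk image.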

Removal

Please download and run Norman TDSS Cleaner.

Note that only the latest generation of TDSS (called version 3) is supported by the cleaner at this time.