TDSS variants
The malware detected by Kaspersky Anti-Virus as TDSS is the most
sophisticated threat today. TDSS uses a range of methods to evade
signature, heuristic, and proactive detection, and uses encryption to
facilitate communication between its bots and the botnet command and
control center. TDSS also has a powerful rootkit component, which allows
it to conceal the presence of any other types of malware in the system.
Its creator calls this program TDL. Since it first appeared in 2008,
malware writers have been perfecting their creation little by little. By
2010, the latest version was TDL-3, which was discussed in depth in an
article published in August 2010.
The creators of TDSS did not sell their program until the end of
2010. In December, when analyzing a TDSS sample, we discovered something
odd: a TDL-3 encrypted disk contained modules of another malicious
program, SHIZ.
![](http://www.securelist.com/en/images/vlill/tdl4_pic01.png)
TDL-3 encrypted disk with SHIZ modules
At that time, a new affiliate program
specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.
The changes that had been made to the TDL-3 configuration and the
emergence of a new affiliate marketing program point to the sale of
TDL-3 source code to cybercriminals who had previously been engaged in
the development of SHIZ malware.
Why did the creators of TDL decide to sell source code of the third
version of their program? The fact is that by this time, TDL-4 had
already come out. The cybercriminals most likely considered the changes
in version 4 to be significant enough that they wouldn’t have to worry
about competition from those who bought TDL-3.
In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system.
This article will take a closer look at how TDL-4 communicates with the
network and uploads data to the botnet, which numbered over 4.5 million
infected computers at the time of writing.
Yet another affiliate program
The way in which the new version of TDL works hasn’t changed so much
as how it is spread - via affiliates. As before, affiliate programs
offer a TDL distribution client that checks the version of the operating
system on a victim machine and then downloads TDL-4 to the computer.
![](http://www.securelist.com/en/images/vlill/tdl4_pic02.png)
Affiliates spreading TDL
Affiliates receive between $20 to $200 for every 1,000 installations
of TDL, depending on the location of the victim computer. Affiliates can
use any installation method they choose. Most often, TDL is planted on
adult content sites, bootleg websites, and video and file storage
services.
The changes in TDL-4 affected practically all components of the
malware and its activity on the web to some extent or other. The malware
writers extended the program functionality, changed the algorithm used
to encrypt the communication protocol between bots and the botnet
command and control servers, and attempted to ensure they had access to
infected computers even in cases where the botnet control centers are
shut down. The owners of TDL are essentially trying to create an
‘indestructible’ botnet that is protected against attacks, competitors,
and antivirus companies.
The ‘indestructible’ botnet
Encrypted network connections
One of the key changes in TDL-4 compared to previous versions is an
updated algorithm encrypting the protocol used for communication between
infected computers and botnet command and control servers. The
cybercriminals replaced RC4 with their own encryption algorithm using
XOR swaps and operations. The domain names to which connections are made
and the bsh parameter from the cfg.ini file are used as encryption
keys.
Readers may recall that one of the distinguishing features of malware
from the TDSS family is a configuration file containing descriptions of
the key parameters used by various modules to maintain activity logs
and communications with command and control servers.
Example of configuration file content
Compared to version 3, there are only negligible changes to the
format of the configuration file. The main addition is the bsh
parameter, an identifier which identifies the copy of the malware, and
which is provided by the command and control sever the first time the
bot connects. This identifier acts as one of the encryption keys for
subsequent connections to the command and control server.
Part of the code modified to work with the TDL-4 protocol.
Upon protocol initialization, a swap table is created for the bot’s
outgoing HTTP requests. This table is activated with two keys: the
domain name of the botnet command and control server, and the bsh
parameter. The source request is encrypted and then converted to base64.
Random strings in base64 are prepended and appended to the received
message. Once ready, the request is sent to the server using HTTPS.
The new protocol encryption algorithm for communications between the
botnet control center and infected machines ensures that the botnet will
run smoothly, while protecting infected computers from network traffic
analysis, and blocking attempts of other cybercriminals to take control
of the botnet.
An antivirus of its own
Just like Sinowal,
TDL-4 is a bootkit, which means that it infects the MBR in order to
launch itself, thus ensuring that malicious code will run prior to
operating system start. This is a classic method used by downloaders
which ensures a longer malware lifecycle and makes it less visible to
most security programs.
TDL nimbly hides both itself and the malicious programs that it
downloads from antivirus products. To prevent other malicious programs
not associated with TDL from attracting the attention of users of the
infected machine, TDL-4 can now delete them. Not all of them, of course,
just the most common.
TDSS module code which searches the system registry for other malicious programs
TDSS contains code to remove approximately 20 malicious programs,
including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry,
searches for specific file names, blacklists the addresses of the
command and control centers of other botnets and prevents victim
machines from contacting them.
This ‘antivirus’ actually helps TDSS; on the one hand, it fights
cybercrime competition, while on the other hand it protects TDSS and
associated malware against undesirable interactions that could be caused
by other malware on the infected machine.
Which malicious programs does TDL-4 itself download? Since the
beginning of this year, the botnet has installed nearly 30 additional
malicious programs, including fake antivirus programs, adware, and the
Pushdo spambot.
![](http://www.securelist.com/en/images/vlill/tdl4_pic06.png)
TDSS downloads
Notably, TDL-4 doesn't delete itself following installation of other
malware, and can at any time use the r.dll module to delete malware it
has downloaded.
Botnet access to the Kad network
One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?
We have known about botnets controlled via P2P for some time now,
although until now, these were closed protocol connections created by
the cybercriminals themselves. In contrast, TDSS uses a public P2P
network in order to transmit commands to all infected computers in the
botnet. The initial steps of how TDSS makes use of Kad are given below:
- The cybercriminals make a file called ktzerules accessible on the
Kad network. The file is encrypted and contains a list of commands for
TDSS.
- Computers infected with TDSS receive the command to download and install the kad.dll module.
- Once installed, kad.dll downloads the file nodes.dat, which
contains the publicly accessible list of IP addresses of Kad network
servers and clients.
- The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
- Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.
Encrypted kad.dill updates found on the Kad network
Below is a list of commands from an encrypted ktzerules file.
- SearchCfg – search Kad for a new ktzerules file
- LoadExe – download and run the executable file
- ConfigWrite – write to cfg.ini
- Search – search Kad for a file
- Publish – publish a file on Kad
- Knock – upload a new nodes.dat file to the C&C which
contains a list of Kad server and clients IP addresses, including those
infected with TDSS.
The most interesting command is Knock. This command allows the
cybercriminals to create their own Kad P2P, the clients of which are
exclusively TDSS-infected computers.
![](http://www.securelist.com/en/images/vlill/tdl4_pic08_en.png)
How publicly accessible and closed KAD networks overlap
Essentially, the TDSS botnet kad.dll module is more or less the same
as cmd.dll in terms of control function. By running nodes.dat files
containing a list of IP addresses of Kad clients in addition to
ktzerlrules, which contains a command to download a new nodes.dat file
from cybercriminal servers, the owners of the botnet can both include
their infected computers in the publicly accessible Kad network and
remove them from the network. The publicly accessible Kad network
contains no more than 10 TDSS infected computers. This makes replacing
the ktzerules file as inefficient as possible, which prevents other
cybercriminals from taking control over the botnet. The total number of
TDSS infected computers on the closed network number tens of thousands.
Kad.dll code responsible for sending commands from the TDL-4 cybercriminals
Furthermore, access to Kad makes it possible for the cybercriminals
to download any files to botnet machines and make them accessible to the
P2P users. This includes adult content files and stolen data bases.
The key threat that such a botnet poses is that even when its command
and control centers are shut down, the botnet owners will not lose
control over infected machines. However, the system does face two major
obstacles:
- By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
- When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.
Extended functionality
In addition to its known adware function, TDL-4 has added some new
modules to its arsenal. This article has already touched on the
‘antivirus’ function and the P2P module. The owners of TDSS have also
added several other modules to their malware, and now offer services
such as anonymous network access via infected machines and 64-bit
support.
The proxy server module
A file called Socks.dll has been added to TDSS’s svchost.exe; it is
used to establish a proxy server on an infected computer. This module
facilitates the anonymous viewing of Internet resources via infected
machines.
Having control over such a large number of computers with this
function, the cybercriminals have started offering anonymous Internet
access as a service, at a cost of roughly $100 per month. For the sake
of convenience, the cybercriminals have also developed a Firefox add-on
that makes it easy to toggle between proxy servers within the browser.
Firefox add-on for anonymous Internet use via the TDSS botnet
64-bit support
The appearance of a 64-bit malicious driver in TDSS was another
innovation in malware in 2010. In order to support operations with
64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a
version of cmd.dll for 64-bit systems. However, due to the limitations
of working with 64-bit programs, cmd64.dll code only provides
communication with the botnet command and control servers.
List of botnet command and control center commands
Working with search engines
The cmd.dll module (see
for details) remains almost completely unchanged. This module
facilitates communication with the botnet command and control servers
and substitutes search results, i.e. fraudulently manipulates
advertising systems and search engines. The newest innovation in the
list of commands for TDSS is the SetName command, which assigns a number
to each infected computer. For search engines and banner networks, TDSS
uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.
![](http://www.securelist.com/en/images/vlill/tdl4_pic12.png)
List of search engines supported by TDSS
Botnet command and control servers
When running, TDSS uses several sources to obtain lists of command
and control server addresses. The default list is taken from cmd.dll; if
these addresses are inaccessible, then TDSS gets a list from cfg.ini.
If for some reason no command and control server listed is accessible,
then a list is created from an encrypted file called bckfg.tmp, which
the bot receives from the command and control server on first
connection. Since the beginning of the year, around 60 command and
control centers have been identified across the globe.
Control server address | Server address at the beginning of February | Server address at the beginning of March | Percentage of mentions in C&C lists |
01n02n4cx00.cc | noip | noip | 0,05% |
01n02n4cx00.com | 91.212.226.5 | noip | 0,43% |
01n20n4cx00.com | 91.212.226.5 | 91.193.194.9 | 0,21% |
0imh17agcla.com | 77.79.13.28 | 91.207.192.22 | 0,80% |
10n02n4cx00.com | 194.28.113.20 | 194.28.113.20 | 0,22% |
1il1il1il.com | 91.212.158.72 | 91.212.158.72 | 6,89% |
1l1i16b0.com | 91.193.194.11 | 91.193.194.11 | 0,43% |
34jh7alm94.asia | 205.209.148.232 | noip | 0,03% |
4gat16ag100.com | noip | noip | 2,07% |
4tag16ag100.com | 178.17.164.129 | 91.216.122.250 | 6,69% |
68b6b6b6.com | noip | noip | 0,03% |
69b69b6b96b.com | 91.212.158.75 | noip | 6,89% |
7gaur15eb71.com | 195.234.124.66 | 195.234.124.66 | 6,85% |
7uagr15eb71.com | noip | noip | 2,07% |
86b6b6b6.com | 193.27.232.75 | 193.27.232.75 | 0,14% |
86b6b96b.com | noip | noip | 0,24% |
9669b6b96b.com | 193.27.232.75 | 193.27.232.75 | 0,22% |
cap01tchaa.com | noip | noip | 2,19% |
cap0itchaa.com | noip | noip | 0,58% |
countri1l.com | 91.212.226.6 | 91.212.158.72 | 6,89% |
dg6a51ja813.com | 91.216.122.250 | 93.114.40.221 | 6,85% |
gd6a15ja813.com | 91.212.226.5 | 91.212.226.5 | 2,07% |
i0m71gmak01.com | noip | noip | 0,80% |
ikaturi11.com | 91.212.158.75 | noip | 6,89% |
jna0-0akq8x.com | 77.79.13.28 | 77.79.13.28 | 0,80% |
ka18i7gah10.com | 93.114.40.221 | 93.114.40.221 | 6,85% |
kai817hag10.com | noip | noip | 2,07% |
kangojim1.com | noip | noip | 0,14% |
kangojjm1.com | noip | noip | 0,24% |
kur1k0nona.com | 68.168.212.21 | 68.168.212.21 | 2,19% |
l04undreyk.com | noip | noip | 0,58% |
li1i16b0.com | noip | noip | 0,05% |
lj1i16b0.com | noip | noip | 0,05% |
lkaturi71.com | noip | noip | 0,14% |
lkaturl11.com | 193.27.232.72 | 193.27.232.72 | 0,22% |
lkaturl71.com | 91.212.226.6 | 91.212.158.72 | 7,13% |
lo4undreyk.com | 68.168.212.18 | 93.114.40.221 | 2,19% |
n16fa53.com | 91.193.194.9 | noip | 0,05% |
neywrika.in | noip | noip | 0,14% |
nichtadden.in | noip | noip | 0,02% |
nl6fa53.com | noip | noip | 0,03% |
nyewrika.in | noip | noip | 0,03% |
rukkeianno.com | noip | noip | 0,08% |
rukkeianno.in | noip | noip | 0,08% |
rukkieanno.in | noip | noip | 0,03% |
sh01cilewk.com | 91.212.158.75 | noip | 2,19% |
sho1cilewk.com | noip | noip | 0,58% |
u101mnay2k.com | noip | noip | 2,19% |
u101mnuy2k.com | noip | noip | 0,58% |
xx87lhfda88.com | 91.193.194.8 | noip | 0,21% |
zna61udha01.com | 195.234.124.66 | 195.234.124.66 | 6,85% |
zna81udha01.com | noip | noip | 2,07% |
zz87ihfda88.com | noip | noip | 0,43% |
zz87jhfda88.com | 205.209.148.232 | 205.209.148.233 | 0,05% |
zz87lhfda88.com | noip | noip | 0,22% |
A careful examination of this list reveals that the IP addresses of
command and control centers are constantly changing, while some command
and control centers are phased out altogether. These changes are due to
the use of proxy servers, which hide the true location of the command
and control centers.
Command and control server statistics
Despite the steps taken by cybercriminals to protect the command and
control centers, knowing the protocol TDL-4 uses to communicate with
servers makes it possible to create specially crafted requests and
obtain statistics on the number of infected computers. Kaspersky Lab’s
analysis of the data identified three different MySQL databases located
in Moldova, Lithuania, and the USA, all of which supported used proxy
servers to support the botnet.
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.
Distribution of TDL-4 infected computers by country
Nearly one-third of all infected computers are in the United States.
Going on the prices quoted by affiliate programs, this number of
infected computers in the US is worth $250,000, a sum which presumably
made its way to the creators of TDSS. Remarkably, there are no Russian
users in the statistics. This may be explained by the fact that
affiliate marketing programs do not offer payment for infecting
computers located in Russia.
To be continued…
This heading of this last section has become traditional in our
articles on TDSS. In this case, we have reason to believe that TDSS will
continue to evolve. The fact that TDL-4 code shows active development —
a rootkit for 64-bit systems, the malware running prior to operating
system start launches, the use of exploits from Stuxnet’s arsenal,
P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly
in the ranks of the most technologically sophisticated, and most complex
to analyze, malware. The botnet, with more than 4.5 million infected
computers, is used by cybercriminals to manipulate adware and search
engines, provide anonymous Internet access, and acts as a launch pad for
other malware.
TDSS and the botnet that unites all the computers it infects will
continue to cause problems for users and IT security professionals
alike. The decentralized, server-less botnet is practically
indestructible, as the Kido epidemic showed.