2010-05-01
Abstract
The TDSS/TDL rootkit is the cause of many a headache for anti-virus vendors. Here, Alisa Shevchenko presents a report and analysis of statistics collected from the users of a TDSS removal tool during the first quarter of 2010.
Copyright © 2010 Virus Bulletin
Our first article about the TDSS malware was published a year ago [1]. A relatively minor threat back then, today TDSS/TDL is a widely discussed topic in the security industry, and the cause of many a headache for anti-virus vendors. Moreover, the rootkit’s functionality has changed significantly during the year.
More than six months have passed since we released the TDSS Remover and disclosed its architecture [2]. Since then, some anti-virus vendors have also released dedicated TDSS removal tools. Among them are TDSSKiller from Kaspersky Lab and TDSS Cleaner from Norman.
The following article presents a report and a basic analysis of statistics collected from the users of TDSS Remover during the first quarter of 2010. (Note that, for users, the sending of information to us is optional, thus the data presented here may not be complete.)
Figure 1 shows the overall usage of the TDSS Remover (i.e. the approximate number of tool runs each day) between January and March 2010.
There are some notable peaks and slumps on the graph, which correspond to some major TDSS-related events:
The peak around 16 February reflects an increase in use of the tool following the release of the MS10-015 update. The update caused a blue screen on TDSS-infected systems [3] (the rootkit's hooks relied on kernel addresses that the update changed), thus making users aware of the infection.
The slump after 28 February can be explained by the following:
An upgrade (TDL3.27) was applied to the rootkit’s engine around 25 February, which rendered all existing removal tools (including TDSS Remover) useless.
Because of the issue with MS10-015, a considerable part of the TDL botnet was destroyed.
The blank period from 6 to 13 March was due to a technical issue with data gathering.
An update to TDSS Remover (enabling it to remove TDL3.27) was released on 7 March, and the data-gathering issue was fixed, so all the data beyond 7 March is accurate.
Figure 2 shows the distribution of TDSS Remover users by country, and thus also gives an approximate idea of the distribution of TDSS malware.
However, the statistics presented on this chart should be treated with caution, because some of the underlying data may reflect marketing trends rather than actual malware prevalence. Specifically:
Russia (RU) is prevalent and Ukraine (UA) has a notable representation on the chart because we are based in Russia and have a dedicated Russian website.
The Netherlands (NL) is prevalent and Belgium (BE) has a notable representation because the tool has appeared in the local news in these areas.
Thus the shares for Russia, Ukraine, The Netherlands and Belgium can be assumed, in reality, to be somewhat smaller than shown in Figure 2.
To summarize, we believe that TDSS infection is most prevalent in the United States, followed by Russia, a number of European countries including Great Britain, France, The Netherlands and Belgium, followed by Canada, Germany and Australia.
Figure 3 shows the distribution of different file types and the names of malicious executable files.
Since the release of TDL3 at the end of 2009, which infects system drivers in place, the rootkit no longer stores its payload in dynamic libraries. Thus, the 28% share of dlls on the chart represents older versions of TDSS which are still active.
The executable files (.exe) are not TDSS at all, but other malware with rootkit functionality that the tool's anomaly detection also flagged, such as Magania, Kido, ZAccess and a number of banking trojans. The TDSS rootkit itself does not utilize any .exe files.
A single .com file plus an insignificant number of autorun.inf files represent a very early version of TDSS which attempted to spread by infecting removable drives.
System driver files are prevalent on the chart because they are the core of all versions of the TDSS rootkit. Among the malicious .sys files, the most common are the legitimate storage miniport drivers atapi.sys (Microsoft's IDE/ATAPI driver) and iastor.sys (Intel's SATA/RAID driver), which TDL3 infects in place. From these statistics we can see that systems whose boot disk is served by atapi.sys (IDE, or SATA in IDE-compatibility mode) prevail significantly over those whose boot disk is served by iastor.sys.
Randomly named driver files are generated by an old version of TDSS which does not infect system driver files, and which is payloaded by a number of complementary dlls. The ratio of dll files to randomly named driver files (28%:12%, roughly 2.3:1) is explained by the fact that, on average, one driver file is accompanied by two or three dll files on the same infected machine.
Other names of system drivers represent various infected miniport drivers.
Figure 4 shows a distribution chart of the anti-virus programs that were installed on users’ systems when they had an active TDSS infection.
We did not deliberately set out to collect statistics on anti-virus software, but because some security products block their files from being read (and thus trigger the anomaly-based detection mechanism of TDSS Remover), the files appeared in our reports.
Systems with an anti-virus product installed account for 12% of all reported cases; this figure includes the fewer than 1% of reports in which no infection was found.
Kaspersky products were identified mostly by fidbox*.* files, which are data-indexing storage files. They were also identified by encrypted executable files named klick.dat and klin.dat, and also by kernel drivers kl1.sys and klif.sys.
avast! is notable for almost a dozen .sys files, all of which are blocked from being read and appear in the TDSS Remover’s output.
Dr.Web has a single blocked file: dwprot.sys.
Agnitum Outpost has three blocked files: afw.sys, afwcore.sys and sandbox.sys.
McAfee was identified by the encryption provider driver derived from SafeBoot.
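The two observations above (TDL3 infects the legitimate atapi.sys/iastor.sys drivers in place, and anti-virus self-protection shows up as driver files that cannot be read) translate directly into a quick host check. The following PowerShell script is an added example, not code from the article or from TDSS Remover; the function names, the list of anti-virus driver names (only those named in the text; the avast! drivers are not named there and so are not listed) and the verdict strings are this example's own. It must be run from an elevated prompt.

```powershell
# Added example: host checks derived from the article's observations (not the
# article's or TDSS Remover's own code).
#  1. Authenticode check of the storage miniport drivers that TDL3 infects in place.
#  2. The "cannot be read" anomaly that made AV self-protection drivers appear in reports.
# Caveat (assumption about TDL3 behaviour, not a statement from the article): an
# active TDL3 filters disk reads and serves the original driver bytes to the live
# system, so a 'Valid' signature here does not prove the disk is clean. Repeat the
# signature check from offline boot media before concluding anything.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Driver files the article reports as TDL3 infection targets.
$tdl3Targets = @('atapi.sys', 'iastor.sys')

# Anti-virus self-protection drivers named in the article (Kaspersky, Dr.Web, Agnitum).
# Incomplete by design: an unlisted unreadable driver is a lead, not proof of a rootkit.
$knownAvDrivers = @('kl1.sys', 'klif.sys', 'dwprot.sys', 'afw.sys', 'afwcore.sys', 'sandbox.sys')

function Test-StorageDriverSignature {
    # Check the Authenticode signature of each TDL3 target that exists on this machine.
    foreach ($name in $tdl3Targets) {
        $path = Join-Path $driverDir $name
        if (-not (Test-Path $path)) { continue }   # iastor.sys exists only on Intel RAID/AHCI systems
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = '<none>'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Driver = $name
            Status = $sig.Status   # 'Valid' is expected; 'NotSigned' or 'HashMismatch' is suspicious
            Signer = $signer
            Size   = (Get-Item $path).Length
        }
    }
}

function Find-UnreadableDrivers {
    # Try to open every driver file for read with generous sharing; a failure here is
    # the same anomaly the article describes (file blocked from being read).
    foreach ($file in Get-ChildItem -Path $driverDir -Filter '*.sys') {
        try {
            $fs = [System.IO.File]::Open($file.FullName,
                                         [System.IO.FileMode]::Open,
                                         [System.IO.FileAccess]::Read,
                                         [System.IO.FileShare]::ReadWrite)
            $fs.Close()
        } catch {
            $verdict = 'unexplained: investigate'
            if ($knownAvDrivers -contains $file.Name.ToLower()) {
                $verdict = 'known AV self-protection'
            }
            [pscustomobject]@{
                Driver  = $file.Name
                Error   = $_.Exception.GetType().Name
                Verdict = $verdict
            }
        }
    }
}

Test-StorageDriverSignature | Format-Table -AutoSize
Find-UnreadableDrivers      | Format-Table -AutoSize
```

A driver that is unreadable but not on the known list is exactly the kind of entry that fed the tool's anomaly-based output; it should be matched against the installed security product before being treated as malicious, because, as the Figure 4 discussion shows, most such entries were anti-virus components rather than TDSS.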
Notes:
An anti-virus solution may fail to detect a particular piece of malware due to outdated signature databases (the user’s fault for not applying the recommended updates regularly). However, detection should not be a problem for an anti-virus product with good heuristics.
An anti-virus solution that failed to remove the malware will not appear in our statistics unless it implements rootkit-like self-protection (such as blocking reads of its own files), which is what caused the products above to appear.
In the wild, two TDSS modifications are active: the old TDL2, which features payload dlls and randomly named files and which does not infect system drivers, and the new TDL3, which infects the system disk drivers atapi.sys and iastor.sys. The latter prevails significantly.
Other known TDSS modifications are seen rarely, if ever, in the wild. Among them are the ancient TDSS version with fixed filenames, the old version which is distributed via removable drives, and the minor TDL3 version which infects miniport drivers.
TDSS infection is most common in the United States, Russia and parts of Europe.
[1] Shevchenko, A. Case study: the Tdss rootkit. Virus Bulletin, May 2009, p.10. http://www.virusbtn.com/pdf/magazine/2009/200905.pdf.
[2] Shevchenko, A.; Oleksiuk, D. Everybody lies: reaching after the truth while searching for rootkits. Virus Bulletin, August 2009, p.6. http://www.virusbtn.com/pdf/magazine/2009/200908.pdf.
[3] The Microsoft Security Response Center. Update – Restart Issues After Installing MS10-015. http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx.