The hidden part of TDSS
Sergey (k1k) Golovanov, Malware Expert
Global Research and Analysis Team
Kaspersky Lab
Content
1. TDSS Overview
2. Reversing TDSS networking
3. Analyzing p2p functionality
4. Monitoring active bot
5. Getting CnC stats
TDSS Overview
Main modules
•MBR infector – bypasses driver signature enforcement, so the unsigned rootkit driver can be loaded
•x64 rootkit – TDSS runs on every modern Windows system, 64-bit included
•Clicker – clicks banners and links
•Black SEO – promotes web sites via Google, Bing, AltaVista and others
Affiliate Network
• Two affiliate networks spread TDSS
• 20–200 USD per 1,000 installs
• Affiliates install TDSS via spam, worms, exploits, etc.
Malicious DHCP
Boot
Reversing TDSS networking.
Client to Server
1. Original request (pipe-separated fields):
   command|noname|30127|0|0.03|0.15|5.1 2600 SP2.0|en-us|iexplore|351|0 and Benchmark(20000000,md5(1))|1614895754
2. RC4 (or a modification of it), keyed with the name of the host being contacted:
   ХЪ7U>tюjЇ\+_Э→/CИY>Kо↓н>4L•xoУч¶@_►F_M!аw♀:Ыp↔d;_fщ☻§ю¶♥0язl
3. Base64:
   r1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3
4. Additional trash around the encoded payload:
   4EszDdXaN1U+dP5qr1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3DDr
5. HTTPS
Server to Client
1. The server sets a Name parameter – an additional, unique key for RC4 (or its modification)
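The client-to-server wrapping above (pipe-separated request, RC4 keyed with the contacted host name, then Base64) as an added example. This is not code from the slides or from the malware; it is a plain-RC4 reconstruction written for this page. The sample request is copied from the slide, the host name `cnc.example.invalid` is a placeholder, and the "modification" of RC4 that the slides mention, the trash added in step 4 and the way the server's Name parameter is combined into the key are not described on the page, so they are not implemented: `rc4()` simply accepts whatever key string you derive. `recover_request()` shows the check an analyst runs on a capture when the key is unknown: try each CnC host name seen in the traffic and keep the one whose output decrypts to printable, pipe-delimited text.

```python
"""RC4 + Base64 wrapping of a TDSS-style bot request (added example, not the original code)."""
import base64

# Request copied from the slide; the bot sends this as one pipe-separated line.
SAMPLE_REQUEST = ("command|noname|30127|0|0.03|0.15|5.1 2600 SP2.0|en-us|iexplore"
                  "|351|0 and Benchmark(20000000,md5(1))|1614895754")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_request(fields, host: str) -> str:
    """Bot side: join the fields with '|', RC4 under the CnC host name, Base64-encode."""
    plain = "|".join(fields).encode("utf-8")
    return base64.b64encode(rc4(host.encode("utf-8"), plain)).decode("ascii")


def unwrap_request(blob: str, host: str):
    """Analyst side with a known key: Base64-decode, RC4 under the host name, split on '|'."""
    plain = rc4(host.encode("utf-8"), base64.b64decode(blob))
    return plain.decode("utf-8").split("|")


def looks_like_request(plain: bytes) -> bool:
    """Key-recognition heuristic: a correct key yields printable ASCII with several '|'."""
    return all(0x20 <= b < 0x7F for b in plain) and plain.count(b"|") >= 3


def recover_request(blob: str, candidate_hosts):
    """Unknown key: try every candidate CnC host name (e.g. all domains seen in the
    capture) and return (host, fields) for the first one that decrypts cleanly."""
    raw = base64.b64decode(blob)
    for host in candidate_hosts:
        plain = rc4(host.encode("utf-8"), raw)
        if looks_like_request(plain):
            return host, plain.decode("ascii").split("|")
    return None


if __name__ == "__main__":
    host = "cnc.example.invalid"              # placeholder host name, not from the page
    blob = wrap_request(SAMPLE_REQUEST.split("|"), host)
    print(blob)
    print(recover_request(blob, ["other.example.invalid", host]))
```

Because RC4 is a stream cipher keyed only by the host name, every bot talking to the same CnC reuses the same keystream; once one request is known, XOR of two captured ciphertexts leaks the difference of the plaintexts. That is presumably why the server adds the per-bot Name key, which is the first thing to look for when the static host-name key stops decrypting later traffic.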
ANALYZING P2P FUNCTIONALITY
Analyzing p2p functionality
KAD.DLL algorithm:
1. Share an encrypted file named "ktzrules"
2. Upload kad.dll to TDSS-infected PCs
3. Kad.dll loads a public nodes.dat file with KAD client/server IPs
4. Kad.dll searches for the "ktzrules" file in the public KAD network
5. Kad.dll downloads "ktzrules" and executes the commands it contains
Analyzing p2p functionality
KAD.DLL functions:
1. SearchCfg – find “ktzrules” file with commands
2. LoadExe – Find and download exe file from KAD
3. ConfigWrite – write in configuration file
4. Search – find specified file in KAD
5. Publish – publish specified file
6. Knock – download new nodes.dat file
Public KAD net: default nodes.dat.
TDSS KAD net: nodes.dat with the IPs of both clean and infected users.
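The bootstrap list is the one artifact on this slide a responder can actually diff: the bot carries its own nodes.dat, and the peers present in that file but absent from the public default file are candidate infected hosts. As an added example (not code from the slides or the malware), below is a parser and writer for the eMule/aMule nodes.dat version-2 layout as I recall it from the client source: a zero uint32, uint32 version, uint32 count, then per contact a 16-byte KAD ID, uint32 IP, uint16 UDP port, uint16 TCP port, uint8 contact version, uint32 UDP key, uint32 UDP-key IP and a uint8 verified flag, all little-endian. The field layout and the IP byte order are assumptions to verify against the client source before trusting offsets on a real file; the two sample files are constructed inline with documentation-range addresses.

```python
"""Diff a bot's nodes.dat against the public one (added example; layout is assumed)."""
import ipaddress
import struct

# Assumed v2 contact layout: id, ip, udp, tcp, version, udpkey, udpkey_ip, verified
ENTRY_V2 = struct.Struct("<16sIHHBIIB")


def parse_nodes_dat(data: bytes):
    """Return the contacts of a version-2 nodes.dat as a list of dicts."""
    off = 0
    (count,) = struct.unpack_from("<I", data, off)
    off += 4
    if count != 0:                      # non-zero here means the legacy v0 layout
        raise ValueError("legacy v0 nodes.dat not handled in this example")
    (version,) = struct.unpack_from("<I", data, off)
    off += 4
    if version != 2:
        raise ValueError(f"unsupported nodes.dat version {version}")
    (count,) = struct.unpack_from("<I", data, off)
    off += 4
    contacts = []
    for _ in range(count):
        kad_id, ip, udp, tcp, ver, _ukey, _ukey_ip, verified = ENTRY_V2.unpack_from(data, off)
        off += ENTRY_V2.size
        contacts.append({
            "id": kad_id.hex(),
            "ip": str(ipaddress.IPv4Address(ip)),   # assumption: host-order uint32
            "udp": udp, "tcp": tcp, "version": ver, "verified": bool(verified),
        })
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing bytes after last contact")
    return contacts


def build_nodes_dat(peers):
    """Write a v2 nodes.dat from (ip, udp_port) pairs; KAD IDs are synthetic test data."""
    out = bytearray(struct.pack("<III", 0, 2, len(peers)))
    for n, (ip, udp) in enumerate(peers, start=1):
        kad_id = n.to_bytes(16, "little")
        out += ENTRY_V2.pack(kad_id, int(ipaddress.IPv4Address(ip)), udp, udp + 1, 8, 0, 0, 1)
    return bytes(out)


def peers_only_in(bot_file: bytes, public_file: bytes):
    """IPs the bot's bootstrap list carries that the public default list does not."""
    public_ips = {c["ip"] for c in parse_nodes_dat(public_file)}
    return {c["ip"] for c in parse_nodes_dat(bot_file)} - public_ips


if __name__ == "__main__":
    # Constructed sample files (documentation-range addresses, not real peers).
    public = build_nodes_dat([("192.0.2.10", 4672), ("192.0.2.11", 4672)])
    bot = build_nodes_dat([("192.0.2.10", 4672), ("198.51.100.7", 4672), ("203.0.113.9", 4672)])
    print(sorted(peers_only_in(bot, public)))
```

The set difference is only a triage list, not proof of infection: the slide says the bot's file mixes clean and infected users, so each extra peer still needs the KAD-side check (does it publish or serve "ktzrules"?) before it is treated as a bot.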
Monitoring active bot
Installs and proxy
Anti-Virus
•Gbot
•ZeuS
•Clishmic
•Optima
The full list includes ~30 malware family names
Getting CnC stats
Getting CnC stats
60 proxy CnCs, 3 MySQL DBs
5M infected PCs in 3 months
Summary
•MBR infector – bypasses driver signature enforcement, so the unsigned rootkit driver can be loaded
•x64 rootkit – TDSS runs on every modern Windows system, 64-bit included
•Clicker – clicks banners and links
•Black SEO – promotes web sites via Google, Bing, AltaVista and others
•P2P botnet – no servers, no centers; sophisticated crypto protection for the command file in a hidden KAD network
•Own AV – detects more than 30 malware families
•Client proxy – additional anonymizer via infected PCs
•5 million infected computers
http://www.facebook.com/KasperskyConference
http://www.kaspersky.com/educational-events
Kaspersky Lab PowerPoint Template | 12 October 2010
Thank You
Sergey (k1k) Golovanov, Malware Expert
Global Research and Analysis Team
Kaspersky Lab
Qu35t10n5?