New Tidserv Variant Downloads 50 MB Chromium Embedded Framework
Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has began to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time a malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.
The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv had used a serf332 module to perform network operations, such as link clicking and ad popups. It does this using COM (Component Object Model) objects to open Web pages and inspect page content. In the last week we have observed Tidserv downloading a new module called cef32. This new cef32 module has been found to have the same functionality as serf332 but requires cef.dll which is part of the CEF. Unusually, this requires a download of the full 50 MB CEF to the compromised system.
There has been a considerable increase in the download of the CEF over the last 18 days. While we cannot be certain as to how many of these downloads may relate to Tidserv infection activities, if these downloads are a result of the malware the number of computers compromised with Tidserv would be sizeable.
Figure 1. Chromium Embedded Framework downloads, last 18 days
Using the CEF allows Tidserv to move a lot of the basic Web browser functionality out of its own modules and into the CEF library. This allows for smaller modules that are easier to update with new functionality. The downside of Tidserv using CEF is that the cef32 module needs the CEF cef.dll Dynamic Link Library in order to load. The URL to the CEF zip file for download is currently hardcoded in the serf332 binary, so any change to this URL will require an update to the serf332 module.
The Chromium Embedded Framework (CEF) and its authors do not condone or promote the use of the CEF framework for illegal or illicit purposes. They will take all actions reasonably within their power to frustrate this use case. For that reason the binary that was being used by the malware product from the Google Code project page has been deleted. Other means of providing free binaries to users that protect, as much as possible, against this or similar abuses will be explored.
Symantec is continuing to track the evolution of threats such as Tidserv. Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protections are in place.