
Backdoor.Tidserv

Risk Level 2: Low

Discovered:
September 18, 2008
Updated:
November 18, 2013 9:34:23 AM
Also Known As:
Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft], Trojan-Dropper.Win32.TDSS [Kaspersky], Packed.Win32.TDSS [Kaspersky]
Type:
Trojan
Systems Affected:
Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.

In addition to the Backdoor.Tidserv family title, this Trojan is also known as Alureon, TDSS and TDL (multiple versions such as TDL-3 or TDL-4).

Infection
This Trojan is typically distributed using a number of means common to many other well-known threats. Namely, it has been observed to be spread by fake blogs rigged with URLs to sensational videos that "must be seen", or by bogus blog or forum comments with similar baits. The Trojan may also be found in fake Torrent files and P2P downloads, on cracks and warez Web sites, and on hacked legitimate and fake Web sites rigged with exploits for various vulnerabilities, allowing what is known as a "drive-by download" to occur.


Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.

The Trojan may, for example, manipulate Web search results so that users are redirected to sites that are affiliated with the Trojan's authors. It may also redirect users to sites hosting Misleading Applications that are likely associated with the pay-per-install income model. The Trojan may also periodically display pop-up advertisements for various products and services, as well as further Misleading Applications. From time to time, it may also contact remote servers for software or updates to itself or its configuration files, making it a versatile and extensible threat.

If all of the techniques mentioned above fail to generate the appropriate response from the user, the Trojan may also directly download other malicious software and Misleading Applications to ensure that at least some income is generated by each infection.

The Trojan also has highly developed stealth capabilities, employing techniques rarely seen in other, less professionally written malicious code. The Trojan infects a system driver file with its own code. The code in the infected driver file acts as a rootkit and loader that directs the computer to load its main routines. The main routines are encrypted and hidden somewhere in the last sectors of the hard disk. The rootkit functionality of the Trojan provides effective cover for the Trojan: any queries from the operating system about the affected driver file or the disk sectors will return a clean result. No other telltale symptoms or indicators are seen, unlike with other, more conventional malicious code threats.

More recent variants also manipulate the Master Boot Record (MBR) of the computer to ensure that it is loaded early during the boot up process so that it can interfere with the loading of the operating system.
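As an added example (not part of the Symantec writeup), an offline check a responder can run over a raw disk image for the two on-disk traces described above: MBR boot code that no longer matches a known-clean copy, and a high-entropy block in the last sectors where the encrypted main routines are parked. It reads a captured image rather than querying the live system, because the rootkit returns clean results to such queries; the known-good digest, the eight-sector tail window and the 7.0 bits/byte threshold are assumptions, and the disk images are constructed in the block.

```python
import hashlib
import math

SECTOR = 512

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)

def mbr_code_digest(image: bytes) -> str:
    """SHA-256 of the MBR boot code only (first 440 bytes), leaving out the
    disk signature and partition table, which legitimately differ per disk."""
    return hashlib.sha256(image[:440]).hexdigest()

def check_image(image: bytes, known_good_digest: str, tail_sectors: int = 8,
                entropy_threshold: float = 7.0) -> dict:
    """Offline checks for the two on-disk traces described above: a rewritten
    MBR and an encrypted blob hidden in the last sectors of the disk."""
    tail = image[-tail_sectors * SECTOR:]
    tail_entropy = round(entropy(tail), 2)
    return {
        "mbr_boot_code_modified": mbr_code_digest(image) != known_good_digest,
        "mbr_signature_valid": image[510:512] == b"\x55\xaa",
        "tail_entropy": tail_entropy,
        "tail_looks_encrypted": tail_entropy >= entropy_threshold,
    }

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload
    (SHA-256 counter stream; constructed test data, not the malware's cipher)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])

def build_image(total_sectors: int, mbr_code: bytes, tail: bytes) -> bytes:
    """Constructed disk image: boot code, zero padding, 0x55AA, zeroed body, tail."""
    mbr = mbr_code.ljust(510, b"\x00")[:510] + b"\x55\xaa"
    return mbr + b"\x00" * (total_sectors * SECTOR - SECTOR - len(tail)) + tail

# Constructed reference value; in practice it comes from a known-clean image of the same build.
CLEAN_MBR_CODE = b"constructed clean boot code"
KNOWN_GOOD_DIGEST = mbr_code_digest(build_image(2, CLEAN_MBR_CODE, b""))
```

A high-entropy tail is only a lead, not proof: compare it against what the partition table says should occupy those sectors before drawing a conclusion.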



"Blue Screen of Death" incidents
Recent reports of a spate of Blue Screen of Death (BSOD) incidents began to emerge following Microsoft's monthly patch release for February 9th, 2010. On further investigation it has been determined that many of these incidents were caused by the Microsoft patches accidentally disrupting the chain of execution assumed by the Trojan when patching and hooking the system files. The net result is that when the system file APIs are called, the addresses in the newly updated files are no longer where the Trojan assumed them to be; the Trojan therefore jumps to an invalid address, causing the error.

The latest news flash has been that the Tidserv gang have patched their rootkit to avoid the infinite reboot issue caused by the kernel module API offset changes introduced by MS10-015. Research testing showed the infected drivers were indeed able to cope with changes in the kernel API offsets. To achieve that they now use hash functions on the required API names to retrieve their addresses on the fly, a technique known to have been used in viruses and other threats for years, and yet they had to disable most of their bot network in order to deploy it. Statistically it has been shown that the number of bugs in a program is proportional to its complexity, or its source code size. It is a well-known fact that in kernel mode, the smallest mistake leads, in most cases, to a BSOD. This may mark the beginning of the end of an otherwise advanced rootkit.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures


Antivirus (heuristic/generic)


    Browser protection
    Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


    Intrusion Prevention System

    Antivirus Protection Dates

    • Initial Rapid Release version September 18, 2008 revision 007
    • Latest Rapid Release version December 25, 2014 revision 035
    • Initial Daily Certified version September 18, 2008 revision 008
    • Latest Daily Certified version December 27, 2014 revision 003
    • Initial Weekly Certified release date September 24, 2008

    Threat Assessment

    Wild

    • Wild Level: Medium
    • Number of Infections: 50 - 999
    • Number of Sites: 3 - 9
    • Geographical Distribution: Medium
    • Threat Containment: Easy
    • Removal: Easy

    Damage

    • Damage Level: High
    • Payload Trigger: Web searches and other user activities on the compromised computer.
    • Payload: Opens a back door on the compromised computer, hijacks Web search results, and displays pop-up advertisements.
    • Modifies Files: Infects low-level driver files such as atapi.sys and the master boot record.
    • Causes System Instability: Infection of low level system files may result in instability of the operating system.

    Distribution

    • Distribution Level: Low
    Writeup By: Hon Lau
