
Backdoor.Tidserv

Risk Level 2: Low

Discovered:
September 18, 2008
Updated:
November 18, 2013 9:34:23 AM
Also Known As:
Backdoor:W32/TDSS [F-Secure], BKDR_TDSS [Trend], Win32/Alureon [Microsoft], Trojan-Dropper.Win32.TDSS [Kaspersky], Packed.Win32.TDSS [Kaspersky]
Type:
Trojan
Systems Affected:
Windows 2000, Windows NT, Windows Server 2003, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
2. Infection method
2.1 Forums and blogs
2.2 Hacked websites
2.3 File sharing, cracks, and warez
2.4 Affiliate schemes
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Rootkit functionality
4. Additional information


1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
This threat may be spread by users actively clicking on links posted to certain forums or blogs found on the Web. A social engineering lure is often used by the malware creators; a common technique is to add some kind of salacious or sensational news or a statement that will pique the user's interest and entice them to click on the bogus links.

Users can mitigate the risk of infection by being careful about clicking links found on Web sites, such as blogs and forums where there is potentially little control or quality checks on the content. Basic checks such as hovering with the mouse pointer over the link will normally show where the link leads to. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

When performing searches in search engines, treat any results returned with caution and double-check them before following the links. If pop-up advertisements are displayed, do not click on them or follow any links within them.

Users should be wary of any sites or services offering free downloads of copyrighted content, such as music, videos, or cracked software. These are often booby-trapped with malicious software and are a known channel through which this threat spreads. Indiscriminate file sharing may also increase the risk of compromise.

If the user is offered an unfamiliar security product by way of pop-ups or similar methods while browsing the Web, they should exercise extreme caution and, if in doubt, not download or install the software. It is generally safer to buy from a well-known or trusted brand's site, or to buy a product that is sold physically in a local shop.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.


1.3 Address blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts file that redirect them to 127.0.0.1:

  • 1il1il1il.com
  • 69b69b6b96b.com
  • b00882244.cn
  • b11335599.cn
  • countri1l.com
  • d45648675.cn
  • d92378523.cn
  • gnarenyawr.com
  • ikaturi11.com
  • jukdoout0.com
  • lkaturl71.com
  • m3131313.cn
  • ranmjyuke.com
  • rinderwayr.com
  • stableclick.com
  • stableclick2.com
  • swltcho0.com
  • updatemic0.com
  • updatemic1.cn
  • updatepanel.us

Note: The domains used by this threat change frequently.
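The blocking advice above can be turned into something repeatable. The script below is an added example and is not part of the Symantec writeup: it takes the domain list from this section, emits hosts-file lines that sink each domain (and its www. form) to 127.0.0.1, and checks proxy log lines for contact with any listed domain or a subdomain of one. The log lines are constructed for the example; the hosts file path and log format are assumptions.

```python
"""Build hosts-file blocking entries from the Tidserv domain list and check proxy logs against it."""
import re

# Domains copied from the address-blocking list in the writeup.
TIDSERV_DOMAINS = [
    "1il1il1il.com", "69b69b6b96b.com", "b00882244.cn", "b11335599.cn",
    "countri1l.com", "d45648675.cn", "d92378523.cn", "gnarenyawr.com",
    "ikaturi11.com", "jukdoout0.com", "lkaturl71.com", "m3131313.cn",
    "ranmjyuke.com", "rinderwayr.com", "stableclick.com", "stableclick2.com",
    "swltcho0.com", "updatemic0.com", "updatemic1.cn", "updatepanel.us",
]


def normalize(domain):
    """Lower-case, strip whitespace and a trailing dot so comparisons are stable."""
    return domain.strip().lower().rstrip(".")


def hosts_entries(domains, sink="127.0.0.1"):
    """Return hosts-file lines mapping each domain and its www. form to the sink address."""
    lines = []
    for d in sorted({normalize(x) for x in domains}):
        lines.append(f"{sink} {d}")
        lines.append(f"{sink} www.{d}")
    return lines


def is_blocked(host, domains=TIDSERV_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    h = normalize(host)
    for d in domains:
        d = normalize(d)
        if h == d or h.endswith("." + d):
            return True
    return False


# Pull the host part out of any http(s) URL that appears in a log line.
HOST_RE = re.compile(r"https?://([^/:\s]+)")


def scan_proxy_log(lines):
    """Return (line_number, host) pairs for requests to blocked hosts."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            if is_blocked(m.group(1)):
                hits.append((n, normalize(m.group(1))))
    return hits


# Constructed sample proxy log lines (not taken from the writeup).
SAMPLE_LOG = [
    "2010-02-07 16:10:01 10.0.0.5 GET http://www.example.com/ 200",
    "2010-02-07 16:10:07 10.0.0.5 POST https://d45648675.cn/ 200",
    "2010-02-07 16:10:09 10.0.0.5 GET http://cdn.m3131313.cn/popup.js 200",
]

if __name__ == "__main__":
    print("\n".join(hosts_entries(TIDSERV_DOMAINS)))
    for n, host in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: contact with {host}")
```

Two caveats follow from the writeup itself: the sample configuration later on this page lists command-and-control servers by raw IP address, which a hosts-file entry cannot block, and the threat hooks Winsock on an infected computer, so name resolution there cannot be trusted. Blocking at a firewall or router, as the section suggests, covers both cases.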



2. INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.


2.1 Forums and blogs
Web 2.0-type services have enabled a whole new world of user participation and interaction not previously possible. Services such as blogs and social networking sites make it much easier for individuals and businesses to reach out to a far larger audience than they otherwise would be able to by traditional means. The substantial increase in audience reach is a power that is not lost on malware authors either.

A typical attack scenario involves the attackers identifying a high-traffic blog or forum with a commenting feature available that allows anonymous comments. A comment with some sensational content may then be added. Typically it may purport to send the user to a video of some event, such as the death of a celebrity or some world disaster -- just about any event that is likely to cause a stir around the world. One such event was the release of the Google Wave service in October 2009. The attackers made use of that event to deliver Backdoor.Tidserv to many unsuspecting users.

One example attack was launched by seeding bogus postings to many different discussion forums. Note the social engineering tricks used to gain trust in the example below. The attacker starts off by explaining that they are a long-time user of the forum and then ends with reassurance that the link is good by referring to a clean result from VirusTotal.




2.2 Hacked websites
Legitimate and sometimes well-known Web sites may fall victim to hack attacks, leading to the planting of malicious code, such as hidden IFRAME tags within their content. This may occur due to incorrectly configured and/or secured servers that may be vulnerable to attacks, allowing an attacker to gain access to the contents of the server.

A well-known technique employing Web and database server hacking involves the so-called SQL injection attacks. Any sites using Web forms backed by a database server may be vulnerable and can succumb to these attacks if any part of the system is not properly secured. If an attack on the server is successful, the attackers may manipulate Web pages by adding extra code at the top or bottom of the page or, if the server is a database, the contents of the database may be manipulated to include links to URLs of the attacker's choice.


2.3 File sharing, cracks, and warez
There are literally masses of pirated content available on the Web, which implies that many people are not prepared to pay for content and instead go searching for the latest music or videos rather than buying them from a trusted source. This offers a very real and profitable distribution channel for any would-be malware supplier. Since suppliers of illegal content are not officially identified, verified, or tracked, it is very easy for a malware creator to make a new malware file available, give it a file name related to current and popular content search terms, and then sit back and wait for the downloads to begin.


2.4 Affiliate schemes
There are schemes available on the Internet that promise to pay cash for generating traffic or, in this case, a pay-per-install revenue model where a certain amount of cash is credited for each computer that is installed with some software. While many affiliate schemes are legitimate, there are some who either turn a blind eye to how their members gain market share or actively use underhanded tactics to achieve their aims.

Distribution of this threat is most likely driven and aided to a great extent by affiliate schemes. We are aware of at least one affiliate scheme that has been distributing Backdoor.Tidserv on a pay-per-install basis for some time.



The affiliate schemes typically pay a very small sum of money for each installation. For one of the schemes the sum is $0.15 USD. In order to make any significant profit, those involved in this business must upscale their abilities to push and distribute the software. For owners of bot networks with hundreds of thousands of nodes, it can present a not-to-be-missed, profit-making opportunity. For example, take a typical botnet with 200,000 nodes. If all of the bots were successfully instructed to download and install the software, it could earn the controllers of the botnet in the region of $30,000.

Since there is potentially such a large financial gain to be made from signing up for these affiliate services, it is understandable that there are many enterprising people around the world who are happy to sign up and use any means possible (including illegal ones) to get the software onto as many computers as possible.



3. FUNCTIONALITY
Backdoor.Tidserv is primarily a profit-making enterprise and as such it aims to try to stay undetected on a compromised computer for as long as possible. It tries to do this by using advanced stealth techniques including a rootkit to hide traces of itself and its activities.

Once it is successfully installed on a computer, its primary purpose is to perform activities that will help to generate revenue for those behind the attack. Therefore it comes as no surprise to find that its payload performs activities that are aimed at making the user visit Web sites that are associated with money-making schemes and also download and install software that they do not necessarily need or want.


3.1 System modifications
The following side effects may be observed on computers compromised by this Trojan. It should be noted that the threat uses a rootkit and other advanced stealth techniques to hide itself and its side effects. Upon successful installation and execution, any changes may not be visible on the compromised computer except where specialist tools are used to reveal them.


File creation
The following file(s) may be seen on the compromised computer.
  • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)
  • %System%\drivers\TDSServ.sys
  • %System%\TDSS[RANDOM VALUE].log
  • %System%\TDSS[RANDOM VALUE].dat
  • %System%\TDSS[RANDOM VALUE].dll
  • %System%\drivers\H8SRTd.sys

File deletion
The following file(s) may be deleted from the compromised computer.
  • %System%\spool\prtprocs\[TEMPORARY FILE NAME].tmp (Initial executable file)


File modification
The following file(s) may be modified on the compromised computer.
  • atapi.sys (file infection)
  • advapi32.dll (file infection)
  • iastor.sys (file infection)
  • idechndr.sys (file infection)
  • ndis.sys (file infection)
  • nvata.sys (file infection)
  • vmscsi.sys (file infection)

The infection of system drivers and low level system files may cause instability in the operating system. It has been observed that certain computers infected by Backdoor.Tidserv may experience a Blue Screen of Death (BSOD) error after applying the Microsoft patches from February 9th, 2010.





Installation
During installation, the threat will cause spoolsv.exe (print spooler) to load the code for the threat. The code loaded into memory may hold one or more of the following logical files:
  • tdlwsp.dll (for hooking search queries)
  • tdlcmd.dll (main back door functionality)
  • config.ini (configuration details)

More information on the functionality of these files is as follows:


tdlcmd.dll
This file contains code to perform the following activities:
  • Download, decrypt, and execute files.
  • Update the configuration file.

tdlwsp.dll
The file contains code to perform the following activities (the latest variants have the functionality of tdlwsp.dll incorporated into tdlcmd.dll):
  • Hook Winsock routines to allow it to examine network traffic.
  • Log search engine strings and send them to a remote computer.
  • Inject or build HTTP responses so that it may modify or replace Web content returned by a Web server during a browsing session.

config.ini
This is a configuration file detailing bot identifiers, version information and other parameters.

Here is a sample config.ini file:

[main]
quote=Tomorrow will be the most beautiful day of Raymond K. Hessel's life
version=3.241
botid=xxxxx
affid=20273
subid=0
installdate=7.2.2010 16:8:33
builddate=7.2.2010 15:1:5
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.62/
wspservers=http://b11335599.cn/;http://b00882244.cn/
popupservers=http://m3131313.cn/
clkservers=http://clkmfd001.ws/
version=3.64
delay=7200
[tasks]
tdlcmd.dll=https://91.212.226.64/pOxhFds1itxq
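A recovered config.ini is a compact source of indicators. The parser below is an added example, not Symantec's tooling: it reads the sample configuration shown above with Python's standard configparser, separates the server lists by role ([tdlcmd] servers, wspservers, popupservers, clkservers and the [tasks] download URLs), reduces them to a sorted host list for blocking, and pulls out the bot metadata from [main]. The role names and sections are exactly those in the sample; nothing beyond that file format is assumed.

```python
"""Extract C&C hosts and bot metadata from a Tidserv config.ini."""
import configparser
from urllib.parse import urlsplit

# Sample configuration copied from the writeup above.
SAMPLE_CONFIG = """\
[main]
quote=Tomorrow will be the most beautiful day of Raymond K. Hessel's life
version=3.241
botid=xxxxx
affid=20273
subid=0
installdate=7.2.2010 16:8:33
builddate=7.2.2010 15:1:5
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.62/
wspservers=http://b11335599.cn/;http://b00882244.cn/
popupservers=http://m3131313.cn/
clkservers=http://clkmfd001.ws/
version=3.64
delay=7200
[tasks]
tdlcmd.dll=https://91.212.226.64/pOxhFds1itxq
"""


def parse_config(text):
    """Parse with '=' as the only delimiter so the ':' inside URLs and timestamps is kept."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # preserve key case, e.g. the '*' entry and 'tdlcmd.dll'
    cp.read_string(text)
    return cp


def server_roles(cp):
    """Map each server role to its list of URLs (values are ';'-separated in the file)."""
    roles = {}
    if cp.has_section("tdlcmd"):
        for key in ("servers", "wspservers", "popupservers", "clkservers"):
            if cp.has_option("tdlcmd", key):
                roles[key] = [u for u in cp.get("tdlcmd", key).split(";") if u]
    if cp.has_section("tasks"):
        roles["tasks"] = [cp.get("tasks", name) for name in cp.options("tasks")]
    return roles


def indicator_hosts(cp):
    """Sorted, de-duplicated host names and IP addresses across all roles."""
    hosts = set()
    for urls in server_roles(cp).values():
        for url in urls:
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def bot_metadata(cp):
    """Bot identifiers and version/affiliate data from the [main] section."""
    main = cp["main"]
    return {k: main.get(k) for k in ("version", "botid", "affid", "subid", "installdate", "builddate")}


def injected_processes(cp):
    """[injector] maps a process name ('*' meaning every process) to the module injected into it."""
    return dict(cp.items("injector")) if cp.has_section("injector") else {}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("bot:", bot_metadata(cfg))
    print("inject:", injected_processes(cfg))
    for role, urls in server_roles(cfg).items():
        print(f"{role}: {urls}")
    print("hosts to block:", indicator_hosts(cfg))
```

Note that three of the eight hosts are raw IP addresses, which is why the host list rather than a domain list should feed perimeter blocking; the delay value (7200 seconds) is the beaconing interval an analyst would look for in network telemetry.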

Once the code for the threat is installed, it deletes the original executable file that was executed and by doing this removes any obvious traces of its presence on the file system. Next, it infects one of the lowest-level drivers (atapi.sys) and manipulates it to load the threat when the computer is started.

It then creates an RC4-encrypted file system (the key used is "tdl") on the last sectors of the hard disk and stores the logical files (tdlwsp.dll, tdlcmd.dll, config.ini, and the original portion of the infected driver file) from memory in the newly created file system. Once these actions are completed, there will be no visible traces of the threat when examining the file system of the computer, except possibly for a change in the size of the infected driver file.
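Because the key is fixed and published, the hidden file system can be searched for in a disk image taken offline. The script below is an added example and is not Symantec's code: it implements RC4, decrypts the last N sectors of an image with the key "tdl", and reports sectors whose plaintext begins with a config.ini section header or a PE "MZ" header. The writeup does not describe the on-disk layout, so the example assumes that each 512-byte sector is encrypted independently (keystream restarting at every sector boundary); the test image is constructed by encrypting a small config with the same routine.

```python
"""Look for Tidserv's RC4-encrypted hidden file system in the last sectors of a disk image."""
SECTOR = 512
TDL_KEY = b"tdl"                             # key named in the writeup
MARKERS = (b"[main]", b"[tdlcmd]", b"MZ")   # config.ini section headers, PE header of stored DLLs


def rc4(key, data):
    """Plain RC4 (key scheduling followed by the keystream generator).
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def scan_tail(image, tail_sectors):
    """Decrypt each of the last tail_sectors sectors with key 'tdl' and return
    (sector_index, marker) for every sector whose plaintext starts with a known marker.
    Assumption (not stated in the writeup): sectors are encrypted independently."""
    total = len(image) // SECTOR
    hits = []
    for idx in range(max(0, total - tail_sectors), total):
        plain = rc4(TDL_KEY, image[idx * SECTOR:(idx + 1) * SECTOR])
        for marker in MARKERS:
            if plain.startswith(marker):
                hits.append((idx, marker.decode()))
                break
    return hits


def build_sample_image(total_sectors=64):
    """Constructed test image: a zero-filled disk with a small config stored, RC4-encrypted
    under 'tdl', in the second-to-last sector (the end-of-disk area the writeup describes)."""
    image = bytearray(total_sectors * SECTOR)
    payload = b"[main]\nversion=3.241\n[tdlcmd]\ndelay=7200\n".ljust(SECTOR, b"\x00")
    image[-2 * SECTOR:-SECTOR] = rc4(TDL_KEY, payload)
    return bytes(image)


if __name__ == "__main__":
    for sector, marker in scan_tail(build_sample_image(), 8):
        print(f"sector {sector}: decrypts to data starting with {marker!r}")
```

The image must come from the disk taken offline (or from boot media): the rootkit section below notes that the running threat returns an empty buffer for any read of the sectors it protects, so a scan from within the infected operating system would see nothing.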

After the computer is restarted, the infected driver file (atapi.sys) will load the threat from the end sectors of the hard disk. It will create the hooks for the rootkit to do its job as well as injecting the code from tdlcmd.dll into all processes or into specific processes as defined in the config.ini file.


Manipulation of the Master Boot Record
More recent variants of Tidserv such as Backdoor.Tidserv.L (since August 2010) and Backdoor.Tidserv.M (January 2011) have adopted a technique pioneered by another sophisticated threat, Trojan.Mebroot. The technique involves replacing the existing MBR with another copy that enables the threat to get loaded first during the boot-up process. The original MBR and the components used by the threat are then copied to sectors of the hard disk that are unknown to the operating system, usually located in slack space after the end of the main partitions.



The MBR technique enables the threat to gain full control over the computer as it will be loaded even before the operating system. It takes advantage of the early loading to manipulate the boot up process to bypass security measures and ensure that it is executed each time the operating system is started.
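Two checks follow directly from this description: the boot code in the first sector should not change between inspections, and the sectors past the last partition are where the original MBR and the threat's components would be placed. The script below is an added example, not Symantec's tooling: it parses the 512-byte MBR (boot code, partition table, 0x55AA signature), hashes the boot code for comparison with a baseline, and computes the unallocated tail from the partition table and the disk's total sector count. The sample MBR is constructed for the example.

```python
"""Parse an MBR, compare its boot code with a baseline, and locate the unallocated tail."""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446       # four 16-byte partition entries start here
BOOT_CODE_END = 440    # bytes 440-445 hold the disk signature and padding


def parse_mbr(mbr):
    """Return the SHA-256 of the boot code and the in-use partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for n in range(4):
        entry = mbr[PART_TABLE + 16 * n: PART_TABLE + 16 * (n + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and sectors != 0:
            partitions.append({"index": n, "bootable": status == 0x80, "type": ptype,
                               "start_lba": start_lba, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}


def unallocated_tail(mbr, total_sectors):
    """Return (first_lba, count) of the sectors after the end of the last partition."""
    info = parse_mbr(mbr)
    end = max((p["start_lba"] + p["sectors"] for p in info["partitions"]), default=1)
    return end, max(0, total_sectors - end)


def boot_code_changed(mbr, baseline_sha256):
    """True if the first 440 bytes no longer match the hash recorded at baseline time."""
    return parse_mbr(mbr)["boot_code_sha256"] != baseline_sha256


def make_sample_mbr(boot_code=b"\x33\xc0\x8e\xd0"):
    """Constructed MBR: one bootable type-0x07 partition at LBA 63, 1000 sectors long."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<BBBBBBBBII", mbr, PART_TABLE, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 1000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    clean = make_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("baseline boot code:", baseline)
    print("unallocated tail (lba, count):", unallocated_tail(clean, 2048))
    print("changed after tamper:", boot_code_changed(make_sample_mbr(b"\xeb\xfe"), baseline))
```

Take the baseline from a known-good install and read the sector from an offline image or boot media when checking: the rootkit functionality described later on this page hides sectors from the running operating system, so a live read may not reflect what is on disk.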



Registry subkeys and entries created
  • HKEY_CURRENT_USER\Software\Mozilla\affid=
  • HKEY_CURRENT_USER\Software\Mozilla\subid=
  • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT\injectors
  • HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
  • HKEY_LOCAL_MACHINE\SOFTWARE\TDSS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSServ.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSServ.sys

Registry subkeys/entries deleted
No registry keys or entries are deleted.


Registry subkeys/entries modified (final values given)
No registry keys or entries are modified.


3.2 Network activity
The threat may be controlled remotely by a command-and-control (C&C) server. In particular it may be instructed to download and install various files which are related to other malicious threats.

The threat may perform the following network activities.

Downloading
The following download activities may be performed by the threat:
  • Download, decrypt, and execute files.
  • Download a new configuration file.

The following domains have been noted to be contacted by this threat:
  • 1il1il1il.com
  • 69b69b6b96b.com
  • b00882244.cn
  • b11335599.cn
  • countri1l.com
  • d45648675.cn
  • d92378523.cn
  • gnarenyawr.com
  • ikaturi11.com
  • jukdoout0.com
  • lkaturl71.com
  • m3131313.cn
  • ranmjyuke.com
  • rinderwayr.com
  • stableclick.com
  • stableclick2.com
  • swltcho0.com
  • updatemic0.com
  • updatemic1.cn
  • updatepanel.us

The threat may also download other malware threats onto the computer. The downloaded files may use the following prefixes in their file names:
  • UAC
  • EQSUL
  • Gaopdx
  • kbwik
  • rotscx
  • kungs
  • vsf
  • gasfky

Uploading
Strings used by the user in search engine queries are gathered and sent to remote computers. The following domains have been noted but are subject to change, since configuration files are updated regularly.
  • d45648675.cn
  • d92378523.cn
  • b11335599.cn
  • b00882244.cn
  • m3131313.cn
  • updatepanel.us
  • stableclick.com
  • stableclick2.com
  • updatemic0.com
  • updatemic1.cn

Other network activity
The threat will constantly monitor the user's browser activity. It may watch for URLs requested that contain strings for many popular search engines including:
  • google.com
  • yahoo.com
  • bing.com
  • live.com
  • ask.com
  • aol.com
  • google-analytics.com
  • yimg.com

When it identifies such a URL, it will try to extract the parameters from the URL such as "q=" or "query=". In addition it will also either block or redirect the HTTP request.

The threat may also query the C&C server by sending it URLs. The C&C server may instruct the threat to perform a range of activities including actions such as injecting JavaScript into the response to redirect the browser to another page, initiating a go-back step in the Web browser, or an HTTP 302 redirect to another page.

It also parses incoming responses from sent requests to check for any forbidden URLs. Fake content is injected into the response to replace the forbidden content. The response is also checked to see if any pop-up advertisements or misleading application Web sites should be displayed. For example if a user was searching for antivirus or some IT security threat, the Trojan may redirect the browser to visit a site that is hosting a misleading application or a fake antivirus scanner.
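The 302 variant of this hijack leaves a recognisable trace in proxy or HTTP logs: a request to a search engine carrying a q= or query= parameter that is answered with a redirect to a host outside the search engine. The detector below is an added example and not part of the writeup: it extracts the query using the search-engine domains and parameter names listed above, and flags off-site 302 responses while exempting a legitimate click-through, where the query parameter itself names the destination host (the /url?q= pattern). The log records are constructed; their field names are an assumption.

```python
"""Flag search-engine requests that were answered with an off-site HTTP 302 redirect."""
from urllib.parse import urlsplit, parse_qs

# Search engine domains from the writeup's list; the analytics/CDN hosts carry no query strings.
SEARCH_ENGINES = ("google.com", "yahoo.com", "bing.com", "live.com", "ask.com", "aol.com")
QUERY_KEYS = ("q", "query")   # the parameters the writeup says the threat extracts


def in_site(host, site):
    """True if host is site or a subdomain of it."""
    host = (host or "").lower()
    return host == site or host.endswith("." + site)


def search_engine_for(host):
    for site in SEARCH_ENGINES:
        if in_site(host, site):
            return site
    return None


def search_query(url):
    """Return (engine, query) if url is a search-engine request with q= or query=, else None."""
    parts = urlsplit(url)
    engine = search_engine_for(parts.hostname)
    if engine is None:
        return None
    params = parse_qs(parts.query)
    for key in QUERY_KEYS:
        if key in params:
            return engine, params[key][0]
    return None


def flag_search_redirects(records):
    """records: dicts with 'url', 'status' and 'location' (constructed field names)."""
    alerts = []
    for rec in records:
        found = search_query(rec["url"])
        if found is None or rec.get("status") != 302 or not rec.get("location"):
            continue
        engine, query = found
        dest = (urlsplit(rec["location"]).hostname or "").lower()
        if in_site(dest, engine):
            continue  # redirect stays within the search engine itself
        # Legitimate click-through: /url?q=http://host/... redirects to the host named in q=
        if query.startswith(("http://", "https://")):
            named = (urlsplit(query).hostname or "").lower()
            if named and in_site(dest, named):
                continue
        alerts.append({"engine": engine, "query": query, "redirected_to": dest})
    return alerts


# Constructed sample records (not from the writeup).
SAMPLE_RECORDS = [
    {"url": "http://www.google.com/search?q=antivirus+removal", "status": 200, "location": None},
    {"url": "http://www.google.com/search?q=antivirus+removal", "status": 302,
     "location": "http://stableclick.com/landing?x=1"},
    {"url": "http://www.google.com/url?q=http://www.example.org/page", "status": 302,
     "location": "http://www.example.org/page"},
    {"url": "http://www.ask.com/web?q=free+virus+scan", "status": 302, "location": "http://updatepanel.us/"},
    {"url": "http://www.example.com/?q=test", "status": 302, "location": "http://elsewhere.example/"},
]

if __name__ == "__main__":
    for alert in flag_search_redirects(SAMPLE_RECORDS):
        print(f"search for {alert['query']!r} on {alert['engine']} redirected to {alert['redirected_to']}")
```

This only catches the 302 form of the hijack; the injected-JavaScript and go-back forms described above do not change the status code and need response-body inspection instead. Queries on security topics that end at a domain from the indicator lists on this page are the pattern the writeup itself describes.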



By hijacking the search results in this manner, the threat is exploiting the user's trust in the brand of the search engine that they are using. It also allows the threat to know specifically what the user is looking for and it can then supply convincing and targeted alternatives that can make money for the attackers. The context-sensitive nature of this technique increases the likelihood of its success.


3.3 Rootkit functionality
The threat uses an advanced rootkit and stealth techniques that provide highly effective cover from detection. It achieves this by:
  • Hiding its own files in the end sectors of the hard disk, bypassing the traditional file system.
  • Hiding the end sectors of the hard disk; the threat returns a 0-byte buffer when any other applications attempt to access or query the protected sectors.
  • Removing itself from the list of loaded drivers.
  • Infecting the lowest level of drivers and then returning the clean areas of the file when it is read by other processes.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Blog entries on Backdoor.Tidserv

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Hon Lau