The TDSS family of malware remains a significant threat to users today, largely due to its powerful stealth capabilities that hide its main components from security applications. This can be seen in the large number of detections that we see regularly, as shown in the following chart:
We’ve even seen TDSS variants that use high-profile vulnerabilities to spread. Samples of a new TDSS variant, WORM_TDSS.TX, use the infamous LNK vulnerability (first brought to public attention by STUXNET) to propagate. (The shortcut file is detected as EXPL_CPLNK.SMA.)
There are two techniques that TDSS uses for its autostart routines:
- Randomly choosing a system driver file (normally seen in %Windows%\System32\Drivers), modifying its resource section, and using this to directly read hard disk sectors and to assemble its .DLL file for its main malware behavior.
- Modifying the Master Boot Record (MBR) and using this to directly read hard disk sectors and to assemble its .DLL file for its main malware behavior.
The second technique was already discussed in the blog post “Mebroot Variants Behaves Like TDSS.” In this post, I will only concentrate on the first technique and will not discuss the installation process of the malware.
The patched and compromised file is detected as BKDR_TIDSERV.DZ. TDSS targets BootExecute applications, which are started by the Session Manager (smss.exe) before it invokes the initial command (Winlogon in Windows XP) and before the various subsystems are started. User-mode applications are not yet running at this point. Because they run so early, BootExecute applications are subject to a significant restriction: they must be native applications.
In this context, “native” means that only the Windows NT Native API, resident in ntdll.dll, is available. At this stage, the Win32 subsystem, composed of the kernel-mode win32k.sys component and the user-mode client/server runtime (CSRSS), has not yet been started by SMSS. Not even the Kernel32 library is usable by BootExecute applications. This can be seen in the screenshot below:
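Because anything listed under BootExecute runs before Winlogon and before any security product's user-mode components, the list is worth auditing on every machine. The script below is an added example, not code from the original post or from Trend Micro; it decodes the REG_MULTI_SZ value at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute (a well-known Windows location, not named in the post) and flags any entry other than the stock "autocheck autochk *". On Windows it reads the live value; elsewhere it runs against a constructed sample blob containing a hypothetical extra entry named EXAMPLE_ROGUE_NATIVE_APP.

```python
"""Audit the Session Manager BootExecute list for entries beyond the Windows default."""
import sys

# Well-known registry location of the BootExecute list (REG_MULTI_SZ). Not from the post.
BOOT_EXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
BOOT_EXECUTE_VALUE = "BootExecute"

# The single entry a stock Windows install ships with; anything else deserves a look.
EXPECTED_ENTRIES = {"autocheck autochk *"}


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode a raw REG_MULTI_SZ blob: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    text = raw.decode("utf-16-le")
    # Splitting on NUL yields trailing empty strings from the terminator; drop them.
    return [s for s in text.split("\x00") if s]


def unexpected_entries(entries: list[str]) -> list[str]:
    """Return entries not in EXPECTED_ENTRIES, comparing with whitespace collapsed and case folded."""
    return [e for e in entries if " ".join(e.split()).lower() not in EXPECTED_ENTRIES]


def read_boot_execute() -> list[str]:
    """Read the live BootExecute value; only works on Windows (winreg is Windows-only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOT_EXECUTE_KEY) as key:
        value, vtype = winreg.QueryValueEx(key, BOOT_EXECUTE_VALUE)
    if vtype != winreg.REG_MULTI_SZ:
        raise ValueError(f"BootExecute has unexpected registry type {vtype}")
    return list(value)


# Constructed sample blob: the default entry plus a hypothetical extra native application.
SAMPLE_RAW = "autocheck autochk *\x00EXAMPLE_ROGUE_NATIVE_APP\x00\x00".encode("utf-16-le")


def main() -> int:
    if sys.platform == "win32":
        entries = read_boot_execute()
    else:
        entries = decode_multi_sz(SAMPLE_RAW)  # offline demo on non-Windows hosts
    suspects = unexpected_entries(entries)
    for entry in entries:
        print(("SUSPECT  " if entry in suspects else "expected ") + entry)
    return 1 if suspects else 0


if __name__ == "__main__":
    sys.exit(main())
```

The comparison normalises whitespace and case so a legitimate default written with extra spaces is not reported. An entry you cannot identify should be treated as a native-mode autostart and examined, since, as the post explains, nothing in this list can be a normal Win32 program.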