
TDSS and ZeroAccess are both well-known threats that share many characteristics. Both are difficult-to-remove rootkits, both engage in click fraud, and both use peer-to-peer communication techniques. Some may even wonder whether these similar threats come from the same group of cybercriminals.

In September 2012, researchers found several TDSS variants which were called "DGAv14". These variants were distinguished by their use of randomly generated domains. However, we have identified interesting findings about these random domains, which suggest that they are also used by ZeroAccess.

Using Smart Protection Network feedback, we analyzed some interesting HTTP traffic, which we initially thought to be sent by TDSS DGAv14 versions. Upon closer examination, however, we found that this traffic was instead sent by ZeroAccess/SIREFEF variants.

This misidentification was due to this new TDSS variant's use of the same domain as old versions of ZeroAccess. For example, on one particular day we identified this URL being used by ZeroAccess:

• http://{blocked domain}/stat2.php?w=188&i=000000000000000000000000a5fa853e&a=6

On the very same day, we found the following URL being used by a TDSS/DGAv14 variant:

• http://{blocked domain}/{179-character encoded random string}

The domain names used in both cases were identical. In addition, the way both malware families make money (such as click fraud) remains the same.

Beyond the shared domain, some newer ZeroAccess variants show other connections with TDSS. When we examine the traffic sent by both TDSS and these ZeroAccess variants, we find that they send information in similar ways. Both encode their traffic using base64 and pad this text with garbage characters at the beginning and end.

TDSS has traditionally used this method, but it seems that ZeroAccess has adopted it as well. However, this does not mean that ZeroAccess is now imitating TDSS. We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adapted by TDSS, specifically the DGAv14 variants.
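The two URL shapes above (the ZeroAccess stat2.php beacon and the long base64 blob padded with junk on both ends) are what an analyst would look for in proxy logs. The following is an added example, not Trend Micro's code: it tags a URL as one or the other and recovers the base64 core. It assumes the junk padding uses characters outside the base64 alphabet; the sample blob and the example.invalid domain are constructed, and the hex value in the first sample is the one quoted in the post.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# ZeroAccess beacon shape quoted in the post: /stat2.php?w=<int>&i=<32 hex>&a=<int>
ZA_QUERY_KEYS = {"w", "i", "a"}
HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Longest run of base64 alphabet characters. Assumption: the junk padding at
# both ends is drawn from characters outside this alphabet.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{16,}")


def decode_padded_base64(blob: str) -> Optional[bytes]:
    """Strip junk on both ends, repair '=' padding and decode the core."""
    runs = B64_RUN.findall(blob)
    if not runs:
        return None
    core = max(runs, key=len).rstrip("=")
    core += "=" * (-len(core) % 4)          # restore canonical padding
    try:
        return base64.b64decode(core, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_url(url: str, min_blob_len: int = 100) -> str:
    """Tag a proxy-log URL as a ZeroAccess stat2 beacon, a TDSS/DGAv14-style
    opaque-path candidate, or unknown. The long-path rule is a heuristic that
    flags a request for analyst review; it is not a verdict on its own."""
    parts = urlparse(url)
    if parts.path == "/stat2.php":
        q = parse_qs(parts.query)
        if ZA_QUERY_KEYS <= set(q) and HEX32.match(q["i"][0]):
            return "zeroaccess-stat2"
    path = parts.path.lstrip("/")
    if (len(path) >= min_blob_len and "/" not in path
            and decode_padded_base64(path) is not None):
        return "tdss-dgav14-candidate"
    return "unknown"


def build_padded_blob(payload: bytes, head: str = "-_", tail: str = "~~") -> str:
    """Constructed sample only: base64 payload wrapped in junk characters,
    mimicking the described format so the decoder can be exercised offline."""
    return head + base64.b64encode(payload).decode("ascii") + tail
```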

However, key differences still exist between TDSS and ZeroAccess. Both still maintain separate P2P networks, with similar features but different implementations. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR. ZeroAccess will also disable TDSS on systems that the former infects.

The illustration below summarizes the relationships between TDSS and ZeroAccess:

Figure 1. ZeroAccess and TDSS relationships

In summary, we believe that there are now some ties between the TDSS and ZeroAccess families. This does not necessarily mean that the cybercriminals responsible are directly collaborating – the DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess. We will continue to monitor and investigate these threats in order to protect our customers.

For more information on TDSS and ZeroAccess, please check our past posts below:


• NotHappy

  All this research and TrendMicro AV still didn't detect ZeroAccess on a system yesterday, but my IDS caught traffic from the same system that was confirmed to be ZeroAccess.

  Happens quite a bit where Trend fails to recognize malware but other measures do.


© Copyright 2013 Trend Micro Inc. All rights reserved.