
    Author Archive - Yuki Hsu (Senior Engineer)

    Early December last year, Microsoft – in cooperation with certain law enforcement agencies – announced their takedown of the ZeroAccess operations. However, this also unexpectedly affected another well-known botnet, TDSS.

    TDSS and ZeroAccess

    ZeroAccess is one of the most notable botnets in the world, and its malware is known for its rootkit capability. This malware is typically downloaded from peer-to-peer (P2P) networks disguised as pirated movie titles. Similarly, TDSS is known for the rootkit technology it uses to evade detection and for distributing other malware such as FAKEAV and DNS changers. Both botnets are involved in click fraud operations.

    In our previous blog entry, we mentioned how certain ZeroAccess variants redirect to URLs associated with TDSS, suggesting that the two botnets share portions of their command-and-control (C&C) infrastructure. As we monitored the connection between the two botnets, we found that the number of ZeroAccess infections among our customers, and of communications from them, dropped significantly the day after the takedown. Among those systems with ZeroAccess infections, only 2.8% attempted (but failed) to communicate with its C&C servers.

    Figure 1. ZeroAccess activity from Nov. – Dec. 2013

    During the same period, we observed that the click fraud operations of TDSS were noticeably affected. The number of TDSS communications related to click fraud dropped days after December 5, the date when Microsoft announced their takedown of the ZeroAccess botnet. These activities, however, suddenly picked up before the year ended, suggesting that the click fraud side of TDSS is still active and the takedown’s impact may be temporary.

    Figure 2. TDSS click fraud activity from Nov. – Dec. 2013

    However, the number of TDSS infections and communications was not impacted by the takedown, which indicates that only its click fraud side was affected.

    Figure 3. TDSS activity from Nov. – Dec. 2013

    The Botnet Connection

    This significant decrease in TDSS click fraud operations is tied to its connection with ZeroAccess’s own click fraud. As we noted in our previous research, since both botnets perform click fraud, they may have exchanged URL lists with each other to generate more money. Evidence of this nefarious deal between these two notorious botnets can be seen in the redirection URLs used by ZeroAccess.

    We noticed several ZeroAccess variants redirecting to URLs related to TDSS when initiating click fraud. These redirections, in turn, increase the number of clicks gathered by TDSS, creating more profit for its perpetrators. We also noticed that TDSS malware, in particular the DGAv14 versions, uses the old ZeroAccess domain generation algorithm (DGA) module, while new ZeroAccess variants have adopted DGAv14 features.

    Though the ZeroAccess takedown was disruptive to TDSS money-making schemes, its infections and communications remained business-as-usual, which means the TDSS botnet is likely profiting from other botnets.

    Trend Micro users are protected from this threat: both TDSS and ZeroAccess variants are detected, and access to the related URLs is blocked. As an added precaution, we advise users to refrain from downloading files from unverified sites and peer-to-peer (P2P) networks, from which ZeroAccess variants are known to be downloaded.

    Posted in Malware (ZeroAccess Takedown and the TDSS Aftermath)

    TDSS and ZeroAccess are both well-known threats that have many common characteristics. Both are difficult-to-remove rootkits, both engage in click fraud, and both use peer-to-peer communication techniques. Some may even wonder whether these similar threats come from the same group of cybercriminals.

    In September 2012, researchers found several TDSS variants which were called “DGAv14”. These variants were distinguished by their use of randomly generated domains. However, we have identified interesting findings about these random domains, which suggest that they are also used by ZeroAccess.

    Using Smart Protection Network feedback, we analyzed some interesting HTTP traffic, which we initially thought to be sent by TDSS DGAv14 versions. But upon closer examination, we found that this traffic was instead sent by ZeroAccess/SIREFEF variants.

    This misidentification was due to this new TDSS variant’s use of the same domain as old versions of ZeroAccess. For example, on one particular day we identified this URL being used by ZeroAccess:

    • http://{blocked domain}/stat2.php?w=188&i=000000000000000000000000a5fa853e&a=6

    On the very same day, we found the following URL being used by a TDSS/DGAv14 variant:

    • http://{blocked domain}/{179-character encoded random string}

    The domain names used in both cases were identical. In addition, the way both malware families make money (such as click fraud) remains the same.

    In addition to the above connection, some newer ZeroAccess variants show other connections with TDSS. When we examine the traffic sent by both TDSS and these ZeroAccess variants, we find that they send information in similar ways. Both encode their traffic using base64 and pad this text with garbage characters at the beginning and end.

    TDSS has traditionally used this method, but it seems that ZeroAccess has adopted it as well. However, this does not mean that ZeroAccess is now imitating TDSS. We believe that the domain generation algorithm module used by older ZeroAccess malware has now been adopted by TDSS, specifically by the DGAv14 variants.
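    An added analyst-side helper, not code from this post or from Trend Micro, that recovers the base64 payload from a string wrapped in unknown garbage at both ends, the encoding pattern described above. The payload fields, the padding characters and their lengths are constructed for the example; the search tries every head/tail trim and keeps the longest candidate that decodes to printable bytes.

```python
import base64
import binascii
import string
from typing import Optional, Tuple

# Constructed sample only: the field names, the padding characters and their
# lengths are invented for this example, not taken from TDSS or ZeroAccess.
PAYLOAD = b"w=188&i=constructed&a=6"
ENCODED = base64.b64encode(PAYLOAD).decode()
HEAD_GARBAGE = "-x7~"
TAIL_GARBAGE = "!_k-"
SAMPLE = HEAD_GARBAGE + ENCODED + TAIL_GARBAGE

PRINTABLE = set(string.printable.encode())


def _decode_strict(token: str) -> Optional[bytes]:
    """Decode one candidate as standard base64, tolerating stripped '=' padding."""
    token = token.rstrip("=")
    if len(token) % 4 == 1:  # no valid base64 string has this length
        return None
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)  # reject non-alphabet bytes
    except (binascii.Error, ValueError):
        return None


def unwrap_padded_base64(blob: str, max_pad: int = 16) -> Optional[Tuple[bytes, int, int]]:
    """Find the base64 payload hidden between unknown head and tail garbage.

    Every (head, tail) trim of up to max_pad characters is tried; the longest
    candidate that decodes cleanly to printable bytes wins. Returns
    (payload, head_len, tail_len), or None if nothing decodes.
    """
    best = None
    for head in range(min(max_pad, len(blob)) + 1):
        for tail in range(min(max_pad, len(blob) - head) + 1):
            core = blob[head:len(blob) - tail]
            if len(core) < 8:  # too short to be a meaningful payload
                continue
            raw = _decode_strict(core)
            if not raw or any(b not in PRINTABLE for b in raw):
                continue
            if best is None or len(raw) > len(best[0]):
                best = (raw, head, tail)
    return best


if __name__ == "__main__":
    print(unwrap_padded_base64(SAMPLE))
```

    Because padding bytes may themselves fall in the base64 alphabet, the printable-bytes filter and the longest-decode rule, not the character class, are what pick the right window.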

    However, key differences still exist between TDSS and ZeroAccess. Both still maintain separate P2P networks, with similar features but different implementation. In addition, ZeroAccess always infects COM objects and service.exe, whereas TDSS always infects the MBR. ZeroAccess will also disable TDSS on systems that the former infects.

    The illustration below summarizes the relationships between TDSS and ZeroAccess:

    Figure 1. ZeroAccess and TDSS relationships

    In summary, we believe that there are now some ties between the TDSS and ZeroAccess families. This does not necessarily mean that the cybercriminals responsible are directly collaborating – the DGA module may have been acquired from a third party, and/or TDSS may be making money by hosting parts of ZeroAccess. We will continue to monitor and investigate these threats in order to protect our customers.

    For more information on TDSS and ZeroAccess, please check our past posts below:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice