
Wednesday, 4 April 2012

Trojan-Dropper.Win32.TDSS.ddf


Technical Details

This Trojan hides its presence in the system from the user and from other programs. It is a Windows application (PE EXE file), 92 160 bytes in size.

Installation

The Trojan launches only on the following operating systems:
Windows Vista
Windows XP Professional x64 Edition
Windows Server 2008, Windows Server 2003 with SP1
Once launched, it deletes its original file and writes its loader to the hard drive's MBR. This gives the Trojan full administrative rights before the operating system boots.
The rootkit keeps its configuration data and additional user-mode libraries in its own encrypted file system, located outside the partitioned area of the disk.
It also hooks DriverStartIo in the hard disk controller's miniport driver in order to serve requests for its own files.
It infects one randomly chosen system driver by injecting its code into it; this lets the rootkit load its body from the disk and then return control to the original driver.
In order to hide its presence in the system, it installs hooks on the following kernel functions:
IofCallDriver;
IofCompleteRequest;
NtFlushInstructionCache;
NtEnumerateKey;
NtSaveKey;
NtSaveKeyEx.
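The two disk-level traits described above (a replaced MBR loader and a hidden encrypted file system outside the partitioned area) can be checked from a raw disk image without trusting the live, hooked kernel. The following is an added example, not code from the original description: it parses the MBR, compares the bootstrap code against a known-good hash, and flags a large unpartitioned tail after the last partition. The sample MBRs, the 1 MiB slack threshold and the baseline hash are constructed for illustration.

```python
import hashlib
import struct
MBR_SIZE = 512
BOOT_CODE_SIZE = 440            # bootstrap code precedes the 4-byte disk signature at 440
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries, then the 0x55AA signature
PARTITION_ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(mbr):
    """Return the SHA-256 of the bootstrap code and the populated partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(PARTITION_ENTRY, mbr, off)
        if ptype and count:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "end": lba_start + count - 1})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": parts}

def check_disk(mbr, disk_sectors, baseline_boot_hash, slack_threshold=2048):
    """Flag a modified bootstrap area and a suspiciously large unpartitioned tail."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("bootstrap code differs from the known-good baseline")
    last_end = max((p["end"] for p in info["partitions"]), default=0)
    trailing = disk_sectors - 1 - last_end
    if trailing > slack_threshold:   # 2048 sectors = 1 MiB; an assumed heuristic
        findings.append(f"{trailing} unpartitioned sectors after the last partition")
    return findings

def build_sample_mbr(boot_code, partitions):
    # Assemble a synthetic MBR for testing (constructed data, not from a real disk).
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed baseline: one NTFS partition, ordinary 1000-sector slack at the end.
PARTS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_SIZE - 5), PARTS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
CLEAN_DISK_SECTORS = 2048 + 204800 + 1000
# Constructed "infected" disk: different loader code and a large tail beyond the last partition.
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * (BOOT_CODE_SIZE - 2), PARTS)
INFECTED_DISK_SECTORS = 2048 + 204800 + 40000
```

On a real image, read the first 512 bytes of the device for `mbr`, take `disk_sectors` from the image size, and keep the baseline hash from a known-clean snapshot of the same machine.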

Payload

When launched, the Trojan injects its code into all system processes. It uses these processes to try to download the configuration file from the controlling servers specified in the "wspservers" parameter:
http://zlo***cv1.com/
http://71h***l01.com/
http://axj***0h.com/
http://rf9***16zzl.com/
http://dsg***4aa17.com/
http://l1i1***o8as0.com/
http://7ga***ja90a.com/
http://n1***1s6cx0.com/
The addresses of the rootkit's administration consoles are listed in the "servers" parameter:
https://19j***300z.com/
https://lj***b0.com/
https://li1***b0.com/
https://zz8***da88.com/
https://n1***53.com/
https://01***x00.cc/
It executes the following commands from the controlling server:
DownloadCrypted: download an encrypted file;
DownloadAndExecute: download and execute a file;
DownloadCryptedAndExecute: download an encrypted file, decrypt it and execute it;
Download: download a file;
ConfigWrite: modify the configuration file.
The rootkit's code is active only in processes whose names match the following masks:
*explo*
*firefox*
*chrome*
*opera*
*safari*
*netsc*
*avant*
*browser*
*mozill*
*wuauclt*
During its operation, the injected rootkit tracks the user's visits to a hard-coded list of sites (mainly search engines, advertising networks and popular web services).
This information is sent to the controlling server together with the system configuration parameters; in response, the server sends the page that is to be displayed to the user.
The rootkit modifies queries to major search engines to implement "Black Search Engine Optimization" (Black SEO). On the encrypted part of the drive it creates a "keywords" file containing the words to be sent to the search engine; the site chosen by the malicious user is then displayed in the search results. The Trojan uses JavaScript to fully emulate a user operating a search engine: the script is injected into the browser and simulates clicks on the corresponding links.
It also contains clicker functionality and visits the sites specified in the "clkservers" parameter:
http://z0***1i0.com/
It displays pop-up windows served from the address listed in the "popupservers" parameter:
http://clk***s66.com/
Rootkit version number:
3.273
Propagator identifier:
20694
Date and time when the rootkit was created:
13.07.2010 9:40
