TDS rootkit
fenugrec
2008-12-09, 00:41
Hi all,
Obviously I'm here because "computah is broken" -
I'm writing this from another one.
With suspicious behaviour on the sick comp (all google hits
redirected to go.google.com , other creepy stuff) I decided
to scan my computer. Spybot wouldn't even start (how
peculiar), and AVG update center couldn't get updates
from the internet (redirected to 127.0.0.1 !!!), etc.
Safe mode changed none of this.
I fired up rootalyzer 0.2.1.35 - it found a bunch of hidden
.dll files,
File:"Hidden file","C:\WINDOWS\system32\TDSScfub.dll"
File:"Hidden file","C:\WINDOWS\system32\TDSSfpmp.dll"
File:"Hidden file","C:\WINDOWS\system32\TDSSnrsr.dll"
File:"Hidden file","C:\WINDOWS\system32\TDSSoeqh.dll"
File:"Hidden file","C:\WINDOWS\system32\TDSSosvd.dat"
File:"Hidden file","C:\WINDOWS\system32\TDSSriqp.dll"
File:"Hidden file","C:\WINDOWS\system32\TDSStkdv.log"
They are indeed very well hidden. Trying to DIR them from a cmd prompt
gives "The parameter is incorrect" instead of "File not found".
I managed to load the latest Spybot SD with a USB drive,
scanned the whole computer and it found one
"Win32.TDSS.rtk" key in the registry, but no mention about files.
(interesting note, the key is invisible from regedit !?)
So I'm pretty stuck here (not to mention super-pissed). Any ideas,
things to try?
Haven't tried just "del TDS*.*", not sure if that will completely fix
the problem, and am -very- cautious about trying random "fixes"
that can be found on the net.
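A defender-side check for the symptom described above (a name the kernel answers with "The parameter is incorrect" rather than "File not found"), added here as an example that is not code from the thread or from Spybot: it parses RootAlyzer "Hidden file" lines and probes each path directly, since a clean system only ever answers "visible" or "absent". The log lines are constructed after the ones quoted in the post; os.stat is the assumed probe, and on Windows ERROR_INVALID_PARAMETER surfaces from it as a plain OSError (errno 22).

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample, modelled on the RootAlyzer lines quoted in the post above.
ROOTALYZER_LOG = """\
File:"Hidden file","C:\\WINDOWS\\system32\\TDSScfub.dll"
File:"Hidden file","C:\\WINDOWS\\system32\\TDSSosvd.dat"
File:"Hidden file","C:\\WINDOWS\\system32\\TDSStkdv.log"
"""

# One RootAlyzer file line: File:"<kind>","<path>"
LINE_RE = re.compile(r'^File:"(?P<kind>[^"]*)","(?P<path>[^"]*)"$')


def parse_hidden_files(log: str) -> List[str]:
    """Return only the paths RootAlyzer flagged as hidden files."""
    hidden = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("kind") == "Hidden file":
            hidden.append(m.group("path"))
    return hidden


def classify_probe(path: str, stat: Callable[[str], object] = os.stat) -> str:
    """Ask the OS about a path directly and classify its answer.

    A clean file system answers only "visible" or "absent" (ENOENT, raised as
    FileNotFoundError). Any other error, such as EINVAL (Windows
    ERROR_INVALID_PARAMETER, i.e. "The parameter is incorrect" as reported in
    the thread), means something between us and the disk knows the name but
    refuses a plain lookup: that is the "anomalous" verdict worth escalating.
    The stat callable is injectable so the logic can be exercised offline.
    """
    try:
        stat(path)
    except FileNotFoundError:
        return "absent"
    except OSError:
        return "anomalous"
    return "visible"


def triage(log: str, stat: Callable[[str], object] = os.stat) -> Dict[str, str]:
    """Map every hidden file in a RootAlyzer log to its probe verdict."""
    return {p: classify_probe(p, stat) for p in parse_hidden_files(log)}


if __name__ == "__main__":
    for path, verdict in triage(ROOTALYZER_LOG).items():
        print(f"{verdict:10s} {path}")
```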
If you double-click a file in RootAlyzer, the dialog appearing should allow you to delete the files.
If you want to see and delete them directly in your filesystem, our Total Commander plugins (http://forums.spybot.info/downloads.php?id=3) do give you a chance to browse your harddisk in "NT native mode" where these files will most likely show up.
If you can access them this way, you could send an archive with a copy of them (give them a different name when copying them before packing, in case the hiding mechanism works by filename only and does not include the path) to detections@spybot.info ;)
The detection rules regarding this trojan horse have been improved last week and are currently located in our beta. Please download the current beta file and put it onto your usb drive as well. Just hit the checkbox "Display beta updates" at the first SDUpdater dialog.
fenugrec
2008-12-09, 17:49
Hi,
thanks for the replies!
I managed to fix few things, but the clean-up might not be complete yet.
I found that I could have the offending driver TDSS???.sys show up in the device manager using the "devmgr_show_nonpresent_devices" trick. Then, astonishingly, I was able to just disable the TDSS driver - then, after a reboot, it was successfully de-activated! (all of its resource & file hiding was now inactive)
Well, now I managed to delete the TDSS* files in /system32/ . I zipped a copy of those files, but I didn't keep the special .sys driver that was doing the hiding. (Once I had disabled it, AVG was able to see & delete the file - a bit too fast for me).
PepiMK: Thanks for the tip about the plugins, that's just the kind of tool that was lacking in my rescue kit (I've got to say the Sysinternals utilities helped me a lot here)
The detection rules regarding this trojan horse have been improved last week and are currently located in our beta. Please download the current beta file and put it onto your usb drive as well. Just hit the checkbox "Display beta updates" at the first SDUpdater dialog.
Will certainly do, as soon as I get home. Should I still email my infected files?
A quick inspection of those files revealed a few interesting things - one of them starts with <!- and a bunch of rubbish, looks a lot like a script exploit and most probably is how I got this load of trouble in the first place.
Thanks for your time !
For future reference, the TDS trojan blocks most executables; rename it from .exe to .bat and it will load up.
Also, I would d/c your network while scanning to avoid any damage from the remote attack (since TDS opens a bunch of ports).
dj.turkmaster
2009-01-17, 12:31
Hello,
This TDS rootkit is a really tough one. I am a HijackThis log analyzer in a Turkish computer security forum, and in the last week we have had lots of people affected by this rootkit. It blocks Spybot, ComboFix and Sophos Anti-Rootkit, and also blocks the download site of The Avenger. The Avenger finds the rootkit but fails to remove it. GMER says it is clean. If it helps, you can look at the link I'll give and see the log files. Maybe it will help you. And if it helps, these are the infected files I found on the machine; they are probably associated with the TDS rootkit.
http://doctus.org/pc-donmas-cbj-t35209p2.html
Rootkit::
C:\WINDOWS\system32\drivers\koevlppuqffkir.sys
\systemroot\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
Driver::
Seekeen Service
TDSSserv.sys
kunbbdrqhjj
File::
C:\WINDOWS\system32\drivers\koevlppuqffkir.sys
\systemroot\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\gasretyw1.dll
C:\WINDOWS\system32\gasretyw0.dll
C:\WINDOWS\system32\kamsoft.exe
C:\0w.com
C:\WINDOWS\msauc.exe
C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
C:\Program Files\ToggleEN\tbTogg.dll
C:\WINDOWS\system32\crypts.dll
C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twex.exe
Folder::
C:\Documents and Settings\All Users\Application Data\Seekeen
C:\Program Files\ToggleEN
C:\Program Files\Conduit
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\DOCUME~1\AHMETY~1\LOCALS~1\Temp\fkflbh.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kamsoft"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"lsass driver"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baa93f5c-faaf-11d7-8849-000d877d6101}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79660eb0-dea3-11dd-8811-000d877d6101}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b6fa958-faa7-11d7-8832-000d877d6101}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]