Results 1 to 6 of 6

Thread: TDS rootkit

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Default TDS rootkit

    Hi all,
    Obviously I'm here because "computah is broken" -
    I'm writing this from another one.
    With suspicious behaviour on the sick comp (all google hits
    redirected to go.google.com , other creepy stuff) I decided
    to scan my computer. Spybot wouldn't even start (how
    peculiar), and AVG update center couldn't get updates
    from the internet (redirected to 127.0.0.1 !!!), etc.
    Safe mode changed none of this.

    I fired up rootalyzer 0.2.1.35 - it found a bunch of hidden
    .dll files,
    Code:
    File:"Hidden file","C:\WINDOWS\system32\TDSScfub.dll"
    File:"Hidden file","C:\WINDOWS\system32\TDSSfpmp.dll"
    File:"Hidden file","C:\WINDOWS\system32\TDSSnrsr.dll"
    File:"Hidden file","C:\WINDOWS\system32\TDSSoeqh.dll"
    File:"Hidden file","C:\WINDOWS\system32\TDSSosvd.dat"
    File:"Hidden file","C:\WINDOWS\system32\TDSSriqp.dll"
    File:"Hidden file","C:\WINDOWS\system32\TDSStkdv.log"
    They are indeed very well hidden. trying to DIR them from a cmd-prompt
    gives "The parameter is incorrect", instead of a "File not found"


    I managed to load the latest Spybot SD with a USB drive,
    scanned the whole computer and it found one
    "Win32.TDSS.rtk" key in the registry, but no mention about files.
    (interesting note, the key is invisible from regedit !?)

    So I'm pretty stuck here (not to mention super-pissed), any ideas,
    things to try ?
    Haven't tried just "del TDS*.*" , not sure if that will completely fix
    the problem, and am -very- cautious about trying random "fixes"
    that can be found on the net.

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    If you double-click a file in RootAlyzer, the dialog appearing should allow you to delete the files.

    If you want to see and delete thew directly in your filesystem, our Total Commander plugins do give you a chance to browse your harddisk in "NT native mode" where these files will most likely show up.

    If ou can access them this way, you could send an archive with a copy of them (give them a different name when copying them before packing in case the hiding mechanism works by filename only and not includes the path) to detections@spybot.info
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Default

    The detection rules regarding this trojan horse have been improved last week and are currently located in our beta. Please download the current beta file and put it onto your usb drive as well. Just hit the checkbox "Display beta updates" at the first SDUpdater dialog.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  4. #4
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Default

    Hi,
    thanks for the replies!
    I managed to fix few things, but the clean-up might not be complete yet.

    I found that I could have the offending driver TDSS???.sys show up in the device manager using the "devmgr_show_nonpresent_devices" trick. Then, astonishingly, I was able to just disable the TDSS driver - then, after a reboot, it was succesfully de-activated ! (all of its resource& file hiding was now inactive)

    Well, now I managed to delete the TDSS* files in /system32/ . I zipped a copy of those files, but I didn't keep the special .sys driver that was doing the hiding. (Once I had disabled it, AVG was able to see & delete the file - a bit too fast for me).

    PepiMK: Thanks for tip about the plugins, that's just the kind of tool that was lacking in my rescue kit (I got to say the Sysinternals utilities helped me a lot here)

    Quote Originally Posted by Buster View Post
    The detection rules regarding this trojan horse have been improved last week and are currently located in our beta. Please download the current beta file and put it onto your usb drive as well. Just hit the checkbox "Display beta updates" at the first SDUpdater dialog.
    Will certainly do- as soon as I get home. Should I still email my infected files ?
    A quick inspection of those files revealed a few interesting things - one of them starts with <!- and a bunch of rubbish, looks a lot like a script exploit and most probably is how I got this load of trouble in the first place.

    Thanks for your time !

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    Default

    for future reference the TDS trojan blocks most executables, rename it from .exe to .bat and it will load up,

    also i would d/c you network while scanning to avoid any damage from the remote attack (since TDS opens buncha ports)

  6. #6
    Senior Member dj.turkmaster's Avatar
    Join Date
    Feb 2007
    Location
    TURKEY/Ankara
    Posts
    139

    Default

    Hello,
    This TDS rootkit is a really tough one. I am a ahijackthis analyzer in a Turkish computer security foum. And in the last week we have lots of people affected by this rootkit. It blocks spybot,combofix, Sophos anti-rootkit, also blocks the download site of The Avenger. The Avenger finds the rootkit but fails to remove it. Gmer says it is clean. If it helps you can look at the link I'll give and you can see the log files. Maybe it will help you. And if it helps this is the infected files I found on the machine they are probably assosicated to the TDS rootkit.
    http://doctus.org/pc-donmas-cbj-t35209p2.html

    Code:
    Rootkit::
    C:\WINDOWS\system32\drivers\koevlppuqffkir.sys
    \systemroot\system32\drivers\TDSSpqxt.sys
    C:\WINDOWS\system32\drivers\TDSSpqxt.sys
    
    Driver::
    Seekeen Service
    TDSSserv.sys
    kunbbdrqhjj
    
    File::
    C:\WINDOWS\system32\drivers\koevlppuqffkir.sys
    \systemroot\system32\drivers\TDSSpqxt.sys
    C:\WINDOWS\system32\drivers\TDSSpqxt.sys
    C:\WINDOWS\system32\gasretyw1.dll
    C:\WINDOWS\system32\gasretyw0.dll
    C:\WINDOWS\system32\kamsoft.exe
    C:\0w.com
    C:\WINDOWS\msauc.exe
    C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
    C:\Program Files\ToggleEN\tbTogg.dll
    C:\WINDOWS\system32\crypts.dll
    C:\WINDOWS\system32\twext.exe
    C:\WINDOWS\system32\twex.exe
    
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\Seekeen
    C:\Program Files\ToggleEN
    C:\Program Files\Conduit
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\DOCUME~1\AHMETY~1\LOCALS~1\Temp\fkflbh.exe"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "kamsoft"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "lsass driver"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baa93f5c-faaf-11d7-8849-000d877d6101}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79660eb0-dea3-11dd-8811-000d877d6101}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b6fa958-faa7-11d7-8832-000d877d6101}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{038cb5c7-48ea-4af9-94e0-a1646542e62b}]
    DOCTUS.ORG Turkish security forum

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •