The hidden part of TDSS
Sergey (k1k) Golovanov, Malware Expert
Global Research and Analysis Team
Kaspersky Lab
Content
1. TDSS Overview
2. Reversing TDSS networking
3. Analyzing p2p functionality
4. Monitoring active bot
5. Getting CnC stats
TDSS Overview
Main modules
• MBR infector – bypasses driver digital signature protection
• x64 rootkit – TDSS works on every modern Windows system
• Clicker – clicks banners and links
• Targets Black SEO – promotes web sites via Google, Bing, AltaVista and more
Affiliate Network
• Two affiliate networks are spreading TDSS
• 20 - 200 USD for 1 000 installs
• Affiliates install TDSS via spam, worms, exploits, etc.
Malicious DHCP
Boot
Reversing TDSS networking
Client to Server
1. Original request:
command|noname|30127|0|0.03|0.15|5.1 2600 SP2.0|en-us|iexplore|351|0 and Benchmark(20000000,md5(1))|1614895754
2. RC4, or a modification of it, keyed with the targeted host name:
ХЪ7U>tюjЇ\+_Э→/CИY>Kо↓н>4L•xoУч¶@_►F_M!аw♀:Ыp↔d;_fщ☻§ю¶♥0язl
3. Base64:
r1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3
4EszDdXaN1U+dP5qr1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3DDr
4. Additional trash
5. HTTPS
Server to Client
1. Set Name parameter – an additional unique key for RC4 or its modification
Analyzing p2p functionality
Analyzing p2p functionality
KAD.DLL algorithm:
1. Share an encrypted file named “ktzrules”
2. Upload kad.dll to TDSS-infected PCs
3. Kad.dll loads a public nodes.dat file with KAD client/server IPs
4. Kad.dll searches for the “ktzrules” file in the public KAD network
5. Kad.dll downloads “ktzrules” and executes its commands
Analyzing p2p functionality
KAD.DLL functions:
1. SearchCfg – find the “ktzrules” file with commands
2. LoadExe – find and download an exe file from KAD
3. ConfigWrite – write to the configuration file
4. Search – find a specified file in KAD
5. Publish – publish a specified file
6. Knock – download a new nodes.dat file
Public KAD Net – default nodes.dat
TDSS KAD Net – nodes.dat with clean and infected users' IPs
Monitoring active bot
Installs and proxy
Anti-Virus
• Gbot
• ZeuS
• Clishmic
• Optima
The full list includes ~30 malware family names
Getting CnC stats
Getting CnC stats
60 proxy CnCs, 3 MySQL DBs
5M infected PCs in 3 months
Summary
• MBR infector – bypasses driver digital signature protection
• x64 rootkit – TDSS works on every modern Windows system
• Clicker – clicks banners and links
• Targets Black SEO – promotes web sites via Google, Bing, AltaVista and more
• P2P botnet – no servers, no centers, sophisticated crypto protection for the command file in a hidden KAD network
• Own AV – detects more than 30 malware families
• Clients proxy – additional anonymizer via infected PCs
• 5 million infected computers
http://www.facebook.com/KasperskyConference
http://www.kaspersky.com/educational-events
Kaspersky Lab PowerPoint Template | 12 October 2010
Thank You
Sergey (k1k) Golovanov, Malware Expert
Global Research and Analysis Team
Kaspersky Lab
Qu35t10n5?