Rustock Rootkit Variants and TDSServ Kit

Analysis Content: Rustock Rootkit Variants and TDSServ Kit
Released: 21.12.2008
Author of Analysis: Robert (robert@novirusthanks.org)
Sample submitted by: Steve (steve@novirusthanks.org)
Thanks to: Fyyre (www.fyyre.net)
Website: http://www.novirusthanks.org

Today we will analyze another Rustock rootkit variant and the well-known TDSServ kit.

Rustock Rootkit Part

Files analyzed: rus.exe (the dropper).

After executing rus.exe, these new files were dropped on the system:

C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys.new
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\33ffd873.sys

This is the usual Rustock trick: the original beep.sys is overwritten with an infected copy, and the same infected copy is written to C:\WINDOWS\system32\dllcache\ (first as beep.sys.new, then renamed to beep.sys), so that Windows File Protection, which restores protected files from dllcache, puts the infected driver back instead of the clean one. The real rootkit driver is 33ffd873.sys; its scan report follows:

Filename: 33ffd873.sys
File size: 92 KB
MD5 Hash: 3A60061C7AB4BCC8A0948FCED7ED8018
SHA1 Hash: 6FA1732658A6CEF329B3E4B253D2083E58A3F994
Application Type: Executable (EXE) 32bit
Detection Rate: 12 of 24

Antivirus Result
a-squared Backdoor.Winnt!IK
Avira AntiVir TR/Rootkit.Gen
Avast Win32:Rootkit-gen [Rtk]
AVG BackDoor.Generic10.AEFE
BitDefender Backdoor.Rustock.NET
G DATA Win32:Rootkit-gen [Rtk] B
IkarusT3 Backdoor.Winnt
McAfee Generic BackDoor trojan
NOD32 v3 Win32/Rustock.NGG
Norman Trojan W32/Rootkit.AAFD
Sophos Mal/Generic-A
VBA32 Malware-Cryptor.Win32.General.3
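Because dllcache is the cache Windows File Protection restores from, a check that only hashes the live driver can be silently undone by WFP. The script below is an added example, not part of the original analysis: it verifies both copies of beep.sys against a known-good SHA-1 supplied by the operator and flags the .sys.new leftover in dllcache. The known-good hash and the file contents used in the demo are constructed; the page gives no hash for the clean driver.

```python
import hashlib
import os
import tempfile

# ASSUMPTION: the SHA-1 of the clean beep.sys for the target Windows build is
# supplied by the operator.  The page does not give it, so the demo below
# derives one from constructed file contents.


def sha1_file(path):
    """Hex SHA-1 (upper case) of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_beep_sys(system32, known_good_sha1):
    """Check both copies of beep.sys that Windows File Protection consults.

    Rustock overwrites drivers\\beep.sys and plants the same infected copy in
    dllcache\\, so a scanner that only verifies the live driver and lets WFP
    'repair' it would reinstall the infected file.  Returns a list of findings;
    an empty list means both copies match the known-good hash and no
    .sys.new leftovers exist in dllcache.
    """
    findings = []
    copies = {
        "drivers": os.path.join(system32, "drivers", "beep.sys"),
        "dllcache": os.path.join(system32, "dllcache", "beep.sys"),
    }
    for label, path in copies.items():
        if not os.path.isfile(path):
            findings.append(f"{label}\\beep.sys missing")
            continue
        digest = sha1_file(path)
        if digest != known_good_sha1.upper():
            findings.append(f"{label}\\beep.sys SHA1 {digest} != known good")
    cache_dir = os.path.join(system32, "dllcache")
    if os.path.isdir(cache_dir):
        for name in sorted(os.listdir(cache_dir)):
            if name.lower().endswith(".sys.new"):
                findings.append(f"dllcache\\{name} leftover from replacement")
    return findings


def build_demo_tree(root, infected):
    """Create a constructed system32 layout under root.

    Returns (system32_path, clean_sha1).  With infected=True the layout mimics
    the drop list from the analysis above (both beep.sys copies replaced,
    beep.sys.new left in dllcache, 33ffd873.sys added to drivers).
    """
    clean = b"CLEAN-BEEP-SYS" * 64     # constructed stand-in for the real file
    bad = b"RUSTOCK-BEEP-SYS" * 64     # constructed stand-in for the infected copy
    system32 = os.path.join(root, "WINDOWS", "system32")
    for sub in ("drivers", "dllcache"):
        os.makedirs(os.path.join(system32, sub), exist_ok=True)
    body = bad if infected else clean
    for rel in (("drivers", "beep.sys"), ("dllcache", "beep.sys")):
        with open(os.path.join(system32, *rel), "wb") as f:
            f.write(body)
    if infected:
        with open(os.path.join(system32, "dllcache", "beep.sys.new"), "wb") as f:
            f.write(bad)
        with open(os.path.join(system32, "drivers", "33ffd873.sys"), "wb") as f:
            f.write(b"ROOTKIT" * 16)
    return system32, hashlib.sha1(clean).hexdigest().upper()


def demo(infected=True):
    """Build a throwaway tree in a temp dir and run the check; returns findings."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, good = build_demo_tree(tmp, infected)
        return check_beep_sys(system32, good)


if __name__ == "__main__":
    for finding in demo(infected=True) or ["beep.sys clean"]:
        print(finding)
```

On a real system, point check_beep_sys at the actual system32 directory and pass the hash of beep.sys from install media or a known-clean machine of the same build; a mismatch on the dllcache copy alone is still a finding, since WFP will propagate it.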

SSDT hooks:

  • NtCreateEvent
  • NtCreateKey
  • NtOpenKey

Code hooks:

From the images below we can see that the infected beep.sys installed hooks in:

  • Ntfs.sys
  • Tcpip.sys


In the image below I used NIAPAntiRootkitTools to detect the FSD dispatch hooks and system callbacks installed by beep.sys:

TDSServ Kit Part

Fyyre unpacked the TDSServ files and analyzed the hook procedures. The .data section of the unpacked module holds the C2 server list (the same strings appear again in TDSSl.dll below):

.data:1000BDB8  00000032 C \\\\?\\globalroot\\systemroot\\system32TDSSservers.dat
.data:1000BDEC  0000002D C hxxp://findxproportal1.com/tdss2/crcmds/main
.data:1000BE1C  0000002B C hxxp://stableclickz1.com/tdss2/crcmds/main
.data:1000BE48  00000029 C hxxp://updatemics1.com/tdss2/crcmds/main
.data:1000BE74  0000002D C hxxp://findsproportal1.com/tdss2/crcmds/main
.data:1000BEA4  0000002D C hxxp://findzproportal1.com/tdss2/crcmds/main
.data:1000BED4  00000027 C hxxp://91.203.92.121/tdss2/crcmds/main
.data:1000BEFC  00000028 C hxxp://younewsblog.net/tdss/crcmds/main
.data:1000BF24  00000029 C hxxp://yournewsblog.net/tdss/crcmds/main
.data:1000BF50  00000029 C hxxp://yourblognews.net/tdss/crcmds/main
.data:1000BF7C  00000028 C hxxp://youblognews.net/tdss/crcmds/main
.data:1000BFA4  00000025 C hxxp://web1inst.com/tdss/crcmds/main
.data:1000BFCC  00000025 C hxxp://web2inst.com/tdss/crcmds/main
.data:1000BFF4  00000025 C hxxp://web3inst.com/tdss/crcmds/main
.data:1000C01C  00000025 C hxxp://web4inst.com/tdss/crcmds/main

Running the .exe goes through a long unpacking process that dumps a .tmp file into %USERPROFILE%\Temp, installs a service and starts it; the service loads the driver (TDSServ.sys), which installs the following kernel mode hooks. The first three are inline hooks: the first five bytes of each function are overwritten with a near jmp (opcode E9 followed by a 32-bit relative displacement) into the rootkit driver. For IofCompleteRequest the listing shows the rootkit-side routine (at B9FD76BB, in the same range as the jmp targets) rather than the patched prologue:

IofCallDriver -->>
E1A58E3A: E973E157D8                                  jmp B9FD6FB2h
 
NtEnumerateKey -->>
E10A05D4: E9F971F3D8                                  jmp B9FD77D2h
 
NtFlushInstructionCache -->>
E118FFDC: E9177BE4D8                                  jmp B9FD7AF8h
 
IofCompleteRequest -->>
B9FD76BB: 55                                                  push ebp
B9FD76BC: 8BEC                                              mov ebp, esp
B9FD76BE: 81EC28020000                              sub esp, 00000228h
B9FD76C4: 53                                                  push ebx
B9FD76C5: 8BD9                                              mov ebx, ecx
B9FD76C7: 837B1800                                      cmp [ebx+18h], 00000000h
B9FD76CB: 8855FC                                          mov [ebp-04h], dl
B9FD76CE: 0F8CF0000000                              jl B9FD77C4h
B9FD76D4: 56                                                  push esi
B9FD76D5: 57                                                  push edi
B9FD76D6: 8B7B60                                          mov edi, [ebx+60h]
B9FD76D9: 8B7714                                          mov esi, [edi+14h]
B9FD76DC: 85F6                                              test esi, esi
B9FD76DE: 0F84DE000000                              jz B9FD77C2h
B9FD76E4: F6461C40                                      test byte ptr [esi+1Ch], 40h
B9FD76E8: 0F85AD000000                              jnz B9FD779Bh
B9FD76EE: 8B4608                                          mov eax, [esi+08h]
B9FD76F1: 3B05940EFEB9                              cmp eax, [B9FE0E94h]
B9FD76F7: 740C                                              jz B9FD7705h
B9FD76F9: 3B05700EFEB9                              cmp eax, [B9FE0E70h]
B9FD76FF: 0F8596000000                              jnz B9FD779Bh
B9FD7705: E889F4FFFF                                  call B9FD6B93h
B9FD770A: 803F0C                                          cmp byte ptr [edi], 0Ch
B9FD770D: 750C                                              jnz B9FD771Bh
B9FD770F: 807F0101                                      cmp byte ptr [edi+01h], 01h
B9FD7713: 7506                                              jnz B9FD771Bh
B9FD7715: 53                                                  push ebx
B9FD7716: E84FFAFFFF                                  call B9FD716Ah
B9FD771B: 803F00                                          cmp byte ptr [edi], 00h
B9FD771E: 757B                                              jnz B9FD779Bh
B9FD7720: 66F7470800207473                      test word ptr [edi+08h], 73742000h
B9FD7728: 8D45E8                                          lea eax, [ebp-18h]
B9FD772B: 50                                                  push eax
B9FD772C: 8D85D8FDFFFF                              lea eax, [ebp-00000228h]
B9FD7732: 50                                                  push eax
B9FD7733: 6810020000                                  push 00000210h
B9FD7738: 6A09                                              push 00000009h
B9FD773A: FF7718                                          push [edi+18h]
B9FD773D: FF152890FDB9                              call [B9FD9028h]
B9FD7743: 85C0                                              test eax, eax
B9FD7745: 7C54                                              jl B9FD779Bh
B9FD7747: 8B85D8FDFFFF                              mov eax, [ebp-00000228h]
B9FD774D: 668945F4                                      mov [ebp-0Ch], ax
B9FD7751: 668945F6                                      mov [ebp-0Ah], ax
B9FD7755: 6A00                                              push 00000000h
B9FD7757: 8D85DCFDFFFF                              lea eax, [ebp-00000224h]
B9FD775D: 8945F8                                          mov [ebp-08h], eax
B9FD7760: 6A01                                              push 00000001h
B9FD7762: 8D45F4                                          lea eax, [ebp-0Ch]
B9FD7765: 50                                                  push eax
B9FD7766: 8D45EC                                          lea eax, [ebp-14h]
B9FD7769: 50                                                  push eax
B9FD776A: 66C745EC0E00                              mov word ptr [ebp-14h], 000Eh
B9FD7770: 66C745EE1000                              mov word ptr [ebp-12h], 0010h
B9FD7776: C745F03095FDB9                          mov [ebp-10h], B9FD9530h
B9FD777D: FF150490FDB9                              call [B9FD9004h]
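The three jmp hooks above can be checked by hand: the displacement of an E9 near jump is relative to the address of the next instruction, so target = address + 5 + rel32 (mod 2^32). The following Python script is an added example, not part of the original analysis or of Fyyre's tooling; it parses the listing above, decodes each patched prologue, confirms the decoded target against the disassembler's own jmp operand, and reports hooks whose target falls in the rootkit driver's range. The driver range 0xB9FD0000-0xB9FE1000 is an assumption inferred from the B9FDxxxx addresses in the listing, not a value stated on the page.

```python
import re

# Hook listing copied from the dump above: each "NAME -->>" header is followed
# by "ADDRESS: BYTES   disassembly" lines.  Only the first line of each entry
# is needed to decode the patch.
HOOK_LISTING = """\
IofCallDriver -->>
E1A58E3A: E973E157D8                                  jmp B9FD6FB2h
NtEnumerateKey -->>
E10A05D4: E9F971F3D8                                  jmp B9FD77D2h
NtFlushInstructionCache -->>
E118FFDC: E9177BE4D8                                  jmp B9FD7AF8h
IofCompleteRequest -->>
B9FD76BB: 55                                                  push ebp
"""

# ASSUMPTION: address range of the rootkit driver image.  The page does not
# give it; the value is inferred from the B9FDxxxx jmp targets in the listing.
ROOTKIT_RANGE = (0xB9FD0000, 0xB9FE1000)

HEADER_RE = re.compile(r"^(\w+)\s+-->>$")
INSN_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]+)\s+(.*)$")


def jmp_rel32_target(addr, code):
    """Decode an x86 near jump (E9 rel32) located at addr.

    rel32 is a signed little-endian displacement measured from the end of
    the 5-byte instruction, so target = addr + 5 + rel32 (mod 2**32).
    Returns None if the bytes do not start with E9.
    """
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def parse_hooks(listing, rootkit_range=ROOTKIT_RANGE):
    """Return {function_name: info} for every '-->>' entry in the listing.

    info['target'] is the decoded jmp destination (None if the first byte is
    not E9), info['hooked'] is True when that destination lies inside the
    rootkit range, and info['in_rootkit'] tells whether the listed address
    itself is rootkit code (as with the IofCompleteRequest handler body).
    """
    lo, hi = rootkit_range
    hooks = {}
    name = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = INSN_RE.match(line)
        if not m or name is None or name in hooks:
            continue  # keep only the first instruction of each entry
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))
        target = jmp_rel32_target(addr, code)
        hooks[name] = {
            "addr": addr,
            "target": target,
            "hooked": target is not None and lo <= target < hi,
            "in_rootkit": lo <= addr < hi,
            "disasm": m.group(3),
        }
    return hooks


def report(hooks):
    """Render one line per entry; used when run stand-alone."""
    lines = []
    for name, h in hooks.items():
        if h["hooked"]:
            lines.append(f"{name}: inline jmp at {h['addr']:08X} -> "
                         f"{h['target']:08X} (rootkit range) HOOKED")
        elif h["in_rootkit"]:
            lines.append(f"{name}: listing shows rootkit handler at "
                         f"{h['addr']:08X} ({h['disasm']})")
        else:
            lines.append(f"{name}: no E9 patch at {h['addr']:08X}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_hooks(HOOK_LISTING))))
```

The same decoder applies to any 5-byte prologue patch: read the first bytes of an exported routine, and if they start with E9, compare the computed target with the image range of the module that is supposed to own the function. A target outside that range (and, as here, inside an unsigned driver's image) is the classic sign of an inline hook.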

Scan report:

Filename: TDSSERV_DMP.SYS
File size: 68 KB
MD5 Hash: FBDD5411951E9055F06509E8707BC17A
SHA1 Hash: 3E0D8D8AE65428CF767A0C5EF604A14F7AFFA6BB
Application Type: Dynamic Link Library (DLL) 32bit
Detection Rate: 7 of 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:Fasec [Trj]
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ
Kaspersky HEUR:Trojan.Win32.Generic
VBA32 Embedded.Win32.Agent.ODG

Now let's look at some interesting strings extracted from TDSServ.sys:

%.*S
TDSS
%s%s%s
\systemroot\system32\drivers\TDSSserv.sys
\systemroot\system32\TDSSl.dll
file system
\\?\globalroot
svchost.exe
TDSSl.dll
chkdsk.exe
System
TDL2 Loaded
flcquhrm.dll
Xsaergwivo
lJBuEx
NTOSKRNL.EXE
CcRepinBcb
ZwCreateFile
ExFreePool
HAL.DLL
HalGetAdapter
KeLowerIrql
\registry\machine\system\currentcontrolset\services\TDSSserv.sys\modules
\registry\machine\system\currentcontrolset\services\TDSSserv.sys
start
type
mgroup
imagepath
TDSS
\registry\machine\software\TDSS\injector
*\KERNEL32.DLL
*\NTDLL.DLL
\registry\machine\software\TDSS\disallowed
\registry\machine\software\TDSS\trusted
\registry\machine\software\TDSS\connections
\FileSystem\FltMgr
*\TDSS*
*\TEMP\TDSS*
\filesystem\fastfat
\filesystem\ntfs
\driver\tcpip
\driver\ftdisk
\driver\volsnap
svchost.exe
ntdll.dll
kernel32.dll

Now let's look at TDSSl.dll:

Filename: TDSSl.dll
File size: 21 KB
MD5 Hash: 3989FBBFDE71E212611E362E0180C087
SHA1 Hash: 4321B846840D14F706A0B6D7A2AD399F665854D2
Application Type: Dynamic Link Library (DLL) 32bit
Detection Rate: 6 of 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:DNSChanger-VJ [Trj]
F-PROT 6 W32/Damaged_File.gen!Eldorado
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ

Interesting strings extracted from the code:

%.*S
%s%s%x.tmp
id=%s
%s=%u.%u.%u.%u
TDSS
Update
error while reading %s
TDSSerrors.log
%[^.].%[^(](%[^)])
%s/%s
winsta0
Impersonating as HWND 0x%x (0x%x)
\\?\globalroot\systemroot\system32TDSSservers.dat
hxxp://findxproportal1.com/tdss2/crcmds/main
hxxp://stableclickz1.com/tdss2/crcmds/main
hxxp://updatemics1.com/tdss2/crcmds/main
hxxp://findsproportal1.com/tdss2/crcmds/main
hxxp://findzproportal1.com/tdss2/crcmds/main
hxxp://91.203.92.121/tdss2/crcmds/main
hxxp://younewsblog.net/tdss/crcmds/main
hxxp://yournewsblog.net/tdss/crcmds/main
hxxp://yourblognews.net/tdss/crcmds/main
hxxp://youblognews.net/tdss/crcmds/main
hxxp://web1inst.com/tdss/crcmds/main
hxxp://web2inst.com/tdss/crcmds/main
hxxp://web3inst.com/tdss/crcmds/main
hxxp://web4inst.com/tdss/crcmds/main
\\?\globalroot\systemroot\system32\drivers\TDSSserv.sys
%*x %255s
%s?id=%s&new=%s
%x OK
%s (%d)
file=%s&address=0x%xI=%s&code=0x%x&info=%s&id=%s
\\?\globalroot\systemroot\system32\TDSSl.dll
\\?\globalroot\systemroot\system32
%s\%s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
POST
Content-Type: application/x-www-form-urlencoded
4: download %s error: 0x%x (0x%x - %s)
file downloaded ok
\\?\globalroot
tdll.dll
CheckValue
CmdExec
CmdExecAffID
CmdExecBotID
CmdExecBuild
CmdExecSubID
CmdExecType
CmdExecVersion
CopyAffID
CopySubID
CryptKeySet
FileDownload
FileDownloadRandom
FileDownloadRandomUnxor
FileDownloadUnxor
ImpersonateAsInput
Knock
ModuleDownload
ModuleDownloadUnxor
ModuleLoad
ModuleUnload
ModulesVersionLog
SetCmdDelay
SetInputDesktop
SetLoadedURL
SetTimeout
software\microsoft\internet explorer\main\featurecontrol\feature_enable_ie_compression
loaded_url
\registry\machine\software\TDSS
timeout
cmddelay
\registry\machine\software\TDSS\versions
build
type
affid
subid
\registry\machine\software\microsoft\windows nt\currentversion\tdssdata
serversdown
\registry\machine\software\TDSS\connections
\registry\machine\software\TDSS\disallowed
\registry\machine\software\TDSS\injector
\registry\machine\system\currentcontrolset\services\TDSSserv.sys\Enum
\registry\machine
\system\currentcontrolset\services\TDSSserv.sys
\device\namedpipe\TDSScmd
\TdlStartMutex
TDSS

Note that the strings above also include what look like the bot commands (Cmd stands for command, AffID for affiliate ID and SubID presumably for a sub-affiliate ID, which fits the pay-per-install distribution model these identifiers imply):

CmdExec
CmdExecAffID
CmdExecBotID
CmdExecBuild
CmdExecSubID
CmdExecType
CmdExecVersion
CopyAffID
CopySubID
CryptKeySet
FileDownload
FileDownloadRandom
FileDownloadRandomUnxor
FileDownloadUnxor
ImpersonateAsInput
Knock
ModuleDownload
ModuleDownloadUnxor
ModuleLoad
ModuleUnload
ModulesVersionLog

Two request format strings are also present. The first is the query string appended to a C2 URL (id is presumably the bot ID):

%s?id=%s&new=%s

The second looks like a form-urlencoded request body rather than a GET query; it sits next to the POST and Content-Type: application/x-www-form-urlencoded strings, and its file/address/code/info fields match the error reporting hinted at by "error while reading %s" and TDSSerrors.log:

file=%s&address=0x%xI=%s&code=0x%x&info=%s&id=%s
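The C2 list, the fixed /tdss*/crcmds/main path, the id/new query and the hard-coded User-Agent are enough to write a network detection. The script below is an added example, not part of the original analysis: it runs that logic over a few constructed proxy log lines (the log format, timestamps, client addresses and the 203.0.113.7 server are made up for the demo and do not come from the page). The path is weighted above the host names because the strings show the same path on every server while the domains are clearly disposable, and the User-Agent is a stock IE6/XP SP2 string that must never alert on its own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 hosts and URL path taken from the strings extracted above.
TDSS_C2_HOSTS = {
    "findxproportal1.com", "stableclickz1.com", "updatemics1.com",
    "findsproportal1.com", "findzproportal1.com", "91.203.92.121",
    "younewsblog.net", "yournewsblog.net", "yourblognews.net",
    "youblognews.net", "web1inst.com", "web2inst.com", "web3inst.com",
    "web4inst.com",
}
C2_PATH_RE = re.compile(r"^/tdss2?/crcmds/main$")
# User-Agent string from TDSSl.dll.  It is a stock IE6/XP SP2 UA, so on its
# own it is far too common to alert on; it only adds weight.
TDSS_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed proxy log lines (not from the page): time, client, method, URL, UA.
# 203.0.113.7 is a documentation address standing in for a not-yet-known server.
SAMPLE_LOG = """\
2008-12-21T10:00:01 10.0.0.5 GET http://www.example.org/index.html "Mozilla/5.0 (Windows NT 5.1)"
2008-12-21T10:00:07 10.0.0.5 GET http://findxproportal1.com/tdss2/crcmds/main?id=1234abcd&new=1 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2008-12-21T10:00:09 10.0.0.9 POST http://203.0.113.7/tdss/crcmds/main "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2008-12-21T10:00:12 10.0.0.5 GET http://web3inst.com/about "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def classify(method, url, ua):
    """Score one request against the TDSS indicators.

    Returns (verdict, reasons).  A matching path is 'high' on its own; a known
    host without the path is 'low'; the query and UA only add context.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if C2_PATH_RE.match(parts.path):
        reasons.append("c2 path")
        if method.upper() == "POST":
            reasons.append("form post to c2")   # matches the POST strings in the DLL
    if host in TDSS_C2_HOSTS:
        reasons.append("known c2 host")
    qs = parse_qs(parts.query)
    if "id" in qs and "new" in qs:
        reasons.append("id/new beacon query")
    if ua == TDSS_UA:
        reasons.append("tdss user-agent")
    if "c2 path" in reasons:
        verdict = "high"
    elif "known c2 host" in reasons:
        verdict = "low"
    else:
        verdict = "none"
    return verdict, reasons


def scan_log(text):
    """Parse proxy log lines and return the alerts (verdict != 'none')."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        verdict, reasons = classify(method, url, ua)
        if verdict != "none":
            alerts.append({"time": ts, "client": client, "url": url,
                           "verdict": verdict, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["verdict"], a["client"], a["url"], ", ".join(a["reasons"]))
```

The third sample line shows why the path rule matters: the server is not in the list, but the beacon path is identical, which is exactly what a rotated C2 domain would look like in traffic.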

Below is the TDSS.exe dump produced by Fyyre:

Filename: TDSS_DMP.ppp
File size: 240 KB
MD5 Hash: AE9B3C7031D209DA77E7FC95764C212A
SHA1 Hash: F34044472E4DBDF12680729C19A8B470C47259E0
Application Type: Executable (EXE) 32bit
Detection Rate: 7 of 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:DNSChanger-VJ [Trj]
BitDefender Trojan.FakeAlert.ANM
Dr.Web BackDoor.Tdss.30
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ

Interesting strings extracted:

.tdl
ntdll.dll
TDSS
test
TDSS
.tdl
TDSS
\\?\globalroot\systemroot\system32\advapi32.dll
\\?\globalroot\systemroot\system32\advapi32.dll
msiserver
|iDH
\TdlStartMutex
\device\namedpipe\TDSScmd
\knowndlls\dll.dll
l\TDKD
\knowndlls\advapi32.dll
