bydetcaraig09-13-201012:38 AM - edited 09-13-201009:42 PM
The Threat Defined
TDSS Targets TweetDeck Users
TDSS malware have been somewhat silently working in the background along with more prominent families until it inadvertently caused blue-screen-of-death (BSoD) errors on the systems of users who installed the WindowsMS10-015 security patch this February. This even triggered Microsoft to release updates solely regarding the issue. In its recent attack, however, TDSS made a loud noise by targeting Twitter, one of the major players in today’s online computing scene.
Last August, developers of the popular Twitter application, TweetDeck, released a notification informing users of a new upgrade that will be made to their application to support Twitter’s new authentication protocols. Shortly thereafter, cybercriminals, particularly the group behind TDSS, got wind of the news and took it as an opportunity to spread their own malicious software. They released their own version of the said notification via Twitter.
Fake TweetDeck Update
TDSS variants may arrive through a variety of infection vectors, depending on the cybercriminals’ chosen approach and target. TDSS variants are most commonly downloaded from remote sites or by other malware. It may, however, also arrive bundled with malware packages as a component that conceals malicious routines on an affected system.
In this attack, cybercriminals used Twitter as infection launchpad. They spread malicious Tweets that contained a URL-shortened link to what was supposedly a TweetDeck installer called tweetdeck-08302010-update.exe. This installer, of course, is not an actual TweetDeck update but a TDSS variant detected as TROJ_TDSS.FAT.
Figure 1. Sample TweetDeck update spam
TDSS usually has various components with specific functions. Like previous generations, this new variant has three major components—the dropper/loader, the .DLL file, and the patched file. In this case, the downloaded fake installer acts as the loader. The loader is usually responsible for dropping other component files and creates corresponding registry entries to register its components as part of its installation. Once the installation is complete, it deletes the loader to remove traces of the malware.
Upon execution, the Trojan creates a copy of itself and changes the characteristics of the file it created to that of a .DLL file. This component is usually responsible for monitoring processes (usually associated with browsing) and download- or bot-operation-related payloads.
It then modifies files by patching a random .SYS file that enables it to automatically execute upon system startup. This patched .SYS file is detected as PE_TDSS.A. In general, this patched file is responsible for loading the malware whenever the system starts up. Its final payload is a backdoor routine that allows it to connect to certain sites to send and receive information.
Figure 2. TROJ_TDSS.FAT infection diagram
TDSS is known for its sophisticated way of avoiding detection by creating and reading files from a system’s memory. Aside from deleting related files to hide the infection, all of its processes are performed in different memory locations to confuse security analysts and to make it even more difficult for them to trace the malware infection.
The newest TDSS variants use a different approach to infect systems, as they try to cover every possible way of evading detection. Current variants have come up with a way of monitoring related processes and of preventing antivirus software and third-party tools from detecting their presence. This is done with the help of its dropped components, which may not be technically malicious but contain information that allows the malware to perform its malicious routines such as monitoring processes and a user’s Internet browsing activities.
User Risks and Exposure
With Twitter’s current population of 145 million registered users, cybercriminals are expected to continue taking advantage of the site’s popularity to spread their malicious codes. In this attack, cybercriminals took advantage of the huge user following for one of the top Twitter clientsTweetDeck and the fact that concerned users will soon have to update their software, as Twitter is expected to pull out support for authentication protocols used by older TweetDeck versions.
Users who are unaware of this new malicious tactic may fall prey to a variety of malicious programs that TDSS may download and install onto their systems, specifically information-stealing programs and backdoors. It is especially difficult to get rid of TDSS infection due to the malware’s rootkit capability. In fact, traces of this malware can only be seen with the use of rootkit-scanning tools and antivirus programs.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.
In this particular attack, Smart Protection Network’s Web reputation service blocks access to the malicious URLs and domains to which TROJ_TDSS.FAT connects. Malicious URLs and domains where copies of the TDSS variant can be downloaded are also blocked. Blocking these sites prevents TDSS from sending and receiving information to and from remote malicious sites. File reputation technology, on the other hand, detects and blocks the execution of the TDSS malware variant and its components on a user’s system.
Trend Micro also provides a fix tool that automatically removes TROJ_TDSS.FAT from an affected system.