TDSS Pretends to Be a TweetDeck Update

by Trend Micro Employee ‎09-13-2010 12:38 AM - edited ‎09-13-2010 09:42 PM

The Threat Defined

TDSS Targets TweetDeck Users

TDSS malware had been working quietly in the background alongside more prominent families until February, when it caused blue-screen-of-death (BSoD) errors on systems whose users installed the Windows MS10-015 security update: the rootkit's patched kernel drivers relied on kernel addresses that the update changed, and Microsoft had to withdraw the update and later reissue it. In its latest attack, however, TDSS made plenty of noise by targeting Twitter, one of the biggest players in today's online scene.


In August, the developers of the popular Twitter client TweetDeck notified users that an upgrade was coming to support Twitter's new authentication protocol (the switch from basic authentication to OAuth). Shortly thereafter, the group behind TDSS got wind of the news and used it as an opportunity to spread its own malicious software, releasing its own version of the notification via Twitter.


Fake TweetDeck Update

TDSS variants arrive through a variety of infection vectors, depending on the cybercriminals' chosen approach and target. Most commonly they are downloaded from remote sites or by other malware. A variant may also arrive bundled in a malware package as the component whose job is to conceal the package's other malicious routines on the affected system.


In this attack, the cybercriminals used Twitter as the infection launchpad. They spread malicious tweets containing a shortened URL that pointed to a supposed TweetDeck installer named tweetdeck-08302010-update.exe. The file is not a TweetDeck update at all but a TDSS variant, detected as TROJ_TDSS.FAT.

Figure 1. Sample TweetDeck update spam


TDSS usually consists of several components with distinct functions. Like earlier generations, this variant has three major components: the dropper/loader, the .DLL file, and the patched driver. Here, the downloaded fake installer acts as the loader. The loader drops the other component files and creates the registry entries that register them as part of its installation. Once installation is complete, it deletes itself to remove traces of the infection.

Upon execution, the Trojan creates a copy of itself and turns that copy into a .DLL component. This component monitors processes (usually those associated with Web browsing) and carries the download- and bot-operation-related payloads.


It then patches a randomly chosen .SYS driver so that the malware is loaded automatically at system startup; the patched driver is detected as PE_TDSS.A. Because Windows loads the driver as part of normal boot, it gives the malware a kernel-mode foothold every time the system starts. The final payload is a backdoor routine that connects to certain sites to send and receive information.

Figure 2. TROJ_TDSS.FAT infection diagram
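The persistence step in the chain above (a legitimate driver patched so that it loads the malware at boot) is one place a responder can look for evidence without trusting the running system. The script below is an added example, not code from the original page or from Trend Micro. It assumes, as a detection heuristic rather than as a documented property of TROJ_TDSS.FAT or PE_TDSS.A, that a patched driver's entry point has been redirected into a section that was never meant to hold code. It parses the PE section table of a driver image, locates the section containing AddressOfEntryPoint, and reports when that section is not an ordinary code section. The two driver images it checks are constructed inside the script (real headers, zero-filled section bodies) so it runs offline; all function names are the example's own.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
CODE_SECTION = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_SECTION = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a raw PE file buffer."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, opt + size_opt + i * 40)
        name, vsize, va, raw_size, _, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, raw_size), "chars": chars})
    return entry_rva, sections


def entry_point_findings(data):
    """Flag a driver whose entry point does not sit in a normal code section (heuristic)."""
    entry_rva, sections = parse_pe(data)
    home = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    findings = []
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point 0x%x in non-executable section %s" % (entry_rva, home["name"]))
    if not home["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry point 0x%x in non-code section %s" % (entry_rva, home["name"]))
    if home["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % home["name"])
    return findings


def build_image(entry_rva, sections):
    """Construct a minimal PE32 file with the given (name, rva, size, chars) sections.
    Constructed test data only: section bodies are zero-filled, not real driver code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    size_opt = 224                                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x10000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    headers_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                     # first section raw offset, file-aligned
    table = b""
    for name, rva, size, chars in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, rva, size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + b"\0" * (raw_ptr - headers_len)


# Constructed samples: identical section layout, entry point moved from .text into .rsrc.
LAYOUT = [(b".text", 0x1000, 0x1000, CODE_SECTION), (b".rsrc", 0x2000, 0x1000, DATA_SECTION)]
CLEAN_DRIVER = build_image(0x1200, LAYOUT)
PATCHED_DRIVER = build_image(0x2040, LAYOUT)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DRIVER), ("patched", PATCHED_DRIVER)):
        print(label, entry_point_findings(image) or ["no findings"])
```

Run it against .sys files copied from the suspect system's disk from an offline boot or a disk image rather than from the live system, since a running rootkit can serve clean copies to ordinary file reads. A hit is a lead, not a verdict: some packers and legitimately obfuscated drivers trigger the same heuristic, and a rootkit that overwrites existing code inside .text instead of redirecting the entry point would not be seen by this check at all. Verifying the driver's Authenticode signature against a known-good copy is the complementary check.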


TDSS Update

TDSS is known for its sophisticated evasion: it creates and reads its files in memory rather than leaving them on disk. Besides deleting related files to hide the infection, it spreads its routines across the memory of different processes, which confuses security analysts and makes the infection harder to trace.


The newest TDSS variants take a different approach to infecting systems, trying to cover every possible way of evading detection. Current variants monitor related processes and prevent antivirus software and third-party tools from detecting their presence. They do this with the help of dropped components that are not malicious in themselves but carry the information the malware needs for its routines, such as monitoring processes and tracking the user's Internet browsing activity.


User Risks and Exposure

With Twitter's current population of 145 million registered users, cybercriminals can be expected to keep exploiting the site's popularity to spread malicious code. In this attack, they took advantage of the large following of TweetDeck, one of the top Twitter clients, and of the fact that concerned users would soon have to update their software, since Twitter was about to drop support for the authentication protocol used by older TweetDeck versions.


Users unaware of this new tactic may fall prey to the variety of malicious programs TDSS can download and install, specifically information stealers and backdoors. A TDSS infection is especially difficult to remove because of the malware's rootkit capability: the running rootkit hides its files and registry entries from ordinary tools, so traces of it can generally be seen only with dedicated rootkit scanners or antivirus programs that examine the disk and kernel directly.


Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.


In this particular attack, Smart Protection Network’s Web reputation service blocks access to the malicious URLs and domains to which TROJ_TDSS.FAT connects. Malicious URLs and domains where copies of the TDSS variant can be downloaded are also blocked. Blocking these sites prevents TDSS from sending and receiving information to and from remote malicious sites. File reputation technology, on the other hand, detects and blocks the execution of the TDSS malware variant and its components on a user’s system.


Trend Micro also provides a fix tool that automatically removes TROJ_TDSS.FAT from an affected system.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/tdss-pretending-to-be-tweetdeck-update/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_TDSS.FAT

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_TDSS.A

Other related posts are found here:
http://blog.trendmicro.com/windows-update-triggers-bsod-errors/

http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=111209-TDSS.xml

http://support.tweetdeck.com/entries/249941-do-not-download-fake-tweetdeck-update-appearing-on-twitt...

http://www.pcworld.com/businesscenter/article/204507/scam_preys_on_required_tweetdeck_update.html

http://www.sfgate.com/cgi-bin/article.cgi?f=%2Fc%2Fa%2F2010%2F09%2F03%2FBUHI1F8DED.DTL#ixzz0yamqsPqR

http://www.twitstat.com/twitterclientusers.html

Comments
by on ‎09-13-2010 08:21 PM

When trying to run the fix tool, I get an error that "SSAPIPTN.DA5 is missing." Why don't you include that pattern file?

by on ‎09-20-2010 10:17 AM

TrendLabs QA responds: "We are working on an enhanced fix tool for PE_TDSS.A. We will add a dummy DA5 to this fix tool and replace the one mentioned [here]."