Blog: Tidserv 64-Bit Goes Into Hiding

Backdoor.Tidserv first came to light back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday [Wednesday, August 25, 2010], Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

You can read the rest of this Blog here: Tidserv 64-bit Goes Into Hiding.

Quads has the installers, droppers, MBRs, etc., though it is buggy as anything: if you have the debugger turned on, Windows won't boot.

They must have got inspiration from the Whistler Bootkit to use the MBR and be able to install on x64 systems, getting around PatchGuard.

TDSSKiller etc. are useless.

I did give a mention in this post to infecting x64 systems now: http://community.norton.com/t5/Norton-360/Norton-360-and-Suspicious-Mystic/m-p/274100/highlight/true#M35675

Quads

http://www.symantec.com/connect/blogs/tidserv-s-boot-methods

An Emsisoft malware researcher was where I got my samples from, also with a few extra files from others.

"Regardless, it appears as though this could be an early version of the threat, given some quality issues that exist within the code"

Like I also said, it's buggy as anything.

Quads

To get around the restriction on direct disk access, the dropper uses the \Device\Harddisk*\Dr* device and rewrites the Master Boot Record with the IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl request; after this it sets the reboot flag via ExitWindowsEx.

Though with the bugs in this, sometimes Windows doesn't want to load or takes a long time, and there is a major bug with it if the debugger is turned on.

[main]
version=0.02
aid=[removed by Quads]
sid=0
rnd=[removed by Quads]
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=[removed by Quads]
wsrv=[removed by Quads]
psrv=[removed by Quads]
version=0.11
[Rest removed by Quads]

I can imagine that the bugs will be ironed out by the creators.

Microsoft may have found another indicator that this rootkit has been loaded on an infected system.

If you did not have proactive detection in place, you can (currently) manually check to see if the bootkit is installed. As a side effect of the bootkit, the Disk Management pane of the Computer Management console will fail to show the system drive altogether:

[screenshot: Disk Management pane with the system drive missing]

It will also fail to show up in the command line using diskpart:

[screenshot: diskpart list with the system drive missing]

Note: screenshots above are from the Microsoft blog site.

Norton does detect the files:

(Backdoor.Tidserv.L) detected by Auto-Protect,Quarantined,Resolved -
c:\documents and settings\john\desktop\tdl3 bootkit\backs\drv64
File Actions
File: c:\documents and settings\john\desktop\tdl3 bootkit\backs\drv64
Removed
File: c:\documents and settings\john\desktop\tdl3 bootkit\set\mbr_tdl_files\dropper.exe
Removed
File: c:\documents and settings\john\desktop\tdl3 bootkit\set\mbr_tdl_files\drv64
Removed

c:\documents and settings\john\desktop\tdl3 bootkit\installer\tdlboot.exe
File Actions
File: c:\documents and settings\john\desktop\tdl3 bootkit\installer\tdlboot.exe
Removed

Quads

Hello Quads, just trying to gain understanding here, so a few questions please:

I guess the files shown in that location might get there in reality because someone was tricked into downloading the bootkit? But are they only to do with installing the bootkit and wouldn't actually do (or have done) the harm without some more user interaction?

If that is the case, would the detection and blocking occur at the level when it actually tried to install and infect the MBR?

If the bootkit was actually installed, rather than waiting to be installed, wouldn't there be something else in the removal list shown that might refer to the MBR ...unless it wasn't (or couldn't be) detected/removed maybe?

If the situation has got as far as the MBR being infected (perhaps it can't install without the user doing something anyway), say between regular AV system scans, would it be beyond the capabilities of any security program to rectify matters?

Simple to answer all that: the location is because I created backups of the malicious files, including the dropper / installer, in another location and dormant. That way I can see if the files are detected by Auto-Protect or idle-time scans.

A lot of the time, once the dropper runs and infects the PC, it self-deletes, so I have backups.

I infected my PC on purpose. I infect it with anything from the easy (for me) ones through to TDL, Virut.CF or Ramnit; it doesn't bother me.

Symantec has already stated the detection name Norton states if it detects the infected MBR: Boot.Tidserv.

Quads

Thank you Quads :smileyhappy:

Hitman Pro 3.5.6 build 112 BETA added removal of the TDL3 64-bit rootkit.

It restores the MBR with the original, apparently.

Unsure yet whether that means, if the PC in question uses an OEM version of the MBR, it restores that so it's still the OEM version the PC came with; the likes of Dell, HP, Acer... PCs have Dell PC Restore, HP Restore, etc., which will not function properly without their specific entries in the MBR code.

Also, latest TDSSKiller v2.4.1.3:

\HardDisk0\MBR - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

Quads
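An added example, not code from any post, tool or vendor in this thread: a defender-side MBR baseline check that ties together the MBR rewrite described earlier (the dropper overwriting the Master Boot Record) and the concern above about generic MBR restores breaking OEM recovery code. It hashes the 446-byte bootstrap area and parses the partition table so that a machine's own MBR, captured while clean, can be compared against a fresh read rather than being replaced by a generic one. The partition values, code bytes and device paths in the comments are constructed or assumed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code, the area a bootkit overwrites
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[BOOT_CODE_SIZE + 16 * i:BOOT_CODE_SIZE + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:] == BOOT_SIGNATURE}

def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR against a baseline captured while the machine was clean."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["code_sha256"] != base["code_sha256"]:
        findings.append("bootstrap code differs from baseline (possible bootkit)")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_mbr(code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR sector for testing (not an image of any real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE

# Constructed samples: a "clean" baseline and the same disk with its bootstrap code replaced.
PARTS = [(0x80, 0x07, 2048, 1_000_000)]              # one bootable NTFS-type partition
BASELINE = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
TAMPERED = build_mbr(b"\xeb\x5e\x90\x00\x00\x00\x00", PARTS)

if __name__ == "__main__":
    # For a live disk (administrator/root required), read the first 512 bytes of
    # r"\\.\PhysicalDrive0" on Windows or "/dev/sda" on Linux into `current` (assumed paths).
    print("baseline vs itself:", check_mbr(BASELINE, BASELINE))
    print("tampered vs baseline:", check_mbr(TAMPERED, BASELINE))
```

A rootkit that filters disk I/O on the running system may hand back a clean copy of the sector, so take the comparison read from boot media or with the disk attached offline.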

TDL3 (+) is still being updated also, with an updated tdlcmd.dll (3.95) which is somehow able to hammer routers when the connected PC is infected.

I have not tested; Quads is busy in the middle of an earthquake zone with over 140 aftershocks over 4 days.

[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid= [Removed by Quads]
subid= [Removed by Quads]
installdate=7.9.2010 13:11:17
builddate=2.8.2010 10:23:9
rnd= [Removed by Quads]
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=[Removed by Quads]
wspservers=[Removed by Quads]
popupservers=[Removed by Quads]
version=3.95

Quads

Quads wrote:

Quads is busy in the middle of an earthquake zone with over 140 aftershocks over 4 days.

Being a Southern Californian I have been through a few of these as well (the 7.3 Landers quake was the scariest).  It's amazing that now, within a minute or two of any quake, you can go online and see the epicenter and the magnitude.  What used to take hours to collate is now available to the public in real time, thanks to major instrumentation in seismic areas and the internet.

http://earthquake.usgs.gov/earthquakes/recenteqsww/

Hope you did not sustain any major damage, and that you and those you are close to came through everything OK.

http://www.geonet.org.nz/earthquake/drums/mqz-drum.html

Quads

Latest x64 update:

[main]
version=0.03
aid=40124
sid=0
builddate=4096
rnd=179605362
[inject]
*=cmd.dll
[cmd]
srv=  [Removed By Quads]
wsrv=  [Removed By Quads]
psrv=  [Removed By Quads]
version=0.14

Quads

Boot.Tidserv, Tidserv.L bootkit

version 0.01: without x64 code (one dropper, it seems)
version 0.02: fully workable (just a few droppers), buggy, can cause non-booting XP
version 0.03: with changed infector (driver too), also a few samples, buggy, can cause non-booting XP

Quads

The Tidserv bootkit version 0.03 has now been seen together with rogues like Antivirus8 on infected machines.

Quads