HTTPS TidServ

I am a 20+ year veteran of dealing with viruses/malware/spyware, and various trojans, and this is the first one to catch my attention as being really hard to cope with.

 

As Symantec has named it: HTTPS TidServ C&C Domain Request 

 

One of my systems was infected with this trojan and I wanted to share some of my findings regarding how I had to deal with it.

 

First off I knew I had this infection from 2 explicit symptoms:

 

Symptom 1:

 

Every 30 minutes NIS2009 Intrusion Detection was notifying me that computer a57990057.cn was attacking my system local file .../SYSTEM32/SVCHOST.exe.  The attack notification intervals were exactly 30 minutes because that is the time I have the Intrusion Auto Block set for, which means the actual attacks were occurring more frequently. NIS identifies this intrusion as having a signature matching the one they have named HTTPS TidServ C&C Domain Request.

 

Given that my system has a host firewall running and that I am also behind a network firewall, it is clear that my system is initiating the communication to the foreign host so that it can send the attack (the signature which NIS identifies) or else the firewall would just be dropping the packets.  This is the nature of backdoor trojans and how they get around firewalls.

 

Symptom 2:

 

When using Internet Explorer to perform search queries, from google.com for example, from this infected host, the browser was constantly being redirected to various fake Spyware/Malware sites.

 

This is not an uncommon symptom in the world of trojans and hijackers, but what is not common at all about this trojan is how well it hides its infection and entry point.

 

What I tried ...

I started off with the basics.

I booted a Ghost recovery live CD and scanned for viruses using the latest Symantec virus scanner tool and no infections were found.

I made sure my NIS2009 was fully up to date (it was) and so I did a full system scan and no infections were found.

I performed a full system scan using Malwarebytes Anti-Malware and no infections were found.

I performed a full scan using Spybot Search and Destroy, Avast Antivirus, and SUPERAntiSpyware and no infections were found.

 

Ok, so the basics were not helpful here.

 

I then consulted this Symantec Site:

This trojan is also mentioned here: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23576 

which suggests this course of action:

 

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

2. Update the virus definitions.

3. Run a full system scan.

4. Delete any values added to the registry. 

 

I did all of these things. The system scan revealed no results and no registry keys or values were identified as being the cause of infection or related to the cause for infection.

 

I want to point out that I believe the above course of action could not possibly work for this trojan for a couple of reasons.

 

First off, this trojan is behaving as if it were a rootkit.  Clearly the host is infected, judging by its symptoms, yet it is behaving in an undetectable manner.

 

I believe it is a rootkit because in safe mode, symptom 2 does not occur, which tells me that the trojan is possibly executing as a kernel module or service, which means that if the driver or service does not load, then the attacks can not occur.

 

I then proceeded to use various anti-rootkit identification tools and utilities.

A few I have tried and am still working with are: Avast, GMER, Sophos, Trend Micro, and Sysinternals' RootkitRevealer.

 

The automated tools identified no rootkits; as far as GMER and RootkitRevealer go, neither is finding hidden drivers or services, but there are many "hits" being listed as unknown, so I'm faced with quite a bit of research.

 

This trojan is also mentioned in a Norton 360 thread: http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=24992&query.id=1251413#M24992

 

I spent quite a bit of time on the forums listed in the above thread and not one post outlines a definitive procedure for disinfecting a system with this specific trojan.  Given that this trojan is probably a rootkit, and given what is generally known about rootkits, it may be that once infected, a concise disinfection is not even possible.  There seem to be many variants of this trojan, and I have searched the registry and filesystem for the matches that were suggested, but nothing is showing on this infected host.

 

After 2 days of fingerprinting various driver files and services against the Windows XP Service Pack 3 CD, I concluded that rolling back to a previous Ghost image is the only known way to correct this problem in a reasonable amount of time.  I backed up documents to a flash drive and Ghost imaged the infected host so I can go back to it when I feel like doing more analysis.

 

Rolling back to an image did seem to work.  Neither symptom is present now, but given the short period of time Symantec has published protection for this attack signature in their products (December 17th, 2009), I would venture to guess that a good deal of time is going to pass before there is a point-and-click cure for this thing, assuming there is ever going to be one.

 

The thing that has me concerned here is: when and how was the system infected?  The fact that neither NIS nor anybody else's preventative measures seem to be able to stop the infection before it becomes a matched intrusion signature is really bad.

 

Microsoft's Malicious Software Removal Tool doesn't identify this one yet either.

 

If anybody can add to this thread towards a solution, it would be appreciated, but if you're going to post lists of utilities to try and poorly written procedures to try without any explanation as to why they might have success with this particular trojan, then don't bother. There is plenty of that on the Internet already.

 

In the meantime, I suggest you all back up your data and stand ready.

 

Regards,

Charles
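Editor's added example (not part of Charles' post, and not the output of any tool he names): the "fingerprinting driver files against the install CD" step from the post, written as a small Python script. It hashes every .sys/.dll/.exe under a known-good tree and under the suspect volume, then reports files whose hash changed, files the baseline never had, and files that have gone missing. The directory names and file contents below are constructed for the demo; the drivers are hypothetical names, not a claim about which files this trojan touches. Two caveats a practitioner would want: hash the suspect volume from a live CD with the disk mounted offline, as the post did with the Ghost recovery CD, because a kernel-mode rootkit running on the live system can filter what a file read returns; and build the baseline from expanded files (the i386 folder on an XP CD stores most of them compressed as .sy_/.dl_/.ex_, which expand.exe unpacks), otherwise nothing will match.

```python
"""
Offline baseline comparison of Windows system binaries.

Added example, not from the original forum post. Assumes:
  - the known-good tree holds *expanded* files from install media
  - the suspect tree is a Windows volume mounted from a live CD
Both directory layouts and all file contents in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# File types worth fingerprinting; a rootkit driver or patched service host
# will live in one of these.
INTERESTING = (".sys", ".dll", ".exe")


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=INTERESTING) -> dict:
    """Map each relative path (lower-cased, '/'-separated) under root to its SHA-256.

    Lower-casing matters because NTFS is case-insensitive, so the same file can
    appear as SVCHOST.EXE on one tree and svchost.exe on the other.
    """
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            manifest[p.relative_to(root).as_posix().lower()] = sha256_file(p)
    return manifest


def compare(baseline: dict, suspect: dict) -> dict:
    """Classify the suspect tree against the known-good baseline.

    modified : same path, different hash (a legitimate file patched in place)
    unknown  : present on the suspect volume but absent from the baseline
    missing  : in the baseline but gone from the suspect volume
    A modified or unknown entry is a lead, not proof: hotfixes also change
    hashes, so check the Authenticode signature of each hit before acting.
    """
    return {
        "modified": sorted(k for k in suspect if k in baseline and suspect[k] != baseline[k]),
        "unknown": sorted(k for k in suspect if k not in baseline),
        "missing": sorted(k for k in baseline if k not in suspect),
    }


def _write_tree(root: Path, files: dict) -> None:
    """Materialise a dict of relative path -> bytes on disk (demo helper)."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Run the comparison on constructed sample trees with hypothetical file names."""
    good = {
        "system32/drivers/example1.sys": b"KNOWN GOOD DRIVER 1 " * 64,
        "system32/drivers/example2.sys": b"KNOWN GOOD DRIVER 2 " * 64,
        "system32/svchost.exe": b"KNOWN GOOD SERVICE HOST " * 64,
        "system32/readme.txt": b"ignored: not an executable suffix",
    }
    suspect = dict(good)
    # Same name and same size as the original, only the tail bytes changed:
    # a directory listing or size check never shows this, a hash does.
    suspect["system32/drivers/example1.sys"] = (
        b"KNOWN GOOD DRIVER 1 " * 63 + b"KNOWN GOOD DRIVER 1X"
    )
    # A driver the install media never shipped (constructed name).
    suspect["system32/drivers/dropped.sys"] = b"NOT ON THE INSTALL MEDIA " * 16
    with tempfile.TemporaryDirectory() as tmp:
        good_root, suspect_root = Path(tmp, "media"), Path(tmp, "volume")
        _write_tree(good_root, good)
        _write_tree(suspect_root, suspect)
        return compare(build_manifest(good_root), build_manifest(suspect_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for path in paths:
            print(f"  {path}")
```

On a real case you would call build_manifest() once on the expanded install-media tree and once on the mounted suspect volume instead of the constructed trees in demo(). Expect a handful of benign "modified" entries from hotfixes and service packs; what to chase is a modified file whose digital signature no longer verifies, or an "unknown" driver that no installed product accounts for, which is exactly the kind of hit the automated scanners in the post were not surfacing.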