TDSS is spreading at an alarming rate, and the owners or controllers of the botnet it creates fight an impressive chess game with it. I'm going to keep this as short and concentrated as possible... as otherwise I would have to write 50 pages to effectively convey everything that needs to be said.
Take what I say and add water, several gallons, to decompress the message and behold its true volume...
I've battled exploits of all flavors for the last 10 years in impressive volume in my field, and I carefully study the mechanics and motivations behind them as well. I don't just aim for the paycheck; I take it personally, as I see this as a truly serious problem and one we are rapidly falling behind on. With that said, my latest assessment of TDSS and/or its equivalent related cousins is that nearly 1/3 of all computers (probably more like half, but that sounds impossible to those who don't see enough computers weekly to know the ratio) have the rootkit, or have the configurations and modifications it makes. Now that I've shot off the ratio I believe is real, let me update those few brave and intelligent souls who actually care to follow the progress of this rootkit.
TDSS has the ability not only to hide itself and other associated allied bugs and tools all over the disks and their MBRs... it has the capability to write itself to any and all available EEPROMs (or BIOS chips).
This said, I had not actually seen this personally until yesterday. I got a live one. Let me describe its effects so you can update your understanding of how serious this game is. A machine came to me testing positive for TDL-4. It was removed, and then subsequent forensics revealed modifications to the MBR and anomalies in run-time memory structure. I ignored the latter while focusing on the MBR situation. Based on gut feeling (pages of info most don't want to hear or can't understand) I cut to the chase and simply pulled the drive and went with a new replacement. It was a 64-bit machine, so I opted for a 64-bit OS, and the customer agreed. With that deal sold, I proceeded with the install, and it went without a hitch (I thought) until the final setup phases. Running slower than a union thug overdosing on sleeping pills, I noticed the proc usage at 100%... never coming down, not one bit, to even 99%... I assumed (never assume anything) maybe RAM errors or driver conflicts / missing or wrong drivers / misconfigurations... everything very carefully considered... no tail chasing, no guessing. Considered thermal issues and reseated heatsinks on proc and chipsets, properly. Resorted to careful and intelligent "swap-tronics" on peripherals (video adapter, RAM modules, CD drives) and turning off all but essential components at board level. Nothing worked. The union dude running things was falling asleep... It was getting worse... Mind you, all this time there was NO network interface connection, so nothing was going on RPC-wise. I knew to keep that isolated early on. I was starting to suspect what I had only seen in white papers, and my gut was getting tight and I felt sick. At the same time my interest was growing slowly, building to this odd excitement. The kind of excitement a firefighter might experience when realizing that the abandoned burning building they just put out contains 48 bodies of women and children buried in the ashes he just walked over.
So, I obtained and re-flashed the BIOS. Stuff changed, the errors changed, it felt different, just worse... and slower. I tried (carefully, very thoughtfully too) several revisions of BIOS, to no avail. Reinstalling the OS the 2nd time revealed errors right from the start in the form of randomly unreadable files from the CD. I used a proven clean and perfect drive as the installer drive the 3rd round. More errors, more intense, more variety. Different (brand new, top quality) RAM, different OS disks (brand new, I unpackaged them), different OS types even. Went from Win 7 64-bit, to Vista Ultimate 64-bit, to Win XP 32-bit. Nothing but complete chaos, chaos I say due to the puzzling variety of seemingly random, uncorrelated errors and symptoms. It was like a haunted house... one in a really bad dream where you pee the bed. I literally began to think I was not really awake. So finally I concluded that the worst scenario, that TDSS had either written to or corrupted the EEPROM on the board, was indeed the reality in front of me. I wanted to take the board and send it to Symantec with my own written account, in hopes of helping the global effort against these kinds of things. I still might... after I dig it up from the 4-foot-deep (unmarked and very remote) grave I buried it in.
As a matter of fact, since my shop is basically for electronic engineering and well equipped, I even made a flash copy of the removable "QFP" (quad-flat-package / "pins on all 4 sides") packaged EEPROM to an archive disk for possible future forensic inspection. I'm taking this pretty seriously.
Upon replacing the board, I noticed 3 of the electrolytic capacitors had "popped tops"... now let me state clearly, I do carefully look at ALL caps upon initial inspection, and I inspect all boards on ALL jobs before any work, period. I'm very serious about that. This board had no bad caps at first. I'm absolutely sure of this. These capacitors boiled up and out-gassed during this repair, and it wasn't from bad configurations. I made sure no configs from the re-flashes set anything aggressively or overclocked. All settings flashed were conservative-to-retarded (low drive).
So to my best assessment I really think that this variant of TDSS, or whatever component it installed, had a self-destruct instruction, so when you try to "disarm" it, it simply creates an instruction loop and burns up whatever it can, in a selfish fit. The extreme proc usage (stuck at 100%) was actually the thing performing the self-destruct loop. Imagine the mentality of its author. What a brat, bleep. I guess it's a case of "I worked hard to steal this, and if I can't have it, I'm gonna break it so no one else can have it."
Now I'm not just freaking out over the loss of this singular board, or my time shot troubleshooting... no, this is serious. This raises the bar considerably. If it proves to contain a self-destruct clause, that copy of the recovered PROM will be prolific. It's not the self-destructing I'm pointing out, it's the nature of the capabilities, and the complete intensity of its determination. Had it not been for the self-destruct loop, and my intention to replace the board anyway before realizing this, lesser techs would have returned that unit and its infection to service, continuing its life and its spread ad nauseam.
The moral and the takeaway here, my fellow technicians (those who actually care about this fight we are losing), is that official estimations lag behind reality, and the determination of techs in the field to not only identify these bugs but to understand them and take the fight to a higher level is weak at best. I'm afraid we are the few, and it will take the majority of all IT / IS techs to fight this battle and win. I don't see that happening. The forest is on fire, and there will be no one to put it out. This won't even be mentioned in news articles until AFTER the internet crashes from the load of infected and vulnerable machines working it. As a side note, to put perspective on it, I verified that even mainstream web servers, Yahoo to name one owner, have been spreading TDSS variants randomly. I would like to do onsite inspection of server farms like "The Planet" and others for an accurate estimate. I doubt I would get clearance to do that. And if I presented the facts found (if positive and confirmed) to authorities and media, I think they would cover it up like a UFO sighting. Too much money to lose. They'd rather drive the whole thing into the dirt to get maximum profit instead of losing a dollar of stock value. Wall Street fears this kind of thing. We are in for a bumpy ride I'm afraid... be vigilant, and fight the good fight my friends. By the time any sizable number at all adjust their knowledge and techniques to this evolved threat, it will have advanced itself beyond the reach of crazed hunter academics like me, I fear.
Thank you for taking the time to consider what I write. At least I tried.
Edited by circuitburner, 29 January 2011 - 12:34 PM.