Posted 02 September 2011 - 04:43 PM
I am a TDSS "sufferer" (not suffering too much, I needed to do a clean reinstall anyway as it has been a while), who has some sort-of antimalware responsibilities at work but is far from a professional. Looking around as much because I'm curious about TDSS as because I need help, although I intend to "play with" TDSS a bit on my system while it is offline and disconnected from peripherals, because I'm interested and want to generate some logs about the particular variety I have.
Interesting points so far:
- Acquired via a DHCP/DNS fake on my network. Fake Firefox upgrade (yes, I'm a dummy, but there were no spelling errors! And they used the right colors!).
- Infection changes where DNS points, both on my network and elsewhere. Including to a 10.*.*.* destination - this is when I knew something was wrong.
- Part of the active portion appears to run in an svchost.exe with a 127.0.0.1 thread.
- Infection diagnosed by my network admin (thank you!), who probably saw my box pop up with a fake DHCP server just like the one I visited elsewhere on the network.
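The rogue DHCP/DNS symptom described in this post (a resolver suddenly pointing at a 10.x address) can be checked for from a host; the following added example is not code from the post or from any TDSS tooling. It parses a constructed `ipconfig /all` excerpt and flags DHCP or DNS servers that are not on an assumed allowlist, calling out private-range strangers, since those suggest a rogue box on the LAN rather than an upstream change.

```python
import ipaddress
import re
# Constructed `ipconfig /all` excerpt (only the lines the check needs); the
# 10.x DNS entry mirrors the symptom described in the post.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.57
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 10.44.7.2
                                       192.168.1.1
"""

# What the network owner expects to see (assumed values for this example).
EXPECTED_DHCP = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8"}

def parse_ipconfig(text):
    """Return {'dhcp': [...], 'dns': [...]} from ipconfig /all output.
    Extra DNS servers appear on continuation lines holding only an address."""
    found = {"dhcp": [], "dns": []}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(DHCP Server|DNS Servers)[ .]*:\s*(\S+)", line)
        if m:
            current = "dhcp" if m.group(1) == "DHCP Server" else "dns"
            found[current].append(m.group(2))
            continue
        m = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if m and current == "dns":
            found["dns"].append(m.group(1))
        else:
            current = None
    return found

def find_rogue_servers(parsed, expected_dhcp, expected_dns):
    """List (role, address, reason) for servers not on the expected lists."""
    findings = []
    for role, expected in (("dhcp", expected_dhcp), ("dns", expected_dns)):
        for addr in parsed[role]:
            if addr in expected:
                continue
            reason = "unexpected %s server" % role.upper()
            if ipaddress.ip_address(addr).is_private:
                reason += " in a private range (rogue host on the LAN?)"
            findings.append((role, addr, reason))
    return findings
```

Run `find_rogue_servers(parse_ipconfig(SAMPLE_IPCONFIG), EXPECTED_DHCP, EXPECTED_DNS)` to see both the unexpected DHCP server and the 10.x resolver reported; on a real machine feed it the output of `ipconfig /all` instead of the sample.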