Presentation is loading. Please wait.

Presentation is loading. Please wait.

The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab.

Published byCharlotte Patrick Modified over 9 years ago

Similar presentations

Presentation on theme: "The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab."— Presentation transcript:

1 The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab

2

3 Content 1.TDSS Overview 2.Reversing TDSS networking 3.Analyzing p2p functionality 4.Monitoring active bot 5.Getting CnC stats

4 TDSS Overview

5 Main modules MBR infector – bypass drivers digital signatures protection x64 rootkit – TDSS works on every modern Windows system Clicker – clicks banners and links Target on Black SEO – promoting web site via Google, Bing, Altavista and more

6 Affiliate Network Two Affiliate Networks are spreading TDSS 20 - 200 USD for 1 000 installs Affiliates installs TDSS via SPAM, Worms, Exploits and etc.

7 Malicious DHCP

8 Boot

9 Reversing TDSS networking.

10 Client to Server command|noname|30127|0|0.03|0.15|5.1 2600 SP2.0|en-us|iexplore|351|0 and Benchmark(20000000,md5(1))|1614895754 1. Original request 2. RC4 or its modification where Key is the targeted host name ХЪ7U>tюjЇ\+_Э→/CИY>Kо↓н>4LxoУч¶@_►F_M!аw♀:Ыp↔d;_fщ☻§ю¶♥0язl 3. BASE64 r1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3 4EszDdXaN1U+dP5qr1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3DDr 4. Additional trash 5. HTTPS

11 Server to Client 1. Set Name parameter – additional unique key for RC4 or its modification

12 ANALYZING P2P FUNCTIONALITY

13 Analyzing p2p functionality KAD.DLL algorithm: 1.Share encrypted file named as “ktzrules” 2.Upload kad.dll on TDSS infected PCs 3.Kad.dll loads public nodes.dat file with KAD Client/Servers IPs 4.Kad.dll searchs for “ktzrules” file in public KAD network 5.Kad.dll downloads “ktzrules” and executes commands

14 Analyzing p2p functionality KAD.DLL functions: 1.SearchCfg – find “ktzrules” file with commands 2.LoadExe – Find and download exe file from KAD 3.ConfigWrite – write in configuration file 4.Search – find specified file in KAD 5.Publish – publish specified file 6.Knock – download new nodes.dat file Public KAD Net Default nodes. dat. TDSS KAD Net Nodes. dat with Clean and Infected users IPs

15 Monitoring active bot

16 Installs and proxy

17 Anti-Virus Gbot ZeuS Clishmic Optima Full list includes ~30 malware families name

18 Getting CnC stats

19 60 proxy CnCs 3 MySQL DBs 5M infected PCs in 3 months

20 Summary MBR infector – bypass drivers digital signatures protection x64 rootkit – TDSS works on every modern Windows system Clicker – click banners and links Target on Black SEO – promoting web site via Google, Bing, Altavista and more P2P botnet – no servers, no centers, sophisticated crypto protection for command file in hidden KAD network. Own AV – detects more then 30 malware families Clients Proxy –additional anonymizer via infected PCs 5 millions infected computers

21 http://www.facebook.com/KasperskyConference http://www.kaspersky.com/educational-events

22 | 12 October 2010Kaspersky Lab PowerPoint Template

23 Thank You Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab Qu35t10n5?

Download ppt "The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab."

Similar presentations

Malware Artifacts.

Malware Artifacts.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
SPAM/BOTNETS and Malware  Neil Warner, CIO, GoDaddy.com  Moderator: Dan Kaplan, deputy editor, SC Magazine.

SPAM/BOTNETS and Malware  Neil Warner, CIO, GoDaddy.com  Moderator: Dan Kaplan, deputy editor, SC Magazine.
AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.

AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Introducing Kaspersky OpenSpace TM Security Introducing Kaspersky ® OpenSpace TM Security Available February 15, 2007.

Introducing Kaspersky OpenSpace TM Security Introducing Kaspersky ® OpenSpace TM Security Available February 15, 2007.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.

Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
Proxy servers By Akshit Y10. What is a proxy server O A proxy server is a computer that offers a computer network service to allow clients to make indirect.

Proxy servers By Akshit Y10. What is a proxy server O A proxy server is a computer that offers a computer network service to allow clients to make indirect.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using a Cisco Router as a DHCP Server.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using a Cisco Router as a DHCP Server.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Similar presentations

Ads by Google