Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » TDSS


Destructivity Unknown UNKNOWN
Payload Bot, Hides files on disk, downloads and installs malware
Detection files published 05 Jan 2009 03:00:00
Description created 13 Jan 2010 12:33:00
Description updated 13 Jan 2010 12:33:00
Malware type TROJAN
Alias TDL3
Spreading mechanism UNKNOWN



We have observed TDSS being spread mostly through warez and torrent sites offering fake cracks and keygens.
Some Rogue AV families have been observed installing TDSS as an additional payload.

Payload Details

TDSS is a stealthy rootkit. It operates by infecting a low level system driver, typically atapi.sys, iastor.sys or vmscsi.sys. It will, much like a virus, overwrite parts of the resource section of the chosen driver with parasitic code that will execute before the host. When the system boots up, this code will load the main rootkit component very early in the booting process.
The different modules are stored encrypted outside the local file system. TDSS implements its own file system located at the last sectors of the hard disk, only accessible to the rootkit itself and its user mode components.
The rootkit hijacks the device object responsible for disk access. Any request to read or write to disk are in this way intercepted. In the case of reading the contents of the infected driver, a clean version will be presented. In this way, the rootkit remains hidden while active.
The userland components stored alongside the rootkit component are injected into a process by the rootkit
when it loads at boot time. In order to provide access to the encrypted file system for these components, the rootkit creates a device object with a random name. The components typically provides bot functionality, and may download and install additional malware.




Please download and run Lumension TDSS Cleaner. Note that only the latest generation of TDSS (called version 3) is supported by the cleaner at this time.

Last Updated: 12 Nov 2015 11:06:10