Last week, we saw reports about TDL4 (the most recent iteration of TDSS) exhibiting self-propagation routines. The worm component, which Trend Micro detects as WORM_OTORUN.ASH, was first discovered in early March, and our internal statistics show a continuous increase in this malicious operation. North America and Japan, in particular, appear to have the largest number of infected systems.
This data also suggests that the TDSS gang has been busy capitalizing on this worm to expand their botnet. Just recently, however, they added a new trick to the worm: it now includes code that turns the infected system into a Dynamic Host Configuration Protocol (DHCP) server whose domain name system (DNS) setting points to a malicious IP address.
According to Trend Micro Threats Analyst Brian Cortes, once the rogue DHCP server is connected to a LAN, it confuses other computers in the network into using the rogue DHCP server over the network’s real domain controller. As a result, these computers use the malicious DNS server instead of the legitimate one. The malicious IP address, when accessed, shows a fake browser update site that leads to either a copy of the worm itself or to a TDL4 binary download.
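The rogue server described above works because a client accepts whichever DHCP OFFER/ACK it receives and applies the DNS servers listed in option 6. A defender can catch this by inspecting server-originated DHCP messages on the wire and flagging any whose server identifier (option 54) or DNS list (option 6) is not on the allowlist of known-good infrastructure. The following is an added example, not code from the original post or from Trend Micro: it contains a small DHCP option parser plus a classifier, and the packets it checks are constructed in the script (TEST-NET addresses), not captured from an infected network.

```python
"""Flag rogue DHCP offers by their server identifier and the DNS servers they push.

Added example. Sample packets are constructed inline with build_dhcp(); nothing
here is a capture from a real infection.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2132)
OPT_DNS = 6                          # domain name server list
OPT_MSG_TYPE = 53                    # DHCP message type
OPT_SERVER_ID = 54                   # identifies the responding DHCP server
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP packet (236-byte BOOTP header,
    magic cookie, then type/length/value options terminated by 0xFF)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> list:
    """Decode a concatenated list of IPv4 addresses (used by options 6 and 54)."""
    if len(raw) % 4:
        raise ValueError("IPv4 list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def classify_offer(packet: bytes, trusted_dhcp: set, trusted_dns: set) -> list:
    """Return the reasons a server-originated DHCP message looks rogue.
    An empty list means the message only references allowlisted infrastructure."""
    opts = parse_dhcp_options(packet)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    if msg_type not in ("OFFER", "ACK"):
        return []              # client messages never hand out DNS settings
    reasons = []
    server = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in trusted_dhcp:
        reasons.append(f"{msg_type} from unknown DHCP server identifier {server}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            reasons.append(f"{msg_type} pushes untrusted DNS server {dns}")
    return reasons


def build_dhcp(msg_type: int, server_id: str, dns: list) -> bytes:
    """Build a minimal DHCP server reply for testing (constructed sample, not a capture)."""
    header = b"\x02" + b"\x00" * 235     # op=2 (BOOTREPLY); other header fields zeroed
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    body += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(
        ipaddress.IPv4Address(d).packed for d in dns)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: one legitimate OFFER and one from a rogue server that
# pushes an outside DNS resolver, as the worm's DHCP component does.
TRUSTED_DHCP = {"192.0.2.1"}
TRUSTED_DNS = {"192.0.2.53"}
LEGIT_OFFER = build_dhcp(2, "192.0.2.1", ["192.0.2.53"])
ROGUE_OFFER = build_dhcp(2, "192.0.2.77", ["198.51.100.9"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, classify_offer(pkt, TRUSTED_DHCP, TRUSTED_DNS) or "ok")
```

In practice the packets come from a port mirror or a sensor listening on UDP 67/68; feeding each OFFER and ACK through classify_offer() and alerting on a non-empty result surfaces a rogue server the moment it answers a client, which is earlier than waiting for a user to notice the fake update page.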
We have seen several end-user reports regarding this rogue DHCP infection. To give you an idea of what is really happening to infected PCs, look at the following overview of the infection chain:
Interestingly enough, I noticed that the malicious URLs and IP addresses from which WORM_OTORUN.ASH downloads BKDR_TDSS.ASH are hard-coded into the worm’s code. It is still unclear to me whether the worm was also developed by the TDSS gang or whether they are partnering with another group of cybercriminals. Either way, I find this worm/TDL4 tandem a little incongruous, in the sense that the worm contradicts the “stealthiness” of TDL4. Although WORM_OTORUN.ASH does a good job of spreading the bootkit, it has no stealth techniques of its own and can easily be detected by antivirus engines. In addition, it drops .LNK and .INF files that are heuristically detected by antivirus software, making it a “noisy” piece of malware overall.
While TDL4 is hard to detect on a system, the presence of the worm component (plus the rogue DHCP server) may lead users to suspect an infection and to run forensic tools, which may then lead to the discovery of the bootkit. I’m not sure what these guys are thinking, but it leads me to speculate one of two things: either they did not foresee this, or they are confident enough in the sophistication of their bootkit.
Nevertheless, all of the malicious URLs and IP addresses related to this threat are now blocked through the Trend Micro™ Smart Protection Network™. We checked other IP addresses in the same range as the ones used by WORM_OTORUN.ASH and found that these are also known hosts of malicious files. Any attempt to access these URLs will be prevented by your Trend Micro solution.
With additional analysis from Trend Micro Threats Analyst Brian Cortes