I originally published this blog at http://community.ca.com/blogs/securityadvisor
December 12 2008, 03:19 PM by Benjamin Googins
On November 10 of this year in a blog titled “Emerging Threat: AntiVirus 2009” I explained that our Support and Research teams were seeing a jump in the number of AV 2009 infections (we first saw copies of AV 2009 in June of this year). Well, this threat is well beyond ‘emerging’. Over the last 4 weeks we have seen a jump in the use of rootkits to hide, protect, and keep the AV2009 infection resident. Of course, the use of rootkits is nothing new and the rogue software AntiVirus 2009 is nothing new, but over the last 4 weeks our Support team has seen an explosion of the two working in tandem. To learn more about rootkits, read here.
The Silent Infection Indicators (quite difficult to identify)
This infection is comprised of two very different components that work toward one cause: getting your money. Your money is the bottom line! First, you have the trojan element. It consists of a variety of files, some of which include rootkit elements. This component of the infection is not easily visible and is intent on staying hidden, running silently in the background, protecting itself and related files, and downloading the rogue product. The rootkit consists of a system driver located in the drivers folder at C:\windows\system32\drivers\TDSS****.sys (not viewable without special tools). The file name appears to be semi-random. The first half of the driver name is fairly consistently “TDSS”. The second half, represented here with asterisks (*), varies from install to install. For example, across three installs, I had three different filenames: TDSSmxst.sys, TDSSliqp.sys, and TDSSosvn.sys – same file, different names. This rootkit has recently been accompanied by the file brastk.exe, which shows up in two locations: C:\WINDOWS\system32\ and C:\WINDOWS. This file is not randomly named and stays generally static (for now). In some instances, this infection prevents common anti-rootkit tools from running. The infection makes a lot of registry changes, like: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata”.
The Noisy Infection Indicators (the easily visible aspects)
Second, the other component of this infection relates to the rogue security product. This component is in your face and repeatedly pops up and nags at you. You will often find links to it on your desktop and in your Program Files. It is generally very easy to remove. The infection opens a warning from the system tray at regular intervals (see the box numbered B in the image below). The sample I tested opened this warning every three minutes and would leave the window open for 16 seconds before closing. If you click on the window, it will automatically begin downloading a rogue security product. The rogue product can vary (and most assuredly will change in the future), but can include AntiSpywareXP 2009, AV2009, AntiVirus 2009, AV 2008, AntiVirus 2008 and other related variants (see the box lettered A below). If you close the installation window, it will open the window again and continue downloading – this process will repeat indefinitely (and cause you a big headache). There is a white “X” that stays resident in the system tray (see the icon labeled C).
This infection makes changes to your system like adding new Program Files directories, registry changes and shortcuts on the desktop. Directories include: %PROGRAM_FILES%\Antivirus 2009, %PROGRAM_FILES%\Antivirus2009, %STARTMENU%\Antivirus 2009, and %STARTMENU%\Antivirus2009, to name just a few. These directories generally are similar to or the same as the name of the rogue security product. These directories contain related files. Registry entries are vast, and can include: “HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xp antivirus 2008”.
The infection also redirects browser requests and often blocks your anti-malware product from updating. The IPs change rapidly, so I will hold off posting anything specific here because they will probably be out of date by the time you read this, but if you try connecting to a site you regularly go to and are redirected to a strange page, you are probably infected.
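As an added illustration of the indicators listed above (this is example code written for this page, not CA's tooling and not anything from the original post), the Python below matches the TDSS file-name pattern, the two brastk.exe locations, the rogue-product directories and the registry entries described in the preceding paragraphs against a constructed inventory. It also shows the cross-view comparison that anti-rootkit tools rely on: a driver the rootkit filters out of normal directory listings appears only in a raw or offline listing. The tolerance of 1 to 8 characters in the TDSS suffix, the sample listings and the run-key data path are assumptions made for the example.

```python
"""Triage of the AntiVirus 2009 / TDSS indicators from the post over a
constructed inventory. Added example; not CA's tooling or the author's code."""
import re
from dataclasses import dataclass

# File-name pattern for the rootkit components (TDSS****.sys and the
# TDSS*.dll/.dat/.log files the post lists). The post shows four-letter
# suffixes; accepting 1-8 alphanumerics is an assumption to tolerate variants.
TDSS_NAME = re.compile(r"^tdss[a-z0-9]{1,8}\.(sys|dll|dat|log)$", re.I)
# Rogue-product directory names from the post (Antivirus 2009, AV2009, ...).
ROGUE_DIR = re.compile(r"^(antivirus|antispywarexp|av)\s?200[89]$", re.I)
# Run-key value names or data referring to the rogue product.
RUN_VALUE = re.compile(r"(antivirus|antispyware)\s?200[89]", re.I)


@dataclass
class Finding:
    kind: str   # indicator category
    item: str   # path or registry location that matched


def check_files(paths):
    """Match the file and directory indicators from the post."""
    findings = []
    for path in paths:
        norm = path.replace("/", "\\").lower()
        folder, _, name = norm.rpartition("\\")
        if TDSS_NAME.match(name) and "\\system32" in folder:
            findings.append(Finding("tdss-file", path))
        if name == "brastk.exe" and folder.endswith(("\\windows", "\\windows\\system32")):
            findings.append(Finding("brastk", path))
        if ROGUE_DIR.match(name) and ("program files" in folder or "start menu" in folder):
            findings.append(Finding("rogue-dir", path))
    return findings


def check_registry(registry):
    """registry: {key path: {value name: data}}, as a .reg export would give."""
    findings = []
    for key, values in registry.items():
        lowered = key.lower()
        if "\\tdss" in lowered:
            findings.append(Finding("tdss-regkey", key))
        if lowered.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if RUN_VALUE.search(name) or RUN_VALUE.search(str(data)):
                    findings.append(Finding("rogue-run", key + "\\" + name))
    return findings


def hidden_files(api_view, raw_view):
    """Cross-view check: entries a low-level (raw disk / offline) listing has
    that the live Windows API listing lacks. A driver the rootkit filters out
    of directory listings shows up only here; this is the idea the
    anti-rootkit tools named in the post rely on."""
    seen = {p.lower() for p in api_view}
    return sorted(p for p in raw_view if p.lower() not in seen)


def triage(api_view, raw_view, registry):
    findings = check_files(raw_view) + check_registry(registry)
    findings += [Finding("hidden-file", p) for p in hidden_files(api_view, raw_view)]
    return findings


def kind_counts(findings):
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample inventory (not captured from a real machine). Names follow
# the post; the run-key data path is invented for illustration.
LIVE_LISTING = [
    r"C:\WINDOWS\system32\brastk.exe",
    r"C:\WINDOWS\brastk.exe",
    r"C:\WINDOWS\system32\TDSSncur.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Antivirus 2009",
    r"C:\Program Files\Mozilla Firefox",
]
# The raw listing additionally sees the driver the rootkit hides from the API.
RAW_LISTING = LIVE_LISTING + [r"C:\WINDOWS\system32\drivers\TDSSmxst.sys"]
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata": {},
    r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run": {
        "xp antivirus 2008": r"C:\Program Files\Antivirus 2009\av2009.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}

if __name__ == "__main__":
    for f in triage(LIVE_LISTING, RAW_LISTING, REGISTRY):
        print(f"{f.kind:12} {f.item}")
```

On a live machine the raw view would come from an offline boot or a low-level disk reader rather than the normal file API, which is exactly why the post recommends dedicated anti-rootkit tools: the TDSS driver is the one entry the API view is missing.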
Removing AntiVirus 2009
The easiest way: use an anti-malware (anti-virus and/or anti-spyware) product. If one product doesn’t work, try another. Always run a full system scan, scanning every nook and cranny of the system.
Removing this infection by hand can be very difficult and not for the timid. This threat tends to change very rapidly, changing IP addresses, changing filenames, altering registry keys, and downloading evolving rogue security products. The infection varies across systems. That said, if you want to attempt to remove this by hand, here are the basic steps.
FIRST, you need to remove the rootkit. To remove the rootkit, you will need to use some sort of tool. Because this infection often blocks your Internet connection, it is good to have a second computer handy to download removal tools. There are a variety of anti-rootkit tools available. This is no endorsement of any specific tool or guarantee they will work, but a few include: GMER (http://www.gmer.net/index.php), IceSword (http://www.antirootkit.com/software/IceSword.htm), Rootkit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx). There are others. Refer to each anti-rootkit tool’s documentation on how to use it properly. In general, it is hit and miss and will require you to try and fail before you get it right and remove the rootkit. If this interests you, jump in and have fun. Beware, deleting the wrong files can permanently damage your computer and could result in losing data or having to reinstall the operating system and applications. If you attempt to remove other infection components first, they will be quickly replaced. It is like catching lizards; if you grab the tail, it will pull off and the lizard will grow a new one. So focus your energy on finding and removing the rootkit. For the sample analyzed for this write-up, I needed to delete %WINDOWS%\system32\drivers\TDSS****.sys.
SECOND, after this, I was able to delete a variety of files in the %WINDOWS%\system32 directory. Most of the files had file extensions like dll, dat and log. For example, TDSSncur.dll, TDSScubs.log, and TDSSmtve.dat. Expect these filenames to vary.
THIRD, I was able to remove the rogue security product. This should be easy, if you have properly removed the rootkit and related files.
Preventing Antivirus 2009 (and other infections) from infecting your system
Install a stand-alone firewall or activate the basic firewall included in Windows XP SP2 and Windows Vista.
Practice safe browsing techniques.
Exercise caution when opening email attachments.
Set up “automatic updates” for your operating system.
Keep your anti-malware product up to date.
Be sure the “active protection” feature is enabled on your anti-malware product.
Tips related to Antivirus 2009
Do not pay any money to Antivirus 2009 to “activate” the product. If you pay the $40.00 requested, the threat will not go away, but they will happily take your money and the cycle of extortion will continue.
It is possible you can use System Restore to restore your computer to a previous, uninfected state. To learn more about System Restore, go here.
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…