
TDSS rootkit while running utorrent 2.0.3


rannala


Hi,

There may be a vulnerability in utorrent 2.0.3 that allows the TDSS/TDL3/Alureon rootkit to infect the machine. I have now had three consecutive infections of this rootkit and am getting a little tired of removing them.

Each time I had started utorrent just ~5 minutes earlier, so it's not likely a coincidence. Here's what happens:

1. I start utorrent, everything runs normally.

2. I get a warning from f-secure that a suspicious program is trying to run from windows temp folder.

3. A simultaneous warning indicates that a new program is trying to create a network connection.

4. I deny all and remove the files.

5. Spoolv.exe (printer spooler) connects to a server abroad, notifying that my machine is now a bot.

6. Hard disk driver is replaced with a version hiding the rootkit from most virus scanners.

Earlier versions of this rootkit are known to have used a kademlia vulnerability to spread, so this is not so far-fetched. This may very well be a second, more sophisticated attempt, not necessarily limited to utorrent.

I saw two other recent posts with a similar topic, but they were quickly dismissed with "no no there's no malware in utorrent blah blah". Could someone at utorrent, please, at least take a quick look at the subject. I for one don't have the courage to use utorrent anymore, even though I absolutely love the software :(

Here's an analysis of the rootkit: http://www.f-secure.com/weblog/archives/The_Case_of_TDL3.pdf

Now, if anyone else has managed to get this bugger, here are some tips:

- Most online and local virus/malware scanners can't detect the rootkit, because of the replaced disk driver.

- Hitman pro 3.5.6 sees the malicious driver, but can't do anything about it.

- TDSSKiller from Kaspersky seems to be the only one to actually remove the rootkit. (but who knows if something is left behind)


I'm wondering if it's possible that the uTorrent executable has been infected. Try downloading the file again and comparing a checksum.

If it's clean, then I'm wondering if this is related (I'm still not sold on the whole remote-execute vulnerability, but this hasn't been listed as fixed yet; it's pretty old, though): http://www.securityfocus.com/bid/30653

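The reply above suggests re-downloading the executable and comparing a checksum. As an added example (not code from this thread or from uTorrent), here is a small Python script that streams a file through a hash, compares two binaries, and checks a file against a published digest. The file names and the byte-for-byte contents in `demo()` are constructed for the demonstration; the script uses sha256 rather than md5 for the comparison, since md5 collisions are practical.

```python
"""Check whether an installed executable matches a fresh download (added example)."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large binaries don't need to fit in memory


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (handy for known-answer checks)."""
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: str, algo: str = "sha256") -> str:
    """Stream a file through the chosen hash and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def matches_reference(path: str, expected_hex: str, algo: str = "sha256") -> bool:
    """Compare a file's digest with a published one. compare_digest avoids
    short-circuit timing differences; the published value is normalised first."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def files_identical(installed: str, fresh: str) -> bool:
    """True when two binaries are the same size and hash identically (sha256)."""
    if os.path.getsize(installed) != os.path.getsize(fresh):
        return False
    return file_digest(installed, "sha256") == file_digest(fresh, "sha256")


def demo() -> dict:
    """Constructed scenario: an 'installed' copy, a byte-identical 'fresh download',
    and a copy with a single patched byte standing in for a tampered binary."""
    clean = b"MZ" + bytes(range(256)) * 64          # constructed fake executable content
    tampered = clean[:1000] + b"\x90" + clean[1001:]  # one-byte change (byte 1000 is 0xE6 in clean)
    with tempfile.TemporaryDirectory() as d:
        p_installed = os.path.join(d, "uTorrent.exe")
        p_fresh = os.path.join(d, "uTorrent_fresh.exe")
        p_bad = os.path.join(d, "uTorrent_patched.exe")
        for p, body in ((p_installed, clean), (p_fresh, clean), (p_bad, tampered)):
            with open(p, "wb") as fh:
                fh.write(body)
        ref = digest_bytes(clean)  # stands in for a vendor-published digest
        return {
            "fresh_matches_installed": files_identical(p_installed, p_fresh),
            "patched_matches_installed": files_identical(p_installed, p_bad),
            "installed_matches_reference": matches_reference(p_installed, ref.upper()),
            "patched_matches_reference": matches_reference(p_bad, ref),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A matching hash only shows that the installed file equals what the vendor is serving today; it says nothing about anything else on the disk, which is why the later replies also look at loaded modules.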

It does sound like your theory that uTorrent is causing this is a bit weak. You're probably running tens of other processes (behind the scenes perhaps) right before becoming infected as well.

I would suggest comparing your uTorrent.exe with a clean download.

Also, you might want to see if TDLwsp.dll is injected in uTorrent (or any other process) as well.

I would imagine that the most reliable way to get rid of the rootkit is to wipe the machine, though.

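The reply above suggests checking whether TDLwsp.dll is injected into uTorrent or any other process. As an added example (not code from this thread or from uTorrent), here is a Python script that scans a per-process list of loaded modules for the DLL names the thread mentions and, more generally, for modules loaded from temp directories (the first post reports a program running from the Windows temp folder). The `SAMPLE` snapshot is constructed, not data from the poster's machine; the optional live collector assumes the third-party psutil package.

```python
"""Scan per-process module lists for an injected DLL (added example)."""
from typing import Dict, Iterable, List, Tuple

# DLL names mentioned in the thread; matching is on the basename, case-insensitively,
# because an injected copy may be loaded from any directory.
SUSPECT_DLLS = {"tdlwsp.dll", "tdlcmd.dll"}

# Directories a legitimate module has little reason to be loaded from
# (assumption: Windows-style paths, as on the poster's machine).
SUSPECT_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\temp\\")

ProcessModules = Tuple[int, str, List[str]]  # (pid, process name, module paths)


def find_suspect_modules(procs: Iterable[ProcessModules]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {'by_name': [...], 'by_location': [...]}; each hit is
    (pid, process name, module path)."""
    hits: Dict[str, List[Tuple[int, str, str]]] = {"by_name": [], "by_location": []}
    for pid, pname, modules in procs:
        for mod in modules:
            norm = mod.replace("/", "\\").lower()
            base = norm.rsplit("\\", 1)[-1]
            if base in SUSPECT_DLLS:
                hits["by_name"].append((pid, pname, mod))
            elif any(d in norm for d in SUSPECT_DIRS):
                hits["by_location"].append((pid, pname, mod))
    return hits


def collect_live_modules() -> List[ProcessModules]:
    """Walk live processes with psutil (third-party; not needed for the sample run).
    memory_maps() lists mapped files, which on Windows includes loaded DLLs."""
    import psutil  # imported lazily so the rest of the file runs without it
    out: List[ProcessModules] = []
    for p in psutil.process_iter(["pid", "name"]):
        try:
            paths = [m.path for m in p.memory_maps()]
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            continue  # unreadable processes would be worth listing separately in real tooling
        out.append((p.info["pid"], p.info["name"] or "?", paths))
    return out


SAMPLE: List[ProcessModules] = [  # constructed snapshot, not real data
    (1234, "uTorrent.exe", [r"C:\Program Files\uTorrent\uTorrent.exe",
                            r"C:\Windows\System32\ws2_32.dll",
                            r"C:\Windows\System32\TDLwsp.dll"]),
    (1500, "svchost.exe", [r"C:\Windows\System32\svchost.exe",
                           r"C:\Windows\Temp\abcd.tmp.dll"]),
    (2000, "notepad.exe", [r"C:\Windows\System32\notepad.exe",
                           r"C:\Windows\System32\kernel32.dll"]),
]


if __name__ == "__main__":
    for kind, entries in find_suspect_modules(SAMPLE).items():
        for pid, pname, mod in entries:
            print(f"{kind}: pid {pid} ({pname}) loaded {mod}")
```

A user-mode module listing is only as trustworthy as the kernel underneath it; with a replaced disk driver, as the first post describes, an empty result from a scan like this is not evidence of a clean machine, which is why the thread ends up recommending a dedicated rootkit remover or a reinstall.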

Guys,

I downloaded the exe again from utorrent.com (2.0.3 build 20664). The md5 hash is identical to the one I already have installed, so the exe is not infected.

Also, according to processexplorer, I don't have TDLwsp.dll (or TDLcmd.dll) in any running process.

Additionally, after removing the rootkit with TDSSkiller, my computer was running fine for two weeks, until I started utorrent, when it got infected again. That's obviously no proof, but as this has now happened three times it gives me a valid reason to suspect.

Exceptional claims need exceptional proof, what else should I try?


Yes, I couldn't find any other way to get rid of it. (And I'm still going to do a full reinstall as soon as my new hard drive arrives.)

I did use Hitman pro to detect the kit, though, so I'm running gmer now for the fun of it.
