What Does a TDSS Root Kit Do?
Identification

TDSS first appeared in 2008, and has gone through a number of revisions since to increase its abilities and make it harder to detect. According to Kaspersky Labs, the TDSS root kit infected over 4.5 million PCs in the first three months of 2011 alone, with the number of infections steadily increasing. TDSS is so large it has its own affiliate program, offering payouts to affiliates who find ways to spread the root kit through infected warez programs, files spread through peer-to-peer networks and malicious websites.

Effects

Once infected with the TDSS root kit, the computer becomes part of a botnet under the control of a central set of servers controlled by the authors. This gives the authors a backdoor into the machine, allowing them to install software such as key loggers and other malicious programs. TDSS intercepts Web browser activity, with search queries captured and false results shown, directing users to malicious sites or other sites that pay the authors for the traffic. The root kit also spoofs browsing activity to increase traffic to certain websites or appear as if the user has clicked on an advert, earning money for the authors. In 2010, a standard Microsoft patch conflicted with the root kit, causing constant blue screen crashes and reboots on infected machines, leaving them unusable.

Stealth Techniques

The reason for the huge spread of the TDSS root kit is the use of stealth to avoid detection by antivirus and other security software. As a root kit, TDSS hides components at the end of the hard drive, outside of the normal file system and hidden from applications. All files are encrypted on disk and decrypted on the fly, further helping to avoid detection. TDSS hijacks the Windows system drivers, overwriting parts with its own code so that the file size remains unchanged. The TDL-4 version of the root kit can also infect the computer's master boot record, allowing it to load before the operating system. The root kit alters operating system files so that they do not report any TDSS files or activity, such as open network connections, hiding its existence from security software and the user.

Removing TDSS

Kaspersky Labs has developed a special tool to remove the TDSS root kit from infected systems. This tool is available as a free download from the Kaspersky website. Once you download it, run "TDSSKiller.exe" to scan your hard drive and disinfect it if the root kit is present. The scanner has heuristic scanning capabilities, allowing it to detect similar versions if the authors modify the root kit. The tool identifies files with two levels of certainty: malicious, meaning that it has positively identified the file; and suspicious, which may indicate a modified version of the root kit. You can also run TDSSKiller from the command line, enabling it to run from a script for automatic deployment, if required.
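The stealth techniques described above (components stored past the end of the last partition, outside the file system, and an infected master boot record) can be checked for from outside the running system, where the root kit's hooks do not apply. The following added example (not code from the page, Kaspersky or TDSSKiller) is a defender-side baseline check in Python: it parses the MBR partition table, compares the boot code against a known-good hash, and reports any non-zero sectors in the unallocated tail of the disk. The disk image, boot code and baseline hash are constructed inline for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446   # MBR boot code; the 4 x 16-byte partition table follows it
PART_ENTRY_LEN = 16
# Constructed baseline: stands in for a hash of the real, clean boot code taken at install time.
CLEAN_BOOTCODE = b"\xeb\x3c\x90" + b"\x00" * 443
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()

def parse_partitions(mbr: bytes):
    """Return (lba_start, sector_count) for each non-empty entry in the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = BOOTCODE_LEN + i * PART_ENTRY_LEN
        ptype = mbr[off + 4]                                  # partition type byte
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count:
            parts.append((lba_start, count))
    return parts

def inspect_disk(image: bytes, baseline_sha256: str) -> dict:
    """Report boot code drift from the baseline and non-zero sectors beyond the last partition,
    the region outside the file system where the page says TDSS keeps its hidden store."""
    mbr = image[:SECTOR]
    bootcode_sha256 = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    parts = parse_partitions(mbr)
    last_end = max(start + count for start, count in parts) if parts else 1
    total = len(image) // SECTOR
    tail_nonzero = [lba for lba in range(last_end, total)
                    if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"bootcode_modified": bootcode_sha256 != baseline_sha256,
            "unallocated_sectors": total - last_end,
            "nonzero_tail_sectors": tail_nonzero}

def build_image(bootcode: bytes, part_sectors: int, total_sectors: int, tail_payload: bytes = b"") -> bytes:
    """Constructed test disk: one partition starting at LBA 1, optional data planted in the last sector."""
    image = bytearray(total_sectors * SECTOR)
    image[:len(bootcode)] = bootcode
    struct.pack_into("<B3sB3sII", image, BOOTCODE_LEN, 0x80, b"\0" * 3, 0x07, b"\0" * 3, 1, part_sectors)
    image[510:512] = b"\x55\xaa"
    if tail_payload:                                          # simulate a hidden store past the partition
        last = (total_sectors - 1) * SECTOR
        image[last:last + len(tail_payload)] = tail_payload
    return bytes(image)

if __name__ == "__main__":   # demo on a constructed image with altered boot code and a planted tail
    print(inspect_disk(build_image(b"\xea" + CLEAN_BOOTCODE[1:], 40, 64, b"constructed hidden store"), BASELINE_SHA256))
```

On a real system the image would be read from the raw disk device with the machine booted from clean media, and the baseline hash recorded before any infection; non-zero data in the tail is a prompt for closer inspection, not proof of TDSS on its own.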