Posted by: EricC | July 7, 2010

tssd.exe Infection Rate on the Rise

Over the past week, SecurityCoverage has seen an increase in the number of variants of the tssd.exe infection available in the wild. We are currently seeing multiple new variants each day, and we are releasing preventative measures as each variant is observed. Over the past 72 hours the SecureIT Malware Research team has released 109 custom-made signatures to combat this infection; the bulk of these were released on 7/5 (35) and 7/6 (57). These signatures were created in addition to the approximately 12,200 signatures released as part of our regular release process. This particular file infects a machine after the end user has chosen to “run a scan” or purchase the AV software offered by a rogue AV message, usually seen when visiting a website that is running malicious code. This rogue AV software presents itself under the legitimate-sounding names Antivirus Suite, Defense Center or AV Security Suite. As with any rogue, the end user should never run the “scan” being offered or purchase anything, as this invites the actual tssd.exe infection onto the end user's machine. We have observed that most recently the Defense Center name/format is appearing most frequently. Below is a more in-depth analysis of the presentation this variant gives to customers.

Defense Center is a program that is installed through the use of rogue malware tactics: deceptive warnings and scan results that scare customers into purchasing the program. The trojans that install this malware are typically installed through vulnerabilities in Windows or in the browser the customer is using. These vulnerabilities are exploited through websites that customers visit, so that Defense Center is installed onto their computer without the user's permission or knowledge.

When installed, Defense Center will disable Windows Task Manager and then remain dormant until a certain amount of time has passed. After this waiting period, the customer will start to see alerts appear from the Windows taskbar. When these alerts are clicked on, Defense Center will be downloaded and installed onto the computer automatically. While installing, Defense Center will also attempt to uninstall numerous legitimate anti-virus programs, displaying messages to the customer stating that these programs are infected and that it is trying to remove them. Customers should not allow it to do so.

When Defense Center is started it will scan the computer and state that the computer is infected with numerous infections. These infections are not real, and the files it reports as infected are generally legitimate Microsoft files that Windows needs in order to operate properly. If a customer continues to follow the program's instructions and chooses to remove these files, it will delete them from the machine and render it inoperable. In order to protect itself, Defense Center will also display an alert stating that any program the customer attempts to run is infected (including any legitimate AV products or scanning/removal tools). This is an effective way for the virus to stop the customer from running anything that might remove it from the machine. The text of this alert is:

Warning! Virus threat detected!
Virus activity detected!
Net-Worm.Win32 has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat.

While Defense Center is running it will also display alerts designed to make the customer think that their computer is under attack or infected. The text of these alerts is:

Warning! Adware detected!
Adware module detected on your PC!
Zlob.Porn.Ad adware has been detected. This adware module advertises websites with explicit content. Be advised of such content being possibly illegal. Please click the button below to locate and remove this threat now.

Antivirus Alert – Critical threat detected
Warning
Network attack detected
Network attack has been detected. Process is attempting to access your private data.

Warning! Network attack detected!
Network intrusion detected!
Your computer is be attacked from a remote PC.
Attack from <ip address>:27040
Process is trying to steal your passwords listed below. It is highly recommended to block this threat now.

Danger!
A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click on the message to remove it.

Danger!
A security threat detected on your computer. This malicious program may steal your private data. Click on the message to ensure the protection of your computer.

Danger!
Harmful viruses detected on your computer. Click on the message to scan your computer for security threats for free.

Just like the fake scan results, all of these alerts are false and are just another tactic used to scare the customer into purchasing the program; they should be ignored.

As you can see, this program was created with one purpose: to scare consumers into thinking their computer has a serious security problem so that they will purchase Defense Center. By no means should anyone purchase this program, and if they have, they should contact their credit card company and dispute the charges, stating that the program is fraudulent.

In response to this infection and the numerous variants being seen, the SecureIT Malware Research team is processing samples and researching new variants around the clock. As new items are found we process them and release updates to the SecureIT suite of products within 4-6 hours.

If any customers are contacting you regarding this rogue threat, please have them close all programs on their machine, including their browser, without clicking on the rogue screen itself, and then reboot the PC. This will stop the program from running and prevent the infection from becoming resident on the machine. If they have already clicked on the rogue window, they should be directed to the SecureIT tech support group so that we can assess the level of infection and remove all infected items from the machine.

The following is a list of files associated with this set of infections:

c:\Documents and Settings\All Users\Favorites\_favdata.dat
c:\Program Files\Defense Center
c:\Program Files\Defense Center\about.ico
c:\Program Files\Defense Center\activate.ico
c:\Program Files\Defense Center\buy.ico
c:\Program Files\Defense Center\def.db
c:\Program Files\Defense Center\defcnt.exe
c:\Program Files\Defense Center\defext.dll
c:\Program Files\Defense Center\defhook.dll
c:\Program Files\Defense Center\help.ico
c:\Program Files\Defense Center\scan.ico
c:\Program Files\Defense Center\settings.ico
c:\Program Files\Defense Center\splash.mp3
c:\Program Files\Defense Center\Uninstall.exe
c:\Program Files\Defense Center\update.ico
c:\Program Files\Defense Center\virus.mp3
%UserProfile%\Desktop\Defense Center Support.lnk
%UserProfile%\Desktop\Defense Center.lnk
%UserProfile%\Desktop\nudetube.com.lnk
%UserProfile%\Desktop\pornotube.com.lnk
%UserProfile%\Desktop\spam001.exe
%UserProfile%\Desktop\spam003.exe
%UserProfile%\Desktop\troj000.exe
%UserProfile%\Desktop\youporn.com.lnk
%UserProfile%\Start Menu\Programs\Defense Center
%UserProfile%\Start Menu\Programs\Defense Center\About.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Activate.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Buy.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Defense Center Support.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Defense Center.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Scan.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Settings.lnk
%UserProfile%\Start Menu\Programs\Defense Center\Update.lnk
%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>.exe
%UserProfile%\Local Settings\Application Data\<random>\<random>tssd.exe

The following is a list of related registry entries for this infection:

HKEY_USERS\S-1-5-21-861567501-152049171-1708537768-1003_Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CLASSES_ROOT\secfile
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center
HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Defense Center"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:1041"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
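As an added example (not code from the original post or from SecureIT), the following read-only PowerShell check looks for the file and registry indicators listed above on a suspect machine. It assumes the tssd.exe filename suffix is stable across variants, since the <random> directory and file names cannot be listed literally, and it only reports what it finds.

```powershell
# Added example, not from the original post: a read-only check for the Defense
# Center / tssd.exe indicators listed above. Run from an elevated PowerShell prompt.
$hits = @()

# File indicators. <random> directory names cannot be listed literally, so the
# Local Settings\Application Data tree is searched for *tssd.exe instead
# (assumption: the tssd.exe suffix is stable across variants).
$paths = @(
    "$env:SystemDrive\Documents and Settings\All Users\Favorites\_favdata.dat",
    "$env:ProgramFiles\Defense Center",
    "$env:USERPROFILE\Desktop\Defense Center.lnk",
    "$env:USERPROFILE\Start Menu\Programs\Defense Center"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $hits += "file: $p" }
}
$lad = "$env:USERPROFILE\Local Settings\Application Data"
if (Test-Path -LiteralPath $lad) {
    foreach ($f in Get-ChildItem -LiteralPath $lad -Recurse -Filter '*tssd.exe' -ErrorAction SilentlyContinue) {
        $hits += "file: $($f.FullName)"
    }
}

# Registry keys whose presence alone is an indicator.
$keys = @(
    'HKLM:\SOFTWARE\Defense Center',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center',
    'HKCU:\Software\Classes\secfile', 'Registry::HKEY_CLASSES_ROOT\secfile',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}',
    'HKCU:\Software\avsoft', 'HKCU:\Software\avsuite',
    'HKLM:\SOFTWARE\avsoft', 'HKLM:\SOFTWARE\avsuite'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits += "registry key: $k" }
}

# Registry values the rogue sets; flagged only when they hold the listed value.
$values = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled'; Bad = '0' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'; Bad = '.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'; Bad = 'http=127.0.0.1:1041' }
)
foreach ($v in $values) {
    $cur = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -ne $cur -and "$cur" -eq $v.Bad) { $hits += "registry value: $($v.Key)\$($v.Name) = $cur" }
}
if ($hits.Count -eq 0) { 'No Defense Center / tssd.exe indicators found.' } else { $hits }
```

A hit on the ProxyServer or DisableTaskMgr values with none of the Defense Center files present suggests the rogue has already been partially removed, which is the case the text says should be handed to the SecureIT tech support group.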

