Tidserv’s Boot Methods
- Friday, August 27, 2010, 12:58
- Threat Research
In this blog we continue our analysis of the recently discovered Tidserv variant that is capable of infecting 64-bit Windows operating systems. While we gave a quick overview of the threat yesterday, today we’re going to talk more about how Tidserv installs itself on 32- and 64-bit operating systems.
While Backdoor.Tidserv.L arrives as a 32-bit Windows executable, it checks whether it is running on a 32- or 64-bit version of Windows and chooses an architecture-specific method of installing itself. If it finds that it is running on a 32-bit system, it uses the same method as older Tidserv variants to gain the necessary privileges—by executing itself in the Print Spooler service. Next, it drops a 32-bit version of the malicious kernel driver and loads it into the Windows kernel. Once the driver is loaded, it infects the Master Boot Record (MBR) with a malicious version.
It then stores a copy of the backdoor components and configuration data in a normally unused area at the end of the hard disk. All of the malicious data written to disk by the backdoor is in an encrypted format, except for the first 42 bytes of MBR code. With the malicious MBR in place and backdoor components stored at the end of the hard disk, the backdoor will run every time Windows is started. This may allow for Tidserv to survive if someone