Backdoor Tidserv uses a Google developed platform

Symantec Corporation gives details about the complex threat activity Tidserv, which uses rootkit functionality, so that it is extremely difficult to detect. For the operation of malware essential medium Chromium Embedded Framework, so it is further pumped to the infected computer about 50 MB.

Tidserv (or TDL) - this is a complex threat that disguises itself in the system using rootkit technologies. Being discovered in 2008, it remains active to this day. Distributed across the web version Tidserv worked in its software platform Chromium Embedded Framework (CEF). Although this is not the first time that crackers use legitimate software for their own purposes, in this case for the correct operation of the virus is required to retrieve all components of the environment with total size of 50 MB, which is quite unusual for malware.


Backdoor.Tidserv a component structure that allows it to load new modules and immediately embed them in the OS. In earlier versions of Tidserv serf332 module used for network operations, such as, for example, avtokliki and advertising pop-ups. Their implementation using COM-objects opening pages and on their content. Recently, experts Symantec found that Tidserv start downloading for a new module called cef32. This new module has the same functionality as the serf332, but it also requires a library cef.dll, which is part of CEF. This generally means that the septic system needs to download any components CEF of about 50MB.

During the period from 4 to 21 March the number of downloads CEF has increased considerably, and although experts can not say that this is the result of activity Tidserv, however, if this growth is effectively connected with the attack, you can get an idea of ​​the scale.

CEF provides management features Web-browser to embed it in an application. CEF libraries provide the entire range of functions to the browser, such as parsing HTML-code or parsing and running JavaScript.

Using the software environment enables CEF Tidserv take off most of the implementation of its "browser-based" functional performance and put it on the library CEF. Thus, the modules malware become smaller and expand their functionality is easier. The flip side of the coin was also the need to load the library cef.dll. Download link for the zip-archive with CEF «enclosing" directly into the executable code module, and any change in the source, so that will require updating and the module itself.

Authors Chromium Embedded Framework (CEF) or in any way rely on the use of the product for criminal activities, and are taking and will take all possible steps to prevent such attempts. That's why the site Google Code has been removed by the library used by hackers to create this virus, and explores ways to provide users with only the most sheltered from the execution of such threats.