Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Forum for analysis and discussion about malware.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby cjbi » Sat Aug 28, 2010 3:41 pm

Here's another blog entry from Prevx.
x64 TDL3 rootkit - follow up
cjbi
 
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am
Reputation point: 84

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby PX5 » Sat Aug 28, 2010 3:49 pm

Quick question for EP_X0FF and A_D_13

Do either of your RKScanners work on X64?
Arrogance led me to my Ignorance
PX5
 
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am
Reputation point: 53

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby EP_X0FF » Sat Aug 28, 2010 3:55 pm

MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby IndiGenus » Sat Aug 28, 2010 4:21 pm

EP_X0FF wrote:MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.

I'm sure a_d_13 will have more to add to this than I.... :roll:

In the little bit of testing I've done with Win7 and Vista x64, MBRCheck will not properly detect or remove at this time.

Win7: MBRCheck reports MBR Code Faked!. Attempting to replace did not work.

Vista: Reported Win2008 mbr... :?: But okay.
IndiGenus
 
Posts: 13
Joined: Sun Mar 14, 2010 4:17 pm
Reputation point: 0

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby ConanTheLibrarian » Sat Aug 28, 2010 4:23 pm

Confirmed. MBR.exe, ANTIBOOT.exe, Bootkit Remover, & MBRCheck.exe do not remove it (x86 or x64). MBRCheck is good at detecting it though when others don't.
ConanTheLibrarian
 
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA
Reputation point: 6

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby EP_X0FF » Sat Aug 28, 2010 5:00 pm

Guys I tell you what perfectly and safely removes it :) fixmbr.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby IndiGenus » Sat Aug 28, 2010 5:08 pm

EP_X0FF wrote:Guys I tell you what perfectly and safely removes it :) fixmbr.

Ya that definitely gets it. Only consideration is wiping out access to recovery partitions on OEM machines.
IndiGenus
 
Posts: 13
Joined: Sun Mar 14, 2010 4:17 pm
Reputation point: 0

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby 4everyone » Sat Aug 28, 2010 5:36 pm

Fabian Wosar wrote:
4everyone wrote:Worked for me with Older Versions of TDL3.. Tried with the new mbr thingie, didn't work for me..

Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack. So failure is kind of expected.

Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.


Sorry Fabian. I believe I had done something wrong before. Checked it now, works good.

Thanks
4-every-1
4everyone
 
Posts: 23
Joined: Fri Jul 16, 2010 1:59 am
Reputation point: 5

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby LeastPrivilege » Sat Aug 28, 2010 6:15 pm

This should be a lesson for people who own retail OEM machines that use recovery partitions to back up their MBR and put it away for safekeeping.
LeastPrivilege
 
Posts: 39
Joined: Mon Mar 15, 2010 2:21 pm
Reputation point: 5

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby IndiGenus » Sat Aug 28, 2010 6:27 pm

LeastPrivilege wrote:This should be a lesson for people who own retail OEM machines that use recovery partitions to backup their MBR and put it away for safe keeping.

Tis a good point. Though most "average" PC users would never know to do this. Nor would they know how it's done even if someone told them. Do any of the OEMs such as Dell, HP, etc. provide a tool for doing this? Something that is a simple point-and-click tool?
IndiGenus
 
Posts: 13
Joined: Sun Mar 14, 2010 4:17 pm
Reputation point: 0
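The backup-and-compare idea raised in the last two posts, as an added example that is not a tool from any poster in this thread: it fingerprints the boot-code area of a 512-byte first sector, stores that as a baseline, and later reports whether the code, the 0x55AA signature or the active-partition flags have changed. The sample sector is constructed in memory; on a real machine the same functions would be fed a saved backup or a raw disk opened read-only.

```python
import hashlib

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446  # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510    # the sector ends with the bytes 0x55 0xAA


def read_mbr(stream):
    """Read exactly one 512-byte sector from the start of a file-like object."""
    stream.seek(0)
    data = stream.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("short read: expected %d bytes" % SECTOR_SIZE)
    return data


def mbr_fingerprint(mbr):
    """Hash only the boot code (bytes 0..445). The partition table and
    signature are excluded so that legitimate partition edits do not trip the
    check while any change to the executable code still does."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(mbr, baseline_fingerprint):
    """Return a list of findings; an empty list means the sector is as saved."""
    findings = []
    if mbr[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    active = [i for i in range(4) if mbr[PART_TABLE_OFFSET + 16 * i] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    if mbr_fingerprint(mbr) != baseline_fingerprint:
        findings.append("boot code differs from saved baseline")
    return findings


# Constructed sample (not a real MBR): a JMP opcode stands in for boot code,
# partition entry 0 is marked active and the signature is valid.
CLEAN = bytearray(SECTOR_SIZE)
CLEAN[0] = 0xEB
CLEAN[PART_TABLE_OFFSET] = 0x80
CLEAN[BOOT_SIG_OFFSET:] = b"\x55\xaa"
BASELINE = mbr_fingerprint(bytes(CLEAN))  # what you would store offline

# The same sector with one byte of boot code altered; the hash must differ.
MODIFIED = bytearray(CLEAN)
MODIFIED[100] = 0x90

if __name__ == "__main__":
    print("clean   :", check_mbr(bytes(CLEAN), BASELINE))
    print("modified:", check_mbr(bytes(MODIFIED), BASELINE))
```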
