Rootkit TDL 2 (alias TDSS, Alureon.BK)


Postby EP_X0FF » Sat Mar 20, 2010 2:38 pm

Copy of the famous rootkit, kept for historical purposes. More can be found here: viewtopic.php?f=16&t=630

SHA256: 9cb9d88755dc97275c343d54148a3c77e9e4a47993d77bb96049432440e4cb45
SHA1: e053da98951c66cd2f07bb2d92fdded2ef373e7b
MD5: 0206d052cfd59ef3c7770ca53b8ca43a

https://www.virustotal.com/en/file/9cb9d88755dc97275c343d54148a3c77e9e4a47993d77bb96049432440e4cb45/analysis/
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

TDL2/TDL3 tracking(sources)and other fun stuff.

Postby fatdcuk » Mon Mar 22, 2010 5:50 pm

Probably data shared in private, but I will share my 2 static sources (a 3rd is variable, as it is delivered by exploit on compromised sites).

Excluding rogues that have sold seats on their installs, I have found that the iframe$ bundle downloader has been a habitual offender for either TDL2 or TDL3 or both...

Type 1 (Cracksite/Keygen)

http://keygen.name

All roads lead to Rome with a self-extracting executable (take care, as it has been known to include Virut every so often, along with Hiloti and other friend(s)).
Hosting of the file is not too static, but currently pointing to, for example:
http://get.serdb01.com/keygens/norton_antivirus__trial-keygen.exe

File attached.
http://www.virustotal.com/analisis/9a6d ... 1269278326

Type 2 (driveby)...

Type 3 (P2P land)
Attached is the current bundle downloader floated on Gnutella and other dirty P2P nets appearing near you (zipped folder 2-4.5 MB in size, all the names under the sun, with 2 yellow key executables = bundle downloader).
http://www.virustotal.com/analisis/1a35 ... 1267782429
Lots of goodies in that bundle (very worth tracking ;))
http://joetracker.info/links/20100209082754.exe
http://joetracker.info/links/tb.exe
http://joetracker.info/links/cb.exe
http://joetracker.info/links/hamburgaler.exe
http://joetracker.info/links/20100204103420.exe
http://joetracker.info/links/20100218031245.exe
http://joetracker.info/links/20100228082137.exe


Enjoy!
Ade Gill
Malwarebytes Researcher
fatdcuk
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm
Reputation point: 78

Re: TDL2/TDL3 tracking(sources)and other fun stuff.

Postby Meriadoc » Mon Mar 22, 2010 7:26 pm

Hi Ade,

Yes, a good source. I've been diving into that crack/keygen site for a while, same as the associated links - always a winner.

Thanks for the links and samples :)

Regards
Who controls the past controls the future
Who controls the present controls the past
Meriadoc
Posts: 195
Joined: Sat Mar 13, 2010 7:36 pm
Location: Cymru
Reputation point: 87

Re: TDL2/TDL3 tracking(sources)and other fun stuff.

Postby EP_X0FF » Tue Mar 23, 2010 6:38 am

Hi Ade,

Thanks for sharing.
keygen.name is providing a refined bundle each day, very well ;)
Well, actually all their "cracks" are just the same malware package.

Usually I also pick up everything recent from malc0de, but it's mostly trash and script-kiddie trojans.

Thank you for samples.

Regards.

Rogue(+TDL2) YourProtector

Postby fatdcuk » Fri Apr 02, 2010 5:14 pm

New Paladin AV/Malware Defender family clone.

TDL2 (_VOID) dropper along for the ride.

http://www.virustotal.com/analisis/d814 ... 1270228340

Enjoy :)

Re: Rogue(+TDL2) YourProtector

Postby EP_X0FF » Fri Apr 02, 2010 5:27 pm

Excellent Ade! :D

Extracted URLs from the TDL2 mini loader:

hxxp://findernos.org/up3/setup;
hxxp://www.increafind.org/up3/setup;
hxxp://www.zealandsecurity.com/up3/setup;
hxxp://findernos.org/up3/install01;
hxxp://www.increafind.org/up3/install01;
hxxp://www.zealandsecurity.com/up3/install01;

Re: Rogue(+TDL2) YourProtector

Postby STRELiTZIA » Sat Apr 03, 2010 6:38 am

Loader strings:

UNICODE "TMP"
UNICODE "%s%s%d.tmp"
ASCII "_VOID"
UNICODE "%s%S%x.tmp"
UNICODE "\license.dat"
ASCII "94804860143697233939975370329435970097710202"
UNICODE "Azerbaijan"
UNICODE "Belarus"
UNICODE "Kazakhstan"
UNICODE "Kyrgyzstan"
UNICODE "Russia"
UNICODE "Uzbekistan"
UNICODE "Ukraine"
UNICODE "Czech Republic"
UNICODE "Poland"
UNICODE "Algeria"
UNICODE ".exe"
ASCII "ERROR . LOADER : %s nothing was executed ."
UNICODE "\AE0DD401-4FE0-4b74-8F0B-5C2CEBD36952"
UNICODE ".exe"
UNICODE ".manifest"
ASCII "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0""><ms_asmv2:trustInfo xmlns:ms_asmv2=""urn:schemas-microsoft-com:asm.v2""><ms_asmv2:security><ms_asmv"...
ASCII "Printers\Connections"
ASCII "affid"
ASCII "subid"
ASCII "%[^;];%[^;];"
ASCII "software\_VOID"
ASCII "subid"
ASCII "%[^;];%[^;];"
UNICODE "\knowndlls\dll.dll"
UNICODE "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\D9A2BC6E-912D-451a-B433-1D6EE914F861"
ASCII "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\knowndlls\msvcrt.dll"
ASCII "fgetc"
ASCII "ntdll.dll"
UNICODE "spooler"
ASCII ".srt"
ASCII "IsWow64Process"
ASCII "kernel32"
ASCII "2831689418-1935655697-1177238915-725345543"
ASCII "%u-%s"
ASCII "urlmon.dll"
ASCII "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
ASCII "ObtainUserAgentString"


URL:
hxxp://securityattendance.com/page/setup


Attached: unpacked disassembly listing (loader.txt).
STRELiTZIA
Posts: 103
Joined: Sun Mar 14, 2010 7:02 am
Reputation point: 82
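Added example, not from the post or from any vendor tool: a small Python triage pass over a strings dump in the UNICODE "..." / ASCII "..." layout STRELiTZIA posted, run on a constructed excerpt of those lines. The bucketing heuristics (a run of country names as a possible locale check, registry-looking paths, printf/scanf templates, GUID-like object names, known export and module names) are my own assumptions for sorting a dump quickly, not anything the loader is documented to do; the country list is copied from the post.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt of the loader strings dump from the post above, in the
# same 'UNICODE "..."' / 'ASCII "..."' line format. Truncated lines (the
# manifest) are left out.
STRINGS_DUMP = r'''
UNICODE "TMP"
UNICODE "%s%s%d.tmp"
ASCII "_VOID"
UNICODE "\license.dat"
UNICODE "Azerbaijan"
UNICODE "Belarus"
UNICODE "Kazakhstan"
UNICODE "Russia"
UNICODE "Ukraine"
UNICODE ".exe"
ASCII "ERROR . LOADER : %s nothing was executed ."
UNICODE "\AE0DD401-4FE0-4b74-8F0B-5C2CEBD36952"
ASCII "affid"
ASCII "subid"
ASCII "%[^;];%[^;];"
ASCII "software\_VOID"
UNICODE "\knowndlls\msvcrt.dll"
ASCII "IsWow64Process"
ASCII "kernel32"
ASCII "urlmon.dll"
ASCII "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
ASCII "ObtainUserAgentString"
'''

LINE_RE = re.compile(r'^(UNICODE|ASCII)\s+"(.*)"$')
GUID_RE = re.compile(r'[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}')
FORMAT_RE = re.compile(r'%[sSdxu\[]')

# Country names exactly as they appear in the post's dump (assumption: a run
# of these in a small loader is worth flagging as a possible locale check).
COUNTRY_NAMES = {
    "Azerbaijan", "Belarus", "Kazakhstan", "Kyrgyzstan", "Russia",
    "Uzbekistan", "Ukraine", "Czech Republic", "Poland", "Algeria",
}
# Well-known Win32 exports / modules seen in the dump; extend as needed.
KNOWN_APIS = {"IsWow64Process", "ObtainUserAgentString", "fgetc"}
KNOWN_MODULES = {"kernel32", "ntdll"}


def parse_strings_dump(text: str) -> List[Tuple[str, str]]:
    """Return (encoding, value) pairs for every well-formed dump line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(value: str) -> str:
    """Bucket one string with ordered heuristics (first match wins)."""
    if value in COUNTRY_NAMES:
        return "country_name"
    if GUID_RE.search(value):
        return "guid_like"          # mutex / event / named-object style names
    if value.lower().startswith("mozilla/"):
        return "user_agent"
    if FORMAT_RE.search(value):
        return "format_string"      # printf/scanf templates, e.g. the affid;subid parser
    if value.lower().startswith("software\\") or value.upper().startswith("HKEY_"):
        return "registry_path"
    if value.startswith("\\"):
        return "file_path"          # object-manager or file-system paths
    if value in KNOWN_APIS or value.lower() in KNOWN_MODULES or value.lower().endswith(".dll"):
        return "api_or_module"
    return "other"


def triage(text: str) -> Dict[str, List[str]]:
    """Group all strings in a dump by classify() bucket, keeping dump order."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for _encoding, value in parse_strings_dump(text):
        buckets[classify(value)].append(value)
    return dict(buckets)


def geofence_suspected(buckets: Dict[str, List[str]], threshold: int = 3) -> bool:
    """Heuristic: several country names in one loader suggests a locale check."""
    return len(buckets.get("country_name", [])) >= threshold


if __name__ == "__main__":
    result = triage(STRINGS_DUMP)
    for bucket, values in result.items():
        print(f"{bucket:14s} {len(values):2d}  {values}")
    print("possible locale check:", geofence_suspected(result))
```

The buckets are only a first sort for the analyst; the order of the checks matters (the GUID test runs before the path test because the object name in the dump also starts with a backslash), and anything that lands in "other" still deserves a look in the disassembly.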

Re: Rogue(+TDL2) YourProtector

Postby EP_X0FF » Sat Apr 03, 2010 6:43 am

Does anybody have a payload from this URL? The server seems to be down.

Re: Rogue(+TDL2) YourProtector

Postby STRELiTZIA » Sat Apr 03, 2010 6:50 am

EP_X0FF wrote: Does anybody have a payload from this URL? The server seems to be down.

It's the same for me.

Re: Rogue(+TDL2) YourProtector

Postby Meriadoc » Fri Apr 09, 2010 9:41 am

Is it YourProtector or Your Protection?

I helped someone nail the rootkit and then got them to clean up with mbam. Apparently it stops the user from having an internet they can use and from installing new software.

edit: I can see from the attachment it is Your Protection :)

I got them to send me the log:

Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org

Database version: 3960

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

06/04/2010 18:04:53
mbam-log-2010-04-06 (18-04-53).txt

Scan type: Quick scan
Objects scanned: 129614
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\_VOIDdvpfdtqcsw (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\about.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\activate.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\buy.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\help.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\scan.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\settings.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\splash.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\update.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\virus.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDuuforstvir.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDeaqcxspnmy.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\_VOIDbfc9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
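Added example, not part of the thread and not Malwarebytes' own tooling: a Python parser for the mbam log layout shown above, run on a constructed excerpt of the lines in this post (the declared counts in the excerpt were written to match its items). Beyond tallying detections per family, it cross-checks the declared per-section counts against the items actually listed, which catches a truncated or edited log, and lists "Delete on reboot" entries, which are only scheduled for removal and are the items to re-check after the restart.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt of an mbam log in the layout shown in the post above.
# The declared counts were written to match the items listed here.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3960

Scan type: Quick scan
Objects scanned: 129614

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\_VOIDdvpfdtqcsw (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary block
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # section header
ITEM_RE = re.compile(r"^(.+?) \(([A-Za-z][\w.]*)\) -> (.+)$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Return (declared counts per section, one record per listed item)."""
    declared: Dict[str, int] = {}
    records: List[Dict[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                      # unrecognised line inside a section
        item, family, rest = m.groups()
        parts = rest.split(" -> ")        # data items carry "Bad: (...) Good: (...)" first
        records.append({
            "section": section,
            "item": item,
            "family": family,
            "details": " -> ".join(parts[:-1]),
            "action": parts[-1].rstrip("."),
        })
    return declared, records


def count_by_family(records: List[Dict[str, str]]) -> Counter:
    return Counter(r["family"] for r in records)


def count_by_class(records: List[Dict[str, str]]) -> Counter:
    """Collapse 'Rootkit.TDSS' etc. to the leading class name."""
    return Counter(r["family"].split(".")[0] for r in records)


def pending_reboot(records: List[Dict[str, str]]) -> List[str]:
    """Items only scheduled for removal; still present until the restart."""
    return [r["item"] for r in records if r["action"].lower().startswith("delete on reboot")]


def count_mismatches(declared: Dict[str, int], records: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the items actually listed."""
    actual = Counter(r["section"] for r in records)
    return {sec: (n, actual.get(sec, 0)) for sec, n in declared.items() if actual.get(sec, 0) != n}


if __name__ == "__main__":
    declared, records = parse_mbam_log(SAMPLE_LOG)
    print("by family:", dict(count_by_family(records)))
    print("by class: ", dict(count_by_class(records)))
    print("re-check after reboot:", pending_reboot(records))
    print("count mismatches:", count_mismatches(declared, records))
```

Feed it a real log file instead of SAMPLE_LOG via `parse_mbam_log(open(path).read())`; a non-empty result from `count_mismatches` means the log you were sent is not the whole log, and a non-empty `pending_reboot` means a second scan after restart is needed before calling the machine clean.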
