Rootkit TDL 3 (alias TDSS, Alureon.CT, Olmarik)

Postby EP_X0FF » Fri Mar 12, 2010 3:05 am

Please read this post before you start posting in this thread.

This is the thread about the TDL3 infection, a continuation of the Sysinternals thread.

There is another dedicated thread about the current TDL rootkit.

TDL series common information

First topics with a TDSS description:

The TDL series was first discovered ITW in the middle of 2008. It was first mentioned in one of my articles at rootkit.com,
Rootkit Unhooker v3.8 It's Past, Present and Future of the NTx86 Rootkit Detection,
as one of the most dangerous rootkits available at that time.

TDL 1 (analysis by A_D_13)
Interesting new malware
Used dirty tricks (an FSD filter) to bypass raw-mode access to hard disks, especially by anti-rootkits.

TDL 2/2+ (analysis by A_D_13)
Interesting new malware, part 2
Introduced new aggressive self-protection, based on filtering IofCompleteRequest and IofCallDriver by a whitelist of
drivers allowed access (the rootkit was looking at the call stack).

Currently has numerous copy-paste clones:

_VOID
H8SRT
PRAGMA
4DW4R3 (aka BackDoor Triplex)

More info about the 2nd generation of this rootkit:
TDSS analysis by eSage lab - RU
Case study: the TDSS rootkit - EN

TDL 3 (First appearance)
Rootkit TDL3 (TDL Reloaded)
Switched to virus-like behavior: hooking of the miniport disk driver.

TDL 3 (analysis by t4L)
TDL3 - Why so serious? Let's put a smile on that face .. (dead link, use the attachment)

TDL 3/3+ (analysis by Dr.Web)
Russian PDF
English PDF
This article also mentions an updated TDL3 version, which switched from IRP handler hooking to using a special device object.

Note: all other papers from antivirus companies are mostly copy-paste of those posted above.

TDL 3/3+ (analysis by ESET)
http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf
Covers the latest available 3.27+ version ("random" driver infector), the TDL file system structure and encryption.

TDL Family (analysis from Kaspersky Lab)
Russian http://www.securelist.com/ru/analysis/208050642/TDSS
English http://www.securelist.com/en/analysis/204792131/TDSS
Interesting info about the commercial part of all this story; affid and others are covered :).

TDL3 story from F-Secure
http://www.f-secure.com/weblog/archives/The_Case_of_TDL3.pdf

TDL4, Alureon: The First In The Wild 64-Bit Windows Rootkit
http://www.virusbtn.com/pdf/conference_slides/2010/Johnson-VB2010.pdf

In the middle of February 2010 this rootkit was revealed to a significant number of its victims.
After applying the MS10-015 patch, due to restrictions of the TDL3 rootkit (several hardcoded values), machines with this rootkit installed became
unbootable (an infinite loop of Blue Screens).

TDL 3 had 2 ITW-detected variants.

1. Main front-end rootkit with a huge botnet (user mode payload - tdlcmd.dll, the TDL C&C library).
Contains two generations and about ~30 actual subversions; at the moment this topic was started, the latest available was v3.273 (3rd update of the 27 version).

2. z00clicker.dll variant, based on the first TDL3 generation (z00clicker.dll is the user mode payload C&C library).
Contains two generations, including a debug beta version (creates debug.txt while running).

The TDL team is playing a cat-and-mouse game with AV companies, breaking detection by their special tools.

3.24 locked the infected file on disk
3.25 fixed the MS10-015 Blue Screen of Death
3.26 removed file locking
3.27 bypassed SPTI-based detectors (TDSSRemover version 1.6, the previous HitmanPro version)
3.271 bypassed the bithack used by Kaspersky Lab in their TDSSKiller
3.272 added code integrity checking, not allowing the use of bithacks
3.273 bypassed several detectors again (improved I/O filtering)
3.273 April 2010 edition: changed infection scheme, resulting in bypassing most public removers/detectors
4.0x August 2010 edition: TDL evolves to x64 (switched to bootkit techniques)

The user mode component of this rootkit can be updated, and usually it updates independently from the rootkit itself.
tdlcmd.dll contains configuration information (server list) and handy routines to control the behavior of the rootkit.
The rootkit can download additional files and store them inside its own encrypted file system.
However, the infection itself can't be updated in the current version of this rootkit.

TDL3/4 detectors & removers available for download
(+) latest TDL version removal supported

Please note that none of these tools gives a guarantee of successful removal.

TDL3 affid (affiliate id) description

  • 20106 - rootkit installed with the help of fake codecs
  • 10438 - rootkit installed with the help of cracks / keygens
  • 11418 - rootkit installed with the help of cracks / keygens (keygen.name as an example)
  • 20273 - rootkit installed through exploits

Thread posting rules

    1. TDL samples must be archived and password-protected. The password can be "infected" or "malware".
    All other samples can be deleted by the administration without notice.

    2. Please avoid posting links to fresh TDL sites, to keep them alive for harvesting.

    3. Please do not post identical samples or links to out-dated information about TDL3.

    4. Please stay on topic (off-topic posts can be deleted without any notice).


Note: unauthorized users can't download or see attachments.

Your contribution to reversing and harvesting this rootkit is highly welcome.
Thanks :)

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby ConanTheLibrarian » Mon Mar 15, 2010 1:38 am

When the tools become obsolete because of a brand-new update to TDL3, I fall back on manually taking atapi.sys offline by using the same file, renamed, and changing registry keys to load it instead. This has always worked for me, and with 1 reboot I am able to take the infection "offline" and replace the infected atapi while in Windows. Then I just reverse the process with the registry keys and reboot again to load the clean atapi.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby gjf » Mon Mar 15, 2010 10:46 am

Actually you don't even need to store the original atapi.sys, because it is almost identical for all SPs of Windows (but possibly different between XP, Vista and Seven). I had an infection yesterday (quite stupid: just testing the new Tdss.ayec). Looks like that version doesn't love my system (SPTD conflict???), so it dropped to a BSOD during booting. Safe Mode worked only one time, with hangs on all the following attempts.

So what I did: simply boot using ERD Commander and restore the original atapi using System File Restore. It cured everything. Surely the encrypted partition still persists on the HDD, but nobody cares :)
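An added example, not code from this thread or from any of the tools it lists: a Python script implementing the check behind the two previous posts (ConanTheLibrarian's manual replacement of atapi.sys and gjf's restore from ERD Commander). It locates the atapi.sys that loads at boot and the spare copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386, hashes them, and reports whether the live copy differs from the references. The directory layout and the driver bytes built in run_demo are constructed assumptions for the demonstration. Since TDL3 filters disk I/O on the running system (the reason the first post mentions SPTI-based detectors), the script uses plain file reads and is only trustworthy when run against a Windows directory mounted from a rescue environment.

```python
"""Offline consistency check of a Windows boot driver (atapi.sys) against the
spare copies Windows keeps. Constructed example for this thread, not a tool
posted in it. Point it at a Windows directory mounted from a rescue boot
(ERD Commander / WinPE); on a live infected machine the rootkit filters disk
I/O and the infected copy can read back as clean."""
import hashlib
import tempfile
from pathlib import Path

DRIVER_NAME = "atapi.sys"

# Locations of a boot-start driver relative to the Windows directory (assumed
# XP layout). LIVE is the copy that actually loads; the rest are references
# (Windows File Protection cache, service pack installer files).
LIVE = Path("system32") / "drivers"
REFERENCES = (Path("system32") / "dllcache", Path("ServicePackFiles") / "i386")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """Cheap sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(dos[0x3C:0x40], "little"))
        return f.read(4) == b"PE\x00\x00"


def collect_copies(windows_dir: Path, name: str = DRIVER_NAME) -> dict:
    """Map each location holding a copy of the driver to (sha256, size, is_pe)."""
    copies = {}
    for rel in (LIVE, *REFERENCES):
        p = Path(windows_dir) / rel / name
        if p.is_file():
            copies[str(rel)] = (sha256_of(p), p.stat().st_size, looks_like_pe(p))
    return copies


def assess(copies: dict) -> tuple:
    """Return (verdict, detail). Verdicts: 'missing' (no live copy),
    'no-reference' (nothing to compare against), 'mismatch' (live copy differs
    from at least one reference, which detail lists), 'clean' (all hashes agree)."""
    live = copies.get(str(LIVE))
    if live is None:
        return "missing", {}
    refs = {k: v for k, v in copies.items() if k != str(LIVE)}
    if not refs:
        return "no-reference", {str(LIVE): live}
    differing = {k: v for k, v in refs.items() if v[0] != live[0]}
    if differing:
        # Size is reported as well: an in-place overwrite keeps the size
        # unchanged, so only the hash comparison is conclusive.
        return "mismatch", {str(LIVE): live, **differing}
    return "clean", {str(LIVE): live}


def make_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a driver image: valid MZ/PE signatures only."""
    dos = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    return dos + b"PE\x00\x00" + body


def run_demo(infected: bool = True) -> tuple:
    """Build a throwaway Windows-like tree with constructed driver files and
    assess it. With infected=True the live copy has the same size as the
    references but different bytes, mimicking an in-place overwrite."""
    clean = make_fake_pe(b"clean atapi.sys body " * 8)
    tampered = make_fake_pe(b"clean atapi.sys body " * 7 + b"TDL3 loader stub     ")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (LIVE, *REFERENCES):
            (root / rel).mkdir(parents=True)
        (root / LIVE / DRIVER_NAME).write_bytes(tampered if infected else clean)
        for rel in REFERENCES:
            (root / rel / DRIVER_NAME).write_bytes(clean)
        return assess(collect_copies(root))


if __name__ == "__main__":
    verdict, detail = run_demo(infected=True)
    print(verdict)
    for loc, (digest, size, pe) in detail.items():
        print(f"  {loc}: size={size} pe={pe} sha256={digest[:16]}...")
```

For a real disk, call collect_copies on the mounted Windows directory instead of run_demo; a "mismatch" verdict tells you which reference copy to restore from, exactly what gjf's System File Restore step does, and "no-reference" means you need a clean atapi.sys from an identical Windows version, as ConanTheLibrarian's renamed-copy method assumes.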

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby EP_X0FF » Mon Mar 15, 2010 5:16 pm

Surely crypted partition still persists on HDD but nobody cares

Yes :) This is not harmful for system.

Indeed, sometimes TDL3 does not work well after the infection stage. A reboot leads to nowhere: blue screens, blue screens, etc.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby markusg » Mon Mar 15, 2010 5:39 pm

Other TDSS remover:
Norman TDSS Cleaner.
http://download.norman.no/public/Norman ... leaner.exe

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby EP_X0FF » Mon Mar 15, 2010 5:43 pm

Hi,

Thanks for mentioning the Norman tool. I didn't include it in the list, because I was unsure about its usefulness.
Is it capable of removal or detection of the last TDL3 version?

Regards.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby markusg » Mon Mar 15, 2010 5:53 pm

I tried it last time in February.
On some PCs it makes problems, but it works better than at the beginning. :-)
Lars Haukli, the author, fixes problems very quickly.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby EP_X0FF » Mon Mar 15, 2010 5:56 pm

Ok, thanks again. I'm updating first post to include Norman tool.
Perhaps somebody will test it against last TDL3 and post results :)

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby markusg » Mon Mar 15, 2010 6:34 pm

Hmm, I wanted to test, but after downloading I get "your version is outdated". I'll ask Lars and will post the answer.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Postby LeastPrivilege » Mon Mar 15, 2010 7:14 pm

Surely crypted partition still persists on HDD but nobody cares

Does anyone know if the encrypted partition causes any problems down the road after the infection is removed? What I mean is, a new reinfection later on, since the partition is still there. I haven't seen any evidence of this so far.