Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Wed Jun 08, 2011 4:46 pm

Two days ago ESET (TDSS and hacking the hackers) published a tool called TdlFsReader.exe; the tool contains signed drivers which allow dumping TDL's files...
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Jun 08, 2011 5:03 pm

A little bit (just little - two years) too late. So this reader is just another attempt to do some PR on that rootkit.
Ring0 - the source of inspiration
markusg
Posts: 735
Joined: Mon Mar 15, 2010 2:53 pm

Thu Jun 09, 2011 3:33 pm

EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Jun 09, 2011 3:47 pm

[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=515967899
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175
The same as the few previous ones.
dphrag
Posts: 11
Joined: Sat Aug 14, 2010 10:26 pm

Fri Jun 10, 2011 4:39 pm

Has anyone tested those latest samples on x64 VMs?
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Fri Jun 17, 2011 2:32 am

Some fresh TDL4 for collection
[main]
version=0.03
aid=30198
sid=0
builddate=351
rnd=220523388
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175
Unpacked dropper also attached.

original http://www.virustotal.com/file-scan/rep ... 1308277187
unpacked http://www.virustotal.com/file-scan/rep ... 1308276205
gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Wed Jun 29, 2011 9:15 am

VirusInfo / Defendium / SafeZone Helpers Crew
EP_X0FF
Global Moderator
Posts: 4889
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Fri Jul 01, 2011 3:03 am

Attached recent TDL4 dropper with updated cmd.dll
[main]
version=0.03
aid=40787
sid=0
builddate=351
installdate=1.7.2011 2:26:34
rnd=2709195991
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://4tag16ag100.com/;hxxps://zna61udha01.com/;hxxps://dg6a51ja813.com/;hxxps://7gaur15eb71.com/;hxxps://ka18i7gah10.com/
wsrv=hxxp://bangl24nj14.com/;hxxp://lkeopee32.com/;hxxp://63.223.106.16/;hxxp://63.223.106.17/;hxxp://iau71nag001.com/;hxxp://baj19kall10.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.24
All in the attachment.
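Added example, not code from the thread or from any of the posters: a small parser for the cfg.ini layout dumped in the posts above ([main]/[inject]/[cmd] sections, ';'-separated srv/wsrv/psrv lists written with the defanged hxxp scheme), used to diff the C2 host set between two config versions so a blocklist can be kept current as droppers get updated. The two sample configs are constructed with placeholder hostnames and are not the real indicators from the thread.

```python
import re

# Constructed samples mirroring the cfg.ini layout posted in this thread;
# hostnames are placeholders, not real indicators.
CFG_OLD = """[main]
aid=30041
[cmd]
srv=hxxps://c2-a.example/;hxxps://c2-b.example/
wsrv=hxxp://w-a.example/;hxxp://192.0.2.10/
psrv=hxxp://p-a.example/
version=0.175
"""
CFG_NEW = """[main]
aid=40787
[cmd]
srv=hxxps://c2-b.example/;hxxps://c2-c.example/
wsrv=hxxp://w-a.example/;hxxp://192.0.2.11/
psrv=hxxp://p-b.example/
version=0.24
"""

def parse_cfg(text):
    """INI-like parse into {section: {key: value}}; 'version' appears
    in both [main] and [cmd], so keys are scoped per section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

# Defanged scheme (hxxp/hxxps) exactly as the posters wrote it; keep only the host.
HOST_RE = re.compile(r"^hxxps?://([^/]+)/?$", re.IGNORECASE)

def c2_hosts(text):
    """All hosts from the ';'-separated srv/wsrv/psrv lists, grouped by role."""
    cmd = parse_cfg(text).get("cmd", {})
    return {role: {m.group(1).lower()
                   for item in cmd.get(role, "").split(";")
                   if (m := HOST_RE.match(item.strip()))}
            for role in ("srv", "wsrv", "psrv")}

def diff_c2(old_text, new_text):
    """Hosts added and dropped between two config versions (blocklist upkeep)."""
    old = set().union(*c2_hosts(old_text).values())
    new = set().union(*c2_hosts(new_text).values())
    return {"added": sorted(new - old), "removed": sorted(old - new)}
```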
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Sat Jul 02, 2011 10:33 am

Another article about TDL4 research: http://danuxx.blogspot.com/2011/03/tdss ... art-1.html
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Sat Jul 02, 2011 1:41 pm

Matrosov wrote on Twitter that ESET updated its info about the TDL botnet - http://www.eset.com/us/resources/white- ... of_TDL.pdf
=)