Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by EP_X0FF » Sat Jul 02, 2011 2:06 pm

rkhunter wrote: Matrosov wrote on Twitter that ESET updated its info about the TDL botnet - http://www.eset.com/us/resources/white- ... of_TDL.pdf
=)
Nice read with good graphics; however, it seems to be slightly outdated (May 2011).
First post updated to include a link to this article.
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by rkhunter » Sat Jul 02, 2011 5:55 pm

To EP_XOFF:
Outdated? As I saw, this new information about the features of the TDL botnet was taken from David Harley's blog, dated 1 July.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by EP_X0FF » Sat Jul 02, 2011 5:57 pm

This PDF does not cover the MS patch bypass. Or is this mentioned somewhere?
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by rkhunter » Sat Jul 02, 2011 6:08 pm

To EP_XOFF:
Do you mean the patch concerning the export table of kdcom (see chapter 5.3)? But I meant the article's coverage of the P2P network usage and kad.dll.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by EP_X0FF » Sat Jul 02, 2011 6:12 pm

I mean the changes they made in the rootkit component and dropper to neutralize KB2506014:
0000C428 result patch, new kdcom.dll export directory size lookup, and a miniport disk driver hook update to bypass some TDL4 scanners.
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by rkhunter » Sat Jul 02, 2011 6:15 pm

5.3 The Windows OS Loader patch (KB2506014)

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by EP_X0FF » Sat Jul 02, 2011 6:21 pm

Section 5.3 is the only description of what this KB did.
Current TDL4 successfully neutralized this patch by implementing the stuff I described in my previous post. This was done at the end of April.
There is a Prevx article somewhere with more detailed info, but I lost the link :)

Likely this ESET article was written in the middle of April, so it can't cover the recent changes; that's why I called it "slightly outdated".
Ring0 - the source of inspiration

rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by rkhunter » Sat Jul 02, 2011 6:25 pm

Probably you mean this article from Prevx from 1st May: http://www.prevx.com/blog/172/TDL-rootk ... efore.html =)

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by EP_X0FF » Sat Jul 02, 2011 6:26 pm

Yes, this one.

Discussed for the first time here, btw:

http://www.kernelmode.info/forum/viewto ... 6097#p6097
Ring0 - the source of inspiration

Kobayashi
Posts: 3
Joined: Fri May 27, 2011 3:29 pm

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by Kobayashi » Sun Jul 03, 2011 3:36 pm

I am not sure if this one is already on this forum.

If so, you can delete this post.

password "infected"
