A forum for reverse engineering, OS internals and malware analysis 

 #2705  by SecConnex
 Wed Sep 08, 2010 7:19 pm
Thanks for confirming, fatdcuk...

I can confirm the user I am helping has not had a history of the TDL infection.

Although the TDL infection may institute a router exploit, the malware is probably being downloaded and executed via TDL3.

I would doubt that TDL authors would make their information so open, like these IP addresses show it...

Take a look there at one example IP address on its range: -

I am getting ready to PM MysteryFCM to have that added to hpHosts, since we have confirmed the addresses to be rogue DNS servers.
 #2706  by Crush
 Wed Sep 08, 2010 7:57 pm
Anyone know if this is just limited to home users or are the TDL morons really getting brave and going after corporate routers?
 #2707  by SecConnex
 Wed Sep 08, 2010 8:03 pm
Any router is infected.

No computer is 100% safe from malware threats, not even corporate networked computers. Actually, some corporations have a lot of trouble with malware, which is why enterprise selling of antivirus products is so at-large.
 #2713  by InsaneKaos
 Thu Sep 09, 2010 1:54 pm
Maybe it's possible that TDL is sometimes hosting other malware under its stealth. For example: there is a malware author who has written some crap that changes the DNS of the router, and he is willing to pay for the stealth ability of TDL. So the botmaster of a botnet adds this DNS changer to the TDL hidden filesystem and runs it from there. That could be a reason why sometimes there are TDL infections with DNS-changing ability and sometimes not.
 #2746  by InsaneKaos
 Mon Sep 13, 2010 1:38 pm
Looks like tdlcmd.dll has a new version:
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
installdate=13.9.2010 13:17:1
builddate=13.9.2010 13:1:3
Dropper is unknown to any AVs

VT Dropper = http://www.virustotal.com/file-scan/rep ... 1284383726
VT tdlcmd.dll = http://www.virustotal.com/file-scan/rep ... 1284383917
 #2755  by LeastPrivilege
 Wed Sep 15, 2010 4:29 pm
1. Installed SAS v4.43.1000

"Updated TDSS Detection/Removal Technology"
"Updated definition (smart) heuristic engine"

2. Ran a scan on a TDL3 infected test box.

"No malicious items detected"

SAS is still blind.