A forum for reverse engineering, OS internals and malware analysis 

 #7053  by freyr
 Mon Jul 04, 2011 5:38 am
Hi, can anyone share socks.dll, r.dll, kad.dll from TDL4?
 #7099  by freyr
 Wed Jul 06, 2011 1:45 pm
Ok guys, if nobody wants to share extended TDL4 plugins, just tell me why, when I start the bot in a VM for a few days, I get nothing new in the hidden drive. Is it possible that the C&C gives plugins only after some long time?
 #7100  by EP_X0FF
 Wed Jul 06, 2011 2:17 pm
You can try with different affiliates. The more you set up, the better. I was running ~30 machines 24/7 when collecting TDL3.
 #7147  by EP_X0FF
 Fri Jul 08, 2011 2:32 pm
Brookit wrote: Any experiences?
Aside from the question of what they put in 10MB, it is working, TDL removed, x64 Windows 7.
 #7161  by EP_X0FF
 Sat Jul 09, 2011 6:39 am
Here is some fresh TDL4.

Archive includes full data dump + decrypted kad.dll collected by one of our crawlers.
[main]
version=0.03
aid=30254
sid=0
builddate=351
installdate=9.7.2011 0:26:0
rnd=2049760794
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.11
tdlcmd i386 is v0.24.
Attachments
pass: malware
 #7164  by Eric_71
 Sat Jul 09, 2011 1:34 pm
tdlcmd i386 is v0.24.
Since a few minutes ago, v0.25.
[main]
version=0.03
aid=30254
sid=0
builddate=351
installdate=27.6.2011 12:31:7
rnd=2643152403
knt=1310217593
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.25
bsh=8587ea88dc53ae42fb66b80feba706addb479797
dlc_srand=74
delay=7200
[tasks]
Attachments
pass: malware
 #7276  by rough_spear
 Thu Jul 14, 2011 3:17 pm
Hi freyr,
I have some files such as spr.dll and lnk.dat but not socks.dll from TDL4 8-)
cfg.ini
[main]
version=0.03
aid=68
sid=1
builddate=351
installdate=5.7.2011 18:25:59
rnd=1993962763
knt=1310143600
[inject]
*=cmd.dll
* (x64)=cmd64.dll
svchost.exe=spr.dll
[cmd]
srv=https://i0m71gmak01.com/;https://0imh17agcla.com/;https://jna0-0akq8x.com/
wsrv=http://u-a-d-1come.com/;http://z0a-adotcom.com/;http://61zra71kf-a.com/
psrv=http://amazeyapcell.com/;http://8hqka--acom.com/
version=0.1763
bsh=aa7af9760337d794b85c357ca354aa8be42dbd51
delay=3600
spr.dll

MD5 : 02be880e5f7d7dd01531f6cae8112e01
SHA1 : 1a0b55c194cf34772a3846a1b5274fd84629b9f8
SHA256: cb151f40b776fe85761fa6bdcbb509c2f6e557a6c46bb6c2a128bf74c55f856b

virustotal:
http://www.virustotal.com/file-scan/rep ... 1310656130

freyr wrote: Hi, can anyone share socks.dll, r.dll, kad.dll from TDL4?
file name - TDL4.7z
Password - malware

Regards,

rough_spear
Attachments
File name - TDL4.7z
password - malware
Last edited by EP_X0FF on Fri Sep 30, 2011 7:36 am, edited 1 time in total. Reason: code tags added
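Added example (not code from the thread or from any poster): a small Python parser for the cfg.ini dumps quoted in the posts above, plus a key-by-key diff so two dumps can be compared when a new version appears. The two embedded configs are constructed copies of the v0.11 and v0.25 dumps trimmed to a few keys; the "* (x64)" key with a space and the installdate value with colons are the two cases a naive split would mishandle.

```python
# Constructed samples: the v0.11 and v0.25 cfg.ini dumps posted in this thread,
# trimmed to the keys that matter for the comparison.
CFG_V011 = """[main]
installdate=9.7.2011 0:26:0
[inject]
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/
version=0.11
"""
CFG_V025 = """[main]
installdate=27.6.2011 12:31:7
knt=1310217593
[inject]
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/
version=0.25
bsh=8587ea88dc53ae42fb66b80feba706addb479797
[tasks]
"""
def parse_cfg(text):
    """[section] / key=value text -> {section: {key: value}}; empty sections are kept."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            # split on the first '=' only: keys may contain spaces ("* (x64)")
            key, _, value = line.partition("=")
            cfg[section][key.strip()] = value.strip()
    return cfg

def c2_hosts(cfg):
    """Hostnames from the ';'-separated srv/wsrv/psrv URL lists (left defanged)."""
    cmd = cfg.get("cmd", {})
    return {k: [u.split("://", 1)[-1].strip("/") for u in cmd.get(k, "").split(";") if u]
            for k in ("srv", "wsrv", "psrv")}

def diff_cfg(old, new):
    """Keys added, removed or changed between two parsed configs, as (section, key)."""
    out = {"added": [], "removed": [], "changed": []}
    for sec in sorted(set(old) | set(new)):
        o, n = old.get(sec, {}), new.get(sec, {})
        out["added"] += [(sec, k) for k in n if k not in o]
        out["removed"] += [(sec, k) for k in o if k not in n]
        out["changed"] += [(sec, k) for k in o if k in n and o[k] != n[k]]
    return out
```

Running `diff_cfg(parse_cfg(CFG_V011), parse_cfg(CFG_V025))` reports the new bsh and knt keys and the changed version and installdate values; an empty new section such as [tasks] shows up in the parsed dict but carries no keys to diff.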