A forum for reverse engineering, OS internals and malware analysis 

Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

Forum for analysis and discussion about malware.

Re: Rootkit TDL (alias TDSS, Alureon)

 #4265  by frank_boldewin
 Tue Jan 04, 2011 5:11 pm
this crap only works for me, after direct infection with the dropper.
after reboot it crashes everytime.
further after infection kerneldebugging doesn't work any further with windbg if you don't patch the anti-windbg stuff in driver.

Re: TDL Modifications (PRAGMA and others)

 #4280  by EP_X0FF
 Wed Jan 05, 2011 11:08 am
For everyone who interested in fresh re-crypted samples use this

hxxp://clickcalm.org/any5/4XX-direct

put numbers instead XX (starting from 20) and enjoy. Around 20+ megabytes of droppers is ready to download.

there could be different combinations, I'm sure this malware distribution site contains hundreds samples.

Re: TDL Modifications (PRAGMA and others)

 #4307  by Fyyre
 Thu Jan 06, 2011 7:25 pm
EP_X0FF wrote:For everyone who interested in fresh re-crypted samples use this

hxxp://clickcalm.org/any5/4XX-direct

put numbers instead XX (starting from 20) and enjoy. Around 20+ megabytes of droppers is ready to download.

there could be different combinations, I'm sure this malware distribution site contains hundreds samples.
Domain looking offline. Google for inurl:/any5/ -- I guess.

-Fyyre

Re: TDL Modifications (PRAGMA and others)

 #4320  by EP_X0FF
 Fri Jan 07, 2011 9:04 am
Fyyre wrote:
EP_X0FF wrote:For everyone who interested in fresh re-crypted samples use this

hxxp://clickcalm.org/any5/4XX-direct

put numbers instead XX (starting from 20) and enjoy. Around 20+ megabytes of droppers is ready to download.

there could be different combinations, I'm sure this malware distribution site contains hundreds samples.
Domain looking offline. Google for inurl:/any5/ -- I guess.

-Fyyre
Here droppers if you need
Attachments
pass: malware
(1.28 MiB) Downloaded 157 times

Re: Rootkit TDL (alias TDSS, Alureon)

 #4400  by kiskav
 Tue Jan 11, 2011 4:18 pm
EP_X0FF wrote:Yes, it is some sort of new TDL.

The same I/O filtering, now working for hiding infected volsnap.sys modification.
Here is infected driver sample if somebody want to look. To counteract simple removal it constantly reopens handle for infected driver in queued WorkItem.
Hi Ep_Xoff or any,

Can you please post the Direct Installer , which infects Volsnap.sys file ? I tried downloading all the attachment & cant get it. I might do something wrong as well..

Please guide me to the link or direct Dropper infecting Volsnap.sys.

Re: Rootkit TDL (alias TDSS, Alureon)

 #4408  by EP_X0FF
 Wed Jan 12, 2011 9:51 am
kiskav wrote:
EP_X0FF wrote:Yes, it is some sort of new TDL.

The same I/O filtering, now working for hiding infected volsnap.sys modification.
Here is infected driver sample if somebody want to look. To counteract simple removal it constantly reopens handle for infected driver in queued WorkItem.
Hi Ep_Xoff or any,

Can you please post the Direct Installer , which infects Volsnap.sys file ? I tried downloading all the attachment & cant get it. I might do something wrong as well..

Please guide me to the link or direct Dropper infecting Volsnap.sys.
Posted above. All them work. Virtual machines for malware analysis is not always good idea.

Alureon.S

 #4818  by PX5
 Sun Jan 30, 2011 3:24 am
Different version to me. :?

Antivirus Version Last Update Result
AhnLab-V3 2011.01.27.01 2011.01.27 -
AntiVir 7.11.2.31 2011.01.28 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.7 2011.01.28 -
Avast 4.8.1351.0 2011.01.29 Win32:Alureon-PS
Avast5 5.0.677.0 2011.01.29 Win32:Alureon-PS
AVG 10.0.0.1190 2011.01.29 -
BitDefender 7.2 2011.01.29 -
CAT-QuickHeal 11.00 2011.01.29 -
ClamAV 0.96.4.0 2011.01.29 -
Commtouch 5.2.11.5 2011.01.29 -
Comodo 7531 2011.01.29 -
DrWeb 5.0.2.03300 2011.01.29 -
eSafe 7.0.17.0 2011.01.27 -
eTrust-Vet 36.1.8126 2011.01.28 -
F-Prot 4.6.2.117 2011.01.29 -
F-Secure 9.0.16160.0 2011.01.29 Gen:Trojan.Heur.P.bq6@e8zrigo
Fortinet 4.2.254.0 2011.01.29 -
GData 21 2011.01.29 Win32:Alureon-PS
Ikarus T3.1.1.97.0 2011.01.29 Trojan.WinNT.Alureon
Jiangmin 13.0.900 2011.01.29 -
K7AntiVirus 9.78.3680 2011.01.29 -
Kaspersky 7.0.0.125 2011.01.29 Type_Win32
McAfee 5.400.0.1158 2011.01.29 New Win32.g2
McAfee-GW-Edition 2010.1C 2011.01.29 New Win32.g2
Microsoft 1.6502 2011.01.29 Trojan:WinNT/Alureon.S
NOD32 5830 2011.01.29 a variant of Win32/Olmasco.A
Norman 6.06.12 2011.01.29 -
nProtect 2011-01-18.01 2011.01.18 -
Panda 10.0.3.5 2011.01.29 -
PCTools 7.0.3.5 2011.01.27 -
Prevx 3.0 2011.01.29 -
Rising 23.42.04.06 2011.01.28 -
Sophos 4.61.0 2011.01.29 -
SUPERAntiSpyware 4.40.0.1006 2011.01.29 -
Symantec 20101.3.0.103 2011.01.29 -
TheHacker 6.7.0.1.120 2011.01.26 -
TrendMicro 9.120.0.1004 2011.01.29 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.29 -
VBA32 3.12.14.3 2011.01.29 -
VIPRE 8240 2011.01.29 -
ViRobot 2011.1.29.4282 2011.01.29 -
VirusBuster 13.6.171.1 2011.01.29 -
Additional information
Show all
MD5 : c0d49bc8cae26bc7f239538467aecee5
SHA1 : 551a630fde27d86c95ce0098fd6b868ef09ef598
SHA256: 8ea69ecf31abdd360aa2f3a669fa599efb688a896666dbc4eb7f06951a94906d
Attachments
(36.25 KiB) Downloaded 118 times

Re: Alureon.S

 #4820  by EP_X0FF
 Sun Jan 30, 2011 4:04 am
This driver belongs to TDL3 modification, PRAGMA. Inside this driver located two payload dll's.

Posts merged with main thread about TDL mods.

dlls in attach, respectively Alureon.EN and Alureon.EO
Attachments
pass: malware
(13.28 KiB) Downloaded 106 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 15
 Return to “Malware”