[EP_X0FF]

Matrosov wrote in Twitter that ESET update info about TDL botnet - http://www.eset.com/us/resources/white- ... of_TDL.pdf
=)

Nice read with good graphics, however it's seems to be slightly outdated (May 2011).
First post updated to include link to this article.

[rkhunter]

To EP_XOFF:
Outdated? As i saw this new information about features of TDL botnet was taken from blog of David Harley dated at 1 July.

[EP_X0FF]

This PDF does not covers MS patch bypass. Or this is somewhere mentioned?

[rkhunter]

To EP_XOFF:
Do you mean patch about export table of kdcom (look 5.3 chapter)? But I mean article features about P2P network using and kad.dll.

[EP_X0FF]

I mean changes they did in rootkit component and dropper to neutralize KB2506014.
0000C428 result patch, new kdcom.dll export directory size lookup and miniport disk driver hook update for some TDL4 scanners bypass.

[rkhunter]

5.3 The Windows OS Loader patch (KB2506014)

[EP_X0FF]

The section 5.3 is the only description of what this KB did.
Current TDL4 successfully neutralized this patch by implementing stuff I described in previous post. This was made in the end of April.
There somewhere Prevx article with more detailed info, but I lost this link :)

Likely this ESET article was written in the middle of April, so it can't cover recent changes, that's why I called it "slightly outdated".

[rkhunter]

Probably you mean this article from Prevx from 1-st May http://www.prevx.com/blog/172/TDL-rootk ... efore.html =)

[EP_X0FF]

Yes this one.

Discussed first time here btw

http://www.kernelmode.info/forum/viewto ... 6097#p6097

[Kobayashi]

I am not sure if this one is already on this forum.

If so, you can delete this post.

password "infected"