A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2141  by Meriadoc
 Fri Aug 20, 2010 8:08 pm
Some of the long-time tdl hosts seem to have moved on. Someone sent me this, although my VMs are not working after it :( so atm, although it says v3.273, I'm not sure what advancement this has, if any. Various anti-malware sites are blocked, including mbam, sb.
[main]
version=3.273
id=
installdate=
reboots=1
[injector]
*=tdlcmd.dll
Indeed contains fully working x64 loader driver.
Interesting, looking for samples, loading new vms.

edit: nothing new here, this seems to come from a similar sample that EP posted earlier. Modified 3.273 and changed tdlcmd.dll.
Attachments
pass=infected
(105.87 KiB) Downloaded 96 times
Last edited by Meriadoc on Fri Aug 20, 2010 9:01 pm, edited 4 times in total.
 #2142  by a_d_13
 Fri Aug 20, 2010 8:12 pm
LeastPrivilege wrote:
Indeed contains fully working x64 loader driver.
PatchGuard circumvented?
I cannot confirm for sure, as I do not have a dropper, but based on an analysis of dumped files, yes. This rootkit will work, even if PatchGuard is enabled.

Thanks,
--AD
 #2145  by 4everyone
 Fri Aug 20, 2010 10:31 pm
4everyone wrote:
Any clue on how to fix the new variant/version of TDL3? I have noticed a few PCs on which RKU shows "atapi.sys" as "Suspicious Modification" & RKU doesn't find the "Virus alike Modified" file..

RootRepeal Version 2 just shows atapi all over. It doesn't show the Modified entry point. Combofix doesn't have any clue in these pc's.

Bottomline - No clue with all the majestic Tools. :)

As Ex_Off said,
For my above case, the Fixmbr command worked like a charm. After running Fixmbr, Rku & Root repeal report clean (nothing suspicious)... Hope it is..

so the fix is just a "Fixmbr" :?: Looks weird.. :o

Mbrcheck is also detecting the stealth code & displays it as "Fake Mbr Found". I've tried to fix the mbr using the options available in mbrcheck, but was not successful in fixing it.
 #2149  by EP_X0FF
 Sat Aug 21, 2010 4:08 am
PatchGuard actually does what its name says: guarding against modifying SSDT/SSSDT, IDTs, GDTs, using kernel stacks not allocated by the kernel, modifying or patching code contained within the kernel itself or the HAL or NDIS dll. In fact TDL3 is much more PatchGuard friendly than most security software. If the assumptions are correct, TDL can use a bootkit technique to load itself during operating system initialization, so no digital signatures are required at all. This is a conceptual bypass of the built-in security. The more interesting thing here is how it installs on x64.
Last edited by EP_X0FF on Sat Aug 21, 2010 4:19 am, edited 1 time in total. Reason: edit
 #2155  by Meriadoc
 Sat Aug 21, 2010 8:33 am
Gleaned this morning,
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=
affid=
subid=
installdate=21.8.2010 7:55:26
builddate=21.8.2010 5:0:48
rnd=1275210071
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
Just a conjecture but I wonder if we have been seeing a separate development tree (sold?) with tdl3. A few of my sources have moved on from tdl and I've also seen older versions around.
However, new versions continue the intrigue and very much arouse an interest.
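The two config dumps in this thread share one INI-like layout ([main] with version/build metadata, [injector] with the DLL to inject, [tdlcmd] with semicolon-separated server lists). The following is an added example, not code from the thread or from any tool named in it: a small parser that turns the config posted above into structured data, pulls the defanged server lists out as a host list for blocklisting or log searching, and computes the build-to-install gap from the two timestamps. The sample input is the config from the post above embedded verbatim; the function names and the date format assumption ("d.m.Y H:M:S") are mine.

```python
"""Parse a dumped TDL3 config and extract defensive indicators (added example)."""
from datetime import datetime
import re

# Sample input: the config posted above, embedded verbatim (hxxp = defanged).
SAMPLE_CONFIG = """[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=
affid=
subid=
installdate=21.8.2010 7:55:26
builddate=21.8.2010 5:0:48
rnd=1275210071
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
"""

# Accepts both live (http/https) and defanged (hxxp/hxxps) scheme spellings.
_URL_RE = re.compile(r"^(?:h[tx]{2}ps?)://([^/]+)/?$", re.IGNORECASE)


def parse_tdl_config(text):
    """Parse the INI-like config into {section: {key: value}}.

    A hand-written parser is used rather than configparser so that odd keys
    such as '*' and empty values are kept exactly as they appear in the dump.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section: ignore
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def server_lists(cfg):
    """Return {key: [url, ...]} for every semicolon-separated list in [tdlcmd]."""
    result = {}
    for key, value in cfg.get("tdlcmd", {}).items():
        if key.endswith("servers"):
            result[key] = [u for u in value.split(";") if u]
    return result


def c2_hosts(cfg):
    """Sorted unique hosts/IPs from all server lists, ready for a blocklist or log search."""
    hosts = set()
    for urls in server_lists(cfg).values():
        for url in urls:
            match = _URL_RE.match(url)
            hosts.add(match.group(1).lower() if match else url)
    return sorted(hosts)


def build_to_install_seconds(cfg):
    """Seconds between builddate and installdate in [main] (assumed format d.m.Y H:M:S)."""
    fmt = "%d.%m.%Y %H:%M:%S"
    main = cfg["main"]
    built = datetime.strptime(main["builddate"], fmt)
    installed = datetime.strptime(main["installdate"], fmt)
    return int((installed - built).total_seconds())


if __name__ == "__main__":
    cfg = parse_tdl_config(SAMPLE_CONFIG)
    print("loader version:", cfg["main"]["version"], "tdlcmd version:", cfg["tdlcmd"]["version"])
    print("injected module:", cfg["injector"]["*"])
    print("build->install gap (s):", build_to_install_seconds(cfg))
    for host in c2_hosts(cfg):
        print("host:", host)
```

The host list is the part worth feeding into proxy or DNS logs: a hit on any of these names from a workstation is a far cheaper signal than trying to spot the modified atapi.sys from user mode, which is exactly what the tool failures described earlier in the thread illustrate.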
 #2161  by rossetoecioccolato
 Sat Aug 21, 2010 1:21 pm
Meriadoc wrote:
Just a conjecture but I wonder if we have been seeing a separate development tree (sold?) with tdl3. A few of my sources have moved on from tdl and I've also seen older versions around.
That is why I asked about the quote: Why would TDL3 suddenly get tired of the movies?
 #2162  by EP_X0FF
 Sat Aug 21, 2010 1:24 pm
Probably these are only debug versions :)

"we gonna make our own tdl4! With blackjack and hookers"

lol