Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik) - Page 60

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#19280 by EP_X0FF
Wed May 15, 2013 4:02 pm

TDL4 clones.

SHA1

065d563acc3cfa7154f8b9e0529ade42b9aab978
ba2f0ce88c4d6dc49445af71f2aead9dbeb73104
bb5c6b439ae76c36e4a165c7643f8273ac686a16
c020e2828efbe477ea9cac010d440a49edcc9716
cd46aeca6828792bf51c8b0f0c8a13b3c9810e33

Attachments

alureon.rar

pass: infected
(918.84 KiB) Downloaded 190 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#19471 by EP_X0FF
Thu May 30, 2013 2:30 am

Alureon based trojan downloader, uses original TDL4 dropper (spooler injection, scheduler exploit - CVE-2010-3888, HIPS "ZwConnectPort" bypass) as platform.

Call home: agertioned.com (unavailable)

SHA256: f3361462f41cf5d4deed536ee1e81f8a67b7ffe03b94af99800c950caa2986aa
SHA1: 0bf188adc65a9ff9c267331c9c52457b9c2b53f2
MD5: 1508be0180316cac932dc70780ca7b94

https://www.virustotal.com/en/file/f336 ... /analysis/

Attachments

0bf188adc65a9ff9c267331c9c52457b9c2b53f2.rar

pass: infected
(39.9 KiB) Downloaded 129 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#19472 by EP_X0FF
Thu May 30, 2013 3:01 am

Few more Alureon droppers, this time with classic TDL4 rootkit.

SHA1

Code: Select all

0e84a749c3c066bfa1f5dc2ef018cf6c7f7ad415
11b8350cd652268e91db566b8e8fa6e3a98de0ff
11ffe008e024157ba1803d58dc3f86b6c2fa1cda
28459404426ea56536fdb8dd7e3c8a309e594c8a
2d5007b3bc7c60959956efccef6fbece337a9bd1
401a50f0582a1b568fc052b5e5523a883b79bc44
4c93b38a571e2626f419a2b79f6bba71ae783a47
4e94c6dacce8aa84ba7e277b3160bb7d76df0930
61611632c7099440818b561f78a432576201afb0
7f2b0acae0f95e15aa20e4926f7259cac622f73d
7f5dee89c9e95aef29ce2d12a5e24740c85d9652
8072bb24b40d7d5110995725fb701977e616a7aa
808d9239cefa2cae9e43429209998e506ce3dfb2
8213a4f39fd2453ecb3e417025e435cd760e5ecb
880504006c58e1014a8f0e92d69ec6fa0359543b
8ab7a97e6cee2deacb28ddc69e892b17114e1437
a763efb742d8c03cba16998611549b03d8eb20d3
b0c3e3742cb874326fc5c011bdf1360ec7dc6845
c2aea90c3c2330bddcd38324b714a3ae61149746
c4145c1cdc257776fc5bb03e22031c49a66fd7d5
c47629d0aa7d52af313f1c8d3524f68f6d6a532d
d1cc4b3b9d88b6e3d3557d4a0e92cbc6713fea34
dd7f8c48c75a4d05ad84411cb6fa0e1143f842f9
e03df3ff196b5ead1acb3a285f319c7d4f72f175
e0592aa2af4c1802b515dbb820bf1c564002f62c
e2489159d050745414b53110b911024af7a80206
e96bfae511c8d94213f5827175a6c8e159fce0e4
ff142c3f89ef3ae7cc81661df9c2c65d9385bde4

Attachments

tdl4.rar

pass: infected
(3.61 MiB) Downloaded 209 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#19540 by EP_X0FF
Tue Jun 04, 2013 7:54 am

R136a1 wrote:New TDL Clones in the Wild: http://labs.bitdefender.com/2013/04/new ... -the-wild/

First appearance http://www.kernelmode.info/forum/viewto ... 631#p18631
https://twitter.com/hFireF0X/status/316521593432068097

84736594 -> mbr
37261034 -> ldr16
76294631 -> ldr32
29475857 -> ldr64
73646583 -> drv32
99283465 -> drv64
29040893 -> cmd32
92530198 -> cmd64
26836472 -> cfg.ini

Config

[35269824]
10087567=14
17463024=67890
[57489382]
80239827=29040893
19273540=92530198
[71026474]
68657233=
45935867=
70129485

Attachments

Malware.rar

pass: infected
(305.3 KiB) Downloaded 200 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#20981 by p4r4n0id
Thu Sep 26, 2013 6:52 pm

New TDL dropper variants exploit CVE-2013-3660 ( EPATHOBJ vuln.)

SHA1: abf99c02caa7bba786aecb18b314eac04373dc97

http://www.f-secure.com/weblog/archives/00002612.html

p4r4n0id

Attachments

TDL-CVE-2013-3660.rar

pwd: infected
(231.68 KiB) Downloaded 141 times

Keep Low. Move Fast. Kill First. Die Last. One Shot. One Kill. No Luck. Pure Skill.
http://p4r4n0id.com/

Username

p4r4n0id

Posts

126

Joined

Thu Sep 22, 2011 11:36 am

Location

Israel

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#20985 by EP_X0FF
Fri Sep 27, 2013 3:23 am

That's actually not a *new* TDL or anything new in general. This is the same copy-paste variant -> http://www.kernelmode.info/forum/viewto ... 540#p19540 unrelated to MaxSS fork. 2013-3660 copy-pasted in PowerLoader (well everybody now has it source) and now in this low quality crap as they seems just share same codebase.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact