A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2523  by Fabian Wosar
 Mon Aug 30, 2010 3:09 pm
You don't have to submit a driver you want to sign to Microsoft or anything like that. You just get a code signing certificate, download a freely available cross certificate from Microsoft and use both to sign the driver. No waiting time except the time it takes to get the code signing certificate really.

This document outlines the whole process more detailed:
http://www.microsoft.com/whdc/driver/in ... rough.mspx
 #2524  by Fabian Wosar
 Mon Aug 30, 2010 3:16 pm
erikloman wrote: Hitman Pro 3.5.6 build 112 BETA
  • Added removal of TDL3 64-bit rootkit
Download: http://dl.surfright.nl/HitmanPro35beta_x64.exe
Works quite well on my testing systems. Do you replace the MBR with the original copy or do you use a "default" MBR?
 #2533  by sww
 Mon Aug 30, 2010 7:15 pm
It worked. They must have updated it.
Yeap. In product "when it's done" :)
 #2534  by 4r0
 Mon Aug 30, 2010 7:40 pm
Jaxryley wrote: Another sample.
SI3112r.sys - 4/ 40 (10.0%) - MD5 : c09be54c50a1554e041ccf0217507d46
http://www.virustotal.com/file-scan/rep ... 1282952316
VirLab's (Kaspersky) answer:
"No malicious code was found in this file.
Best Regards, Kaspersky Lab"
Fabian Wosar wrote: A few more droppers. Essentially there are 2 major variants out there (125,440 and 126,464 bytes large) with each having several further variations. From what I can say so far nothing has changed except the way they are packed in order to fool signature based detections.
Can you share links to the new samples of TDSS x64?
 #2537  by bytejammer
 Mon Aug 30, 2010 8:28 pm
LeastPrivilege wrote:
Latest TDSSKiller v2.4.1.3:
\HardDisk0\MBR - will be cured after reboot
Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
It worked. They must have updated it.
I downloaded TDSSKiller from here but it failed to fix the MBR on my Windows 7 Professional x64 session. Do you have a newer version of TDSSKiller or a different sample (I used this dropper)?
 #2538  by SecConnex
 Mon Aug 30, 2010 8:32 pm
Shall we call this x64 version of TDSS, TDL4?

Seems by that TDSSKiller log, they have gone ahead and named it TDL4.

Also, this is a somewhat new infection routine to directly infect the MBR, instead of an actual system file.
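The two posts above turn on the same point: this variant replaces the MBR boot code rather than a system file, and a cleaner has to decide whether to put back the original sector or a generic one. A defender checking a disk wants the same thing a cleaner needs: a parsed view of the 512-byte sector and a comparison against a known-good copy. The following Python is an added example (not code from this thread, from Hitman Pro, or from TDSSKiller) that parses the MBR layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA signature) and reports which regions differ from a reference sector. The sample sectors, their boot code bytes and the partition entry in them are constructed for the example; a real check would read sector 0 of the physical disk with elevated privileges and compare it to a copy saved while the system was known clean.

```python
"""Parse a 512-byte MBR and diff it against a known-good reference sector."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow
PARTITION_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code, disk signature, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + PARTITION_ENTRY.size * index
        status, _chs_start, ptype, _chs_end, lba_start, count = PARTITION_ENTRY.unpack_from(sector, offset)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code": sector[:440],
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(current: bytes, reference: bytes) -> list:
    """Return human-readable findings for every region of `current` that differs from `reference`."""
    cur, ref = parse_mbr(current), parse_mbr(reference)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code"] != ref["boot_code"]:
        findings.append("boot code differs from reference")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from reference")
    if cur["disk_signature"] != ref["disk_signature"]:
        findings.append("disk signature differs from reference")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR with one bootable NTFS-type partition starting at LBA 2048."""
    code = boot_code.ljust(440, b"\x00")
    disk_signature = struct.pack("<I", 0x1234ABCD)          # constructed value
    reserved = b"\x00\x00"
    entry = PARTITION_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY.size * 3)    # remaining three slots empty
    return code + disk_signature + reserved + table + BOOT_SIGNATURE


# Constructed stand-ins: the first few bytes mimic a standard boot stub
# (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00) and a different stub respectively.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
ALTERED_BOOT_CODE = b"\xeb\x58\x90\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# Same partition table and disk signature, only the boot code replaced: a
# partition-table-only check would report nothing, the boot-code diff does.
ALTERED_MBR = build_sample_mbr(ALTERED_BOOT_CODE)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        print(name, diff_mbr(sector, CLEAN_MBR) or ["no differences"])
```

The comparison keeps the three regions separate on purpose: a boot-code change with an untouched partition table is exactly the shape of the infection described in this thread, while a partition-table change with untouched boot code points somewhere else (resizing, a different disk). Restoring from the saved reference sector preserves the disk signature and partition table, which a generic "default" MBR would not.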