A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #91  by EP_X0FF
 Fri Mar 12, 2010 3:05 am
Please read this post before you start posting in this thread.

This is thread about TDL3 infection, continuation of sysinternals thread.

There is another special dedicated thread about current TDL rootkit

TDL series common information

First topics with TDSS description:

TDL series was firstly discovered ITW in the middle of 2008. It was firstly mentioned in one of my articles at rootkit.com
Rootkit Unhooker v3.8 It's Past, Present and Future of the NTx86 Rootkit Detection
as one of the most dangerous rootkits available at that time.

TDL 1 (analysis by A_D_13)
Interesting new malware
Was using dirty tricks (FSD filter) to bypass RAW mode access to harddisks, especially for antirootkits.

TDL 2/2+ (analysis by A_D_13)
Interesting new malware, part 2
Introduced new aggressive self-protection, based on filtering IofCompleteRequest, IofCallDriver by whitelist of
access allowed drivers (rootkit was looking at call stack).

Currently has numerous copy-past clones:

4DW4R3 (aka BackDoor Triplex)

More info about 2 generation of this rootkit
TDSS analysis by eSage lab - RU
Case study: the TDSS rootkit - EN

TDL 3 (First appearance)
Rootkit TDL3 (TDL Reloaded)
Switched to virus alike behavior, hooking of miniport disk driver.

TDL 3 (analysis by t4L)
TDL3 - Why so serious? Let's put a smile on that face .. (dead link, use attach)

TDL 3/3+ (analysis by Dr.Web)
Russian PDF
English PDF
In this article also mentioned updated TDL3 version, switched from IRP handlers hooking to using special device object.

Note: all others papers from antivirus companies mostly copy-past of posted above.

TDL 3/3+ (analysis by ESET)
http://www.eset.com/resources/white-pap ... alysis.pdf
Covered latest available 3.27+ version ("random" driver infector), TDL fs structure and encryption.

TDL Family (analysis from Kaspersky Lab)
Russian http://www.securelist.com/ru/analysis/208050642/TDSS
English http://www.securelist.com/en/analysis/204792131/TDSS
Interesting info is about commercial part of all this story, affid and others are covered :).

TDL3 story from F-Secure
http://www.f-secure.com/weblog/archives ... f_TDL3.pdf

TDL4, Alureon: The First In The Wild 64-Bit Windows Rootkit
http://www.virusbtn.com/pdf/conference_ ... VB2010.pdf

In the middle of February 2010 this rootkit was revealed for significant number of it's victims.
After applying MS10-015 patch due to restrictions of TDL3 rootkit (several hardcoded values) machines with this rootkit installed became
unbootable (infinite loop of Blue Screens).

TDL 3 contained 2 ITW detected variants.

1. Main front-end rootkit with huge botnet. (user mode payload - tdlcmd.dll, TDL C&C library)
Contains two generations and about ~30 actual subversions, at moment of this topic starting, latest available was v3.273 (3 update of 27 version)

2. z00clicker.dll variant, based on the first TDL3 generation (z00clicker.dll is user mode payload C&C library)
Contains two generations including debug beta version (creates debug.txt while running).

TDL team playing in cat-mouse game with AV companies breaking detection by their special tools.

3.24 locked infected file at disk
3.25 fixed MS10-015 Blue Screen of Death
3.26 removed file locking
3.27 bypassed SPTI-based detectors (1.6 version of TDSSRemover, HitmanPro previous version)
3.271 bypassed bithack used by Kaspersky Lab in their TDSSKiller
3.272 added code integrity checking not allowing using bithacks
3.273 bypassed several detectors again (improved I/O filtering)
3.273 April 2010 edition, changed infection scheme resulting in bypassing most of public removers/detectors
4.0x August 2010 edition, TDL evolves to x64 (switched to bootkit techniques)

User mode component of this rootkit can be updated and usually it is updating independently from rootkit itself.
tdlcmd.dll contains configuration information (servers list) and handy routines to control behavior of the rootkit.
Rootkit can download additional files and store them inside it's own encrypted file system.
However infection itself can't be updated in current version of this rootkit.

TDL3/4 detectors & removers available for download
(+) latest TDL version removal supported Please note that none of this tools does not gives guarantee of successful removal.

TDL3 affid (Affiliated id) description
  • 20106 - rootkit installed with help of fake codecs
  • 10438 - rootkit installed with help of cracks / keygens
  • 11418 - rootkit installed with help of cracks / keygens (keygen.name as example)
  • 20273 - rootkit installed through exploits
Thread posting rules
  • 1. TDL samples must be archived and password-protected. Pasword can be "infected" or "malware".
    All other samples can be deleted by administration without notice.

    2. Please avoid of posting links to TDL fresh sites to keep them alive for harvesting.

    3. Please do not post identical samples and links to out-dated information about TDL3

    4. Please stay on topic (off-topic posts can be deleted without any notice).
Note: Unauthorized users can't download and see attachments.

Your contribution in reversing and harvesting this rootkit --> highly welcomed.
Thanks :)
TDL 3 (analysis by t4L) PDF copy from rootkit.com
(779.03 KiB) Downloaded 100 times
 #140  by ConanTheLibrarian
 Mon Mar 15, 2010 1:38 am
When the tools become obsolete because of a brand new update to TDL3, I fall back on manually taking atapi.sys offline by using the same file renamed and changing registry keys to load it instead. This has always worked for me and I am able with 1 reboot to take the infection "offline" and replace the infected atapi while in windows. Then I just reverse the process with the registry keys and reboot again to load the clean atapi.
 #161  by gjf
 Mon Mar 15, 2010 10:46 am
Actually you don't even need to store original atapi.sys because it is almost similar for all SPs of Windows (but possibly different for XP-Vista-Seven). I have an infection yesterday (quite stupid - just testing new Tdss.ayec). Looks like that version don't love my system (SPTD conflict???) so it dropped down to BSOD during booting. Safe Mode worked only one time with hanging up all the following.

So what I've performed: simply boot using ERD Commander and restore the original atapi using System File Restore. It cured everything. Surely crypted partition still persists on HDD but nobody cares :)
 #194  by EP_X0FF
 Mon Mar 15, 2010 5:16 pm
Surely crypted partition still persists on HDD but nobody cares
Yes :) This is not harmful for system.

Indeed sometimes TDL3 does not working well after infection stage. Reboot leads to nowhere - blue screens, blue screens etc.
 #198  by EP_X0FF
 Mon Mar 15, 2010 5:43 pm

Thanks for mention Norman tool. I didn't included it in list, because was unsure about it usefulness.
Is it capable with removal or detection of last TDL3 version?

 #201  by markusg
 Mon Mar 15, 2010 5:53 pm
i try it last time in february.
at some pcs it make problems, but it works better as at the beginning. :-)
Lars Haukli the autor fix problems very quickly.
 #202  by EP_X0FF
 Mon Mar 15, 2010 5:56 pm
Ok, thanks again. I'm updating first post to include Norman tool.
Perhaps somebody will test it against last TDL3 and post results :)
 #213  by LeastPrivilege
 Mon Mar 15, 2010 7:14 pm
Surely crypted partition still persists on HDD but nobody cares
Does anyone know if the crypted partition causes any problems down the road after the infection is removed? What I mean is, a new reinfection later on since the partition is still there. I haven't seen any evidence of this so far.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 40