[Elite]

Can't wait to see how they go about infecting the x64 machine in the first place and writing the malicious loader to the MBR.

I guess after that it's pretty simple bootkit stuff to inject the x64 driver into kernel at boot, or do some patching to allow it to load "normally".

Time for RkU x64 era too. :lol:

[EP_X0FF]

I guess after that it's pretty simple bootkit stuff to inject the x64 driver into kernel at boot, or do some patching to allow it to load "normally".

Well aside from ldr32/ldr64 this tdl variant also has ldr16, probably used during bootkit work.
Unfortunately no droppers currently available.

[SecConnex]

I imagine these very skilled developers know the Windows kernel in and out, both x86 & x64.

[Buster_BSA]

I wonder if the greatest virus coder of all times (Z0MBie) is involved in the development. I would not be surprised.

[Meriadoc]

Whoever it is we are at a prominent time in rootkit development.

[PX5]

Any tale tell signs of the infection when present, Ive had a series of infections where only one sector of mbr seems affected, usually only sector 5 but sometimes sectors 1 or 2 may appear as affected.

[EP_X0FF]

Thanks to a_d_13 we have memory and TDL FS dumps from infected machines. From preliminary analysis it infects MBR and hides changes (keeps original MBR code on it's own fs). Memory forensic analysis will detect it, as well as kernel debugger. x64 drivers are adapted versions of x32 tdl code. Basic detection suggestions will be the same as in case of x32 TDL3, it still injects dll, it's still uses several hardcoded mutex names, waitable timers and load image notify callback with routine address inside nowhere (outside visible drivers). How good it's hiding MBR changes, well it is hard to say without actual dropper. I'm mostly interested in way, how it infected it.

[PX5]

Code: Select all

[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=22a4b42c-3e5d-4ac6-bc90-5979207c3210
affid=30018
subid=1
installdate=23.8.2010 19:34:48
builddate=20.8.2010 20:54:45
rnd=796845957
knt=1282592859
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wspservers=http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/
popupservers=http://cri71ki813ck.com/
version=3.941
bsh=065c5117a14fcd61d1a83d958b9fe8da3d598f5e
delay=7200
clkservers=http://lkckclckl1i1i.com/

Well atleast they have a sense of humor :lol:

[rossetoecioccolato]

it still injects dll, it's still uses several hardcoded mutex names, waitable timers and load image notify callback with routine address inside nowhere (outside visible drivers).

It is starting to sound like the s.o.s. Is the memory image available? It would be of interest to me.

[LeastPrivilege]

Welcome to x64 rootkits era.

This is not good. It was only a matter of time though.