[markusg]

this was downloaded by other malware, if the other malware is needed, i will upload.
http://www.virustotal.com/file-scan/rep ... 1291727036

[EP_X0FF]

this was downloaded by other malware, if the other malware is needed, i will upload.
http://www.virustotal.com/file-scan/rep ... 1291727036

This one with Windows Task Scheduler Privilege Escalation (CVE: 2010-3888) exploit on board. BTW NtConnectPort trick was in TDL dropper for about month since beginning of November (http://www.kernelmode.info/forum/viewto ... 3406#p3406).

[main]
version=0.03
aid=30020
sid=0
rnd=117609710
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://rukkeianno.com/;hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://skolewcho.com/;hxxp://jikdooyt0.com/;hxxp://swltcho81.com/;hxxp://switcho81.com/;hxxp://rammyjuke.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15

[frank_boldewin]

http://www.securelist.com/en/blog/337/T ... nerability

can someone plz share a tdl4 sample using the stuxnet task sched 0day used for privilege escalation?

[frank_boldewin]

http://www.securelist.com/en/blog/337/T ... nerability

can someone plz share a tdl4 sample using the stuxnet task sched 0day used for privilege escalation?

http://www.kernelmode.info/forum/viewto ... 3862#p3862

ops, sorry for being so blind and thanx for sharing.

[Jaxryley]

Sample.

!http://ibolijaatypyhyp.publicvm.com/lan ... .32.20.exe

adobeflashplayerv10.0.32.20.exe - 16/43 - Avast - Win32:Alureon-MO - MD5 : daa86ff09f606dba53cd73d417adb39e

adobeflashplayerv10.0.32.20.rar

Pass:
infected
(126.48 KiB) Downloaded 85 times

[EP_X0FF]

http://www.virustotal.com/file-scan/rep ... 1292082751

Hurricane Dean was the strongest tropical cyclone of the 2007 Atlantic hurricane season. It was the most intense Atlantic hurricane since Hurricane Wilma of 2005, tying for seventh overall. Additionally, it made the third most intense Atlantic hurricane landfall.

[main]
version=0.03
aid=40024
sid=1
rnd=527237240
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://nl6fa53.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wsrv=hxxp://ijmgwareh0use.com/;hxxp://cljkcpixelabn.com/;hxxp://thynksn0taeg.com/;hxxp://jimgwareh0use.com/;hxxp://bestbanerget.com/;hxxp://pxlratator.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15

[sww]

Small article by me about TDL4.

English version will be available later (in a middle of Jan, maybe :).

[Blur]

The same stuff as in old M$ article. Alureon 've stoped usin' PsSetLoadImageNotifyRoutine in ldr32/64 a long time ago... Why rip someone just to make an article ?

[a_d_13]

Small article by me about TDL4.

English version will be available later (in a middle of Jan, maybe :).

Here is the article translated with Google Translate. It does a pretty good job ;)

Thanks,
--AD

[EP_X0FF]

@Blur
Yes it old, if you take a look on TDL version described in this article, it is 0.02
v0.02 indeed was using LoadImage notify callback in ldr drivers :)
I see nothing criminal in additional papers about TDL. It is definitely better than total silence like it was few years ago.