A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2439  by Every1is=
 Sat Aug 28, 2010 11:21 am
Fabian Wosar wrote:
Every1is= wrote:This is why intel bought mcafee... I can't think of a better way (?) to protect against this sort of stuff than from a hardware level. And am amazed that it hasn't been done before. Well, not yet even now.
"Antivirus hardware" is nothing new and failed miserably in the past.
Hahaha, :D well, that shows how much I know :D :mrgreen:
Any examples? If that is true, then there must have been made a HUGE leap in functionality and effectiveness. Would intel otherwise buy McAfee for soooooooo much money? (nearly 48 dollars per stock while it hovered around.... what? 30-34 dollars? )
Every1is= wrote:System with user running without admin privs won't get infected by this one?
No, they won't.
WTF? W T F ?

I'm going back to normal User mode. Which will be a bitch then I fear, since I do a lot of tinkering with my systems.

I know its a basic rule, but I had "forgotten" (ignored) it for so long.... I would have thought that the malware of these days surely would be able to infect a system while running as non-admin.

Now I'm wondering: is most malware able or unable to when running as normal user?
 #2441  by EP_X0FF
 Sat Aug 28, 2010 12:17 pm
Every1is= wrote:malware able or unable to when running as normal user?
It is able and specially designed rootkits will work, however they can be easily cleaned.
 #2445  by EP_X0FF
 Sat Aug 28, 2010 12:52 pm
Well known thick troll "Vitalik" from AV company (name starts with E) post removed. Account banned.
Any other his accounts will be banned immediately as soon as he post again.
 #2450  by Fabian Wosar
 Sat Aug 28, 2010 1:28 pm
A few more droppers. Essentially there are 2 major variants out there (125,440 and 126,464 bytes large) with each having several further variations. From what I can say so far nothing has changed except the way they are packed in order to fool signature based detections.
Attachments
Password: infected
(361.25 KiB) Downloaded 123 times
 #2451  by EP_X0FF
 Sat Aug 28, 2010 1:38 pm
Yes, seems to be simple repacks
[main]
version=0.02
aid=30136
sid=0
builddate=4096
rnd=823518204
[inject]
*=cmd.dll
[cmd]
srv=hxxps://68b6b6b6.com/;hxxps://61.61.20.132/;hxxps://34jh7alm94.asia;hxxps://61.61.20.135/;hxxps://nyewrika.in/;hxxps://rukkieanno.in/
wsrv=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
psrv=hxxp://cri71ki813ck.com/
version=0.11
 #2458  by Fabian Wosar
 Sat Aug 28, 2010 2:50 pm
Maybe it is helpful for someone: Attached is a little tool I hacked together that dumps files from the TDL-3 storage. It is really primitive and was done in a few minutes. So don't expect anything fancy. Essentially it scans it's own memory for the TDL-3 shell code used for DLL injection. Once found it will use the DLL path of the DLL injection shell code to guess other valid names and tries to copy them to the current working directory.

Source is included.
Attachments
(31.74 KiB) Downloaded 107 times
 #2460  by Fabian Wosar
 Sat Aug 28, 2010 3:33 pm
4everyone wrote:Worked for me with Older Versions of TDL3.. Tried with the new mbr thingie, didn't work for me..
Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack. So failure is kind of expected.

Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 60