Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik) - Page 6

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2401 by a_d_13
Fri Aug 27, 2010 4:01 pm

Hello,

Symantec has just posted a blog entry here regarding 64-bit TDL.

@Fabian - Thank you for sharing samples :D

Thanks,
--AD

Username

a_d_13

Rank

Global Moderator

Posts

393

Joined

Sun Mar 07, 2010 3:31 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2402 by USForce
Fri Aug 27, 2010 5:24 pm

Has someone of you been able to get a working VM after system restart? Looks like the MBR patch is looping and waiting to find a signature and it doesn't find it. So the system hangs and it doesn't start. Tried on x64 too with VirtualBox and it doesn't start at all

Username

USForce

Rank

Global Moderator

Posts

98

Joined

Mon Mar 08, 2010 9:03 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2403 by IndiGenus
Fri Aug 27, 2010 5:27 pm

Yes, it worked for me with VMWare. Someone had mentioned somewhere (can't remember who or where) that SCSI will do that. Set drive to be an IDE works.

Username

IndiGenus

Posts

13

Joined

Sun Mar 14, 2010 4:17 pm

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2404 by USForce
Fri Aug 27, 2010 5:33 pm

What Windows are you using? Windows 7 x64? Which one? (Ultimate,Professional,Home Premium, etc...) and what system language?

Username

USForce

Rank

Global Moderator

Posts

98

Joined

Mon Mar 08, 2010 9:03 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2405 by EP_X0FF
Fri Aug 27, 2010 6:30 pm

Install it on VMWare with IDE type of disk. It must work, my x64 boxes all working well. Actually this is same pain in the back side of the body like with other bootkits earlier.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2406 by Implaer
Fri Aug 27, 2010 8:29 pm

USForce

It worked for me with VMWare, SCSI, Windows 7 x64 Ultimate - English (no debug).

Username

Implaer

Posts

6

Joined

Sat Apr 17, 2010 9:10 am

Location

Russian Federation

Contact

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2409 by cjbi
Fri Aug 27, 2010 9:42 pm

Here's another blog entry from Symantec.
Tidserv’s Boot Methods

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2410 by kakaraka
Fri Aug 27, 2010 10:00 pm

Heh, under win7 x64 the user still needs to accept to run the threat as admin. I wonder how many will ignore the UAC message...

Username

kakaraka

Posts

4

Joined

Tue Aug 24, 2010 5:37 pm

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2411 by Meriadoc
Fri Aug 27, 2010 10:16 pm

x64 Win7 Ultimate (VMware) IDE, working.

64-bit native
- Hitman Pro detects
- TDSSKiller does not
- SUPERAntiSpyware does not

SUPERAntiSpyware v.4.42.1000 Released August 26th, 2010
Technology Changes
• Resolves issue with McAfee and scanning "hang" on 64-bit systems
• Enhanced "smart definitions" system resulting in improved detection of certain threats
• Updated TDSS Detection/Removal Technology
• Updated scanning engine (speed improvements)

SAS has never detected TDL3.

Does Prevx have 64 bit support?

Who controls the past controls the future
Who controls the present controls the past

Username

Meriadoc

Posts

195

Joined

Sat Mar 13, 2010 7:36 pm

Location

Cymru

Re: Rootkit TDL 3 (alias TDSS, Alureon)

#2412 by USForce
Fri Aug 27, 2010 11:25 pm

EP_X0FF wrote:Install it on VMWare with IDE type of disk. It must work, my x64 boxes all working well. Actually this is same pain in the back side of the body like with other bootkits earlier.

VMWare 7.0.1, Windows 7 Professional x64 EN, no debug, IDE disk

After restart, system hangs on "Starting Windows" window and it doesn't go ahead (or it takes ages maybe? I'm not waiting for more than 10 minutes)

Username

USForce

Rank

Global Moderator

Posts

98

Joined

Mon Mar 08, 2010 9:03 am