[Fabian Wosar]

There really are tons of examples out there. One can be found at fyyre's homepage if I remember correctly.

[Every1is=]

This is why intel bought mcafee... I can't think of a better way (?) to protect against this sort of stuff than from a hardware level. And am amazed that it hasn't been done before. Well, not yet even now.
"Antivirus hardware" is nothing new and failed miserably in the past.

Hahaha, :D well, that shows how much I know :D :mrgreen:
Any examples? If that is true, then there must have been made a HUGE leap in functionality and effectiveness. Would intel otherwise buy McAfee for soooooooo much money? (nearly 48 dollars per stock while it hovered around.... what? 30-34 dollars? )

System with user running without admin privs won't get infected by this one?

No, they won't.

WTF? W T F ?

I'm going back to normal User mode. Which will be a bitch then I fear, since I do a lot of tinkering with my systems.

I know its a basic rule, but I had "forgotten" (ignored) it for so long.... I would have thought that the malware of these days surely would be able to infect a system while running as non-admin.

Now I'm wondering: is most malware able or unable to when running as normal user?

[EP_X0FF]

malware able or unable to when running as normal user?

It is able and specially designed rootkits will work, however they can be easily cleaned.

[EP_X0FF]

Well known thick troll "Vitalik" from AV company (name starts with E) post removed. Account banned.
Any other his accounts will be banned immediately as soon as he post again.

[Fabian Wosar]

A few more droppers. Essentially there are 2 major variants out there (125,440 and 126,464 bytes large) with each having several further variations. From what I can say so far nothing has changed except the way they are packed in order to fool signature based detections.

[EP_X0FF]

Yes, seems to be simple repacks

[main]
version=0.02
aid=30136
sid=0
builddate=4096
rnd=823518204
[inject]
*=cmd.dll
[cmd]
srv=hxxps://68b6b6b6.com/;hxxps://61.61.20.132/;hxxps://34jh7alm94.asia;hxxps://61.61.20.135/;hxxps://nyewrika.in/;hxxps://rukkieanno.in/
wsrv=hxxp://lk01ha71gg1.cc/;hxxp://zl091kha644.com/;hxxp://a74232357.cn/;hxxp://a76956922.cn/;hxxp://91jjak4555j.com/
psrv=hxxp://cri71ki813ck.com/
version=0.11

[Buster_BSA]

Thanks for the samples Fabian!

[Fabian Wosar]

Maybe it is helpful for someone: Attached is a little tool I hacked together that dumps files from the TDL-3 storage. It is really primitive and was done in a few minutes. So don't expect anything fancy. Essentially it scans it's own memory for the TDL-3 shell code used for DLL injection. Once found it will use the DLL path of the DLL injection shell code to guess other valid names and tries to copy them to the current working directory.

Source is included.

[4everyone]

Worked for me with Older Versions of TDL3.. Tried with the new mbr thingie, didn't work for me..

[Fabian Wosar]

Worked for me with Older Versions of TDL3.. Tried with the new mbr thingie, didn't work for me..

Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack. So failure is kind of expected.

Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.