A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #215  by EP_X0FF
 Mon Mar 15, 2010 7:20 pm
Without an active infection in the driver file (atapi.sys or any other miniport driver, e.g. vmscsi.sys), this data is just encrypted trash.
 #248  by STRELiTZIA
 Tue Mar 16, 2010 7:28 pm
TDL3+ Rootkit catch & debug User-mode thread (tdlcmd.dll)
Flash movie (Rapidshare link)

hxxp://rapidshare.com/files/364244210/TDL3.273_Flash_movie.rar
It is a general approach to try to detect the rootkit's presence using only OllyDbg.
I also did some code tracing to see the rootkit's overall behavior when choosing victim file names.

001C0000 DEC EBP (Initial CPU selection)
001C102D MOV EAX,1C7364 ASCII "111111-111111-111111-111111-111111"
001C1041 MOV EAX,1C7388 ASCII "10000"
001C1234 MOV ESI,1C7398 ASCII "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
001C1339 PUSH 1C73DC ASCII "%s\%s.tmp"
001C13A5 PUSH 1C73E8 ASCII "ObtainUserAgentString"
001C13AA PUSH 1C7400 ASCII "urlmon.dll"
001C1746 PUSH 1C740C ASCII ".dll"
001C178E PUSH 1C7414 ASCII "%s\%s"
001C1989 PUSH 1C741C ASCII "www.google."
001C1994 MOV EBX,1C7428 ASCII "/search"
001C19B7 PUSH 1C743C ASCII "search.yahoo.com"
001C19DE MOV EBX,1C7450 ASCII "?p="
001C1A07 MOV EDI,1C7454 ASCII "&p="
001C1A13 PUSH 1C7458 ASCII "www.bing.com"
001C1A35 PUSH 1C7468 ASCII "www.ask.com"
001C1A46 PUSH 1C7474 ASCII "/web"
001C1A5B PUSH 1C747C ASCII "search.aol.com"
001C1A70 PUSH 1C748C ASCII "/aol/search"
001C1A8D MOV EBX,1C7498 ASCII "?query="
001C1AAE MOV EBX,1C74A0 ASCII "&query="
001C1ACF MOV EBX,1C7434 ASCII "?q="
001C1AF0 MOV EDI,1C7438 ASCII "&q="
001C1B1C PUSH 1C74BC ASCII ".yahoo.com"
001C1B30 PUSH 1C74C8 ASCII ".bing.com"
001C1B3C PUSH 1C74D4 ASCII ".live.com"
001C1B48 PUSH 1C74E0 ASCII ".msn.com"
001C1B54 PUSH 1C74EC ASCII ".ask.com"
001C1B60 PUSH 1C74F8 ASCII ".aol.com"
001C1B6C PUSH 1C7504 ASCII ".google-analytics.com"
001C1B78 PUSH 1C751C ASCII ".yimg.com"
001C1B8B PUSH 1C7528 ASCII "upload.wikimedia.org"
001C1B9D PUSH 1C7540 ASCII "img.youtube.com"
001C1BAF PUSH 1C7550 ASCII ".powerset.com"
001C1BBF PUSH 1C7560 ASCII ".aolcdn.com"
001C1BCF PUSH 1C756C ASCII ".blinkx.com"
001C1BDF PUSH 1C7578 ASCII ".atdmt.com"
001C1BEF PUSH 1C7584 ASCII ".othersonline.com"
001C1BFF PUSH 1C7598 ASCII ".yieldmanager.com"
001C1C0F PUSH 1C75AC ASCII ".fimserve.com"
001C1C1B PUSH 1C75BC ASCII ".everesttech.net"
001C1C27 PUSH 1C75D0 ASCII ".doubleclick.net"
001C1C33 PUSH 1C75E4 ASCII ".adrevolver.com"
001C1C3F PUSH 1C75F4 ASCII ".tribalfusion.com"
001C1C4B PUSH 1C7608 ASCII ".adbureau.net"
001C1C57 PUSH 1C7618 ASCII ".abmr.net"
001C1C6F PUSH 1C74AC ASCII "://"
001C1D21 MOV EBX,1C7624 ASCII "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"
001C1DCE PUSH 1C7690 ASCII "%s-%s"
001C1E48 PUSH 1C7698 ASCII "%1d.%1d %04d SP%1d.%1d"
001C1EAA PUSH 1C76B0 ASCII CR,LF
001C1ECE PUSH 1C76B4 ASCII "%u|%u"
001C205E MOV EDI,1C74AC ASCII "://"
001C20D5 MOV ESI,1C76C0 ASCII "ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s"
001C20E1 MOV EDI,1C76BC ASCII "3.7"
001C21B2 PUSH 1C76F0 ASCII "msie 7.0"
001C2239 MOV ESI,1C7704 ASCII "clk=%s&bid=%s&aid=%s&sid=%s&rd=%s"
001C2243 MOV EBX,1C76FC ASCII "1.21"
001C2537 PUSH 1C7728 ASCII "HTTP/1.1 302 Found",CR,LF,"Location: %s",CR,LF,"Content-Length: 0",CR,LF,"Connection: close",CR,LF,CR,LF
001C25A2 PUSH 1C7778 ASCII "<html><head><script type=""text/javascript"">function f(){var url=""%s"";try{var x=document.getElementById(""_a"");x.href=url;x.click()}catch(e){try{var x=document.getElementById(""_f"");x.action=url;x.submit()}catch(e){}}}</script></hea"...
001C25E4 PUSH 1C78B8 ASCII "HTTP/1.1 200 OK",CR,LF,"Cache-Control: no-cache,no-store,must-revalidate",CR,LF,"Content-Type: text/html",CR,LF,"Content-Length: %d",CR,LF,"Connection: close",CR,LF,CR,LF,"%s"
001C263D PUSH 1C7940 ASCII "<html><body onload=""javascript:history.back()""></body></html>"
001C2644 PUSH 1C78B8 ASCII "HTTP/1.1 200 OK",CR,LF,"Cache-Control: no-cache,no-store,must-revalidate",CR,LF,"Content-Type: text/html",CR,LF,"Content-Length: %d",CR,LF,"Connection: close",CR,LF,CR,LF,"%s"
001C2CAA MOV ESI,1C7980 ASCII "http://%s%s"
001C2DDE PUSH 1C798C UNICODE "S:(ML;;NW;;;LW)"
001C307E PUSH 1C74AC ASCII "://"
001C322C PUSH 1C74AC ASCII "://"
001C32A8 PUSH 1C7A0C ASCII "%s http://%s/?xurl=%s&xref=%s"
001C32FD PUSH 1C7A2C ASCII "%s %s"
001C344E PUSH 1C7A34 ASCII "1.5|%s|%s|%s|%s|%s|%s"
001C35B5 PUSH 1C74B0 ASCII ".google."
001C366C MOV EDI,1C7A4C ASCII "?xurl="
001C367F MOV ESI,1C7A54 ASCII "&xref="
001C37B5 PUSH 1C7A5C ASCII "get "
001C37F9 PUSH 1C7A64 ASCII CR,LF,CR,LF
001C3815 PUSH 1C7A6C ASCII " http/1."
001C383A MOV ESI,1C76B0 ASCII CR,LF
001C3846 PUSH 1C7A7C ASCII CR,LF,"host: "
001C385D PUSH 1C74AC ASCII "://"
001C3882 PUSH 1C7A88 ASCII CR,LF,"referer: "
001C3894 PUSH 1C7A94 ASCII CR,LF,"user-agent: "
001C38B3 PUSH 1C7AA4 ASCII "msie 8.0"
001C38CE PUSH 1C7AB0 ASCII "mozilla"
001C38DA PUSH 1C7AB8 ASCII "opera"
001C38F2 PUSH 1C7AC0 ASCII CR,LF,"X-Moz: prefetch",CR,LF
001C3B30 PUSH 1C7A6C ASCII " http/1."
001C3B4D MOV EBX,1C76B0 ASCII CR,LF
001C3B5A PUSH 1C7A7C ASCII CR,LF,"host: "
001C3B71 PUSH 1C74AC ASCII "://"
001C3B97 PUSH 1C7A88 ASCII CR,LF,"referer: "
001C3BC0 PUSH 1C7AD4 ASCII CR,LF,"Content-Type: text/html"
001C3BCA PUSH 1C7AF0 ASCII CR,LF,"Transfer-Encoding: chunked",CR,LF
001C3BE2 PUSH 1C7B10 ASCII CR,LF,"Content-Length: "
001C3BF9 PUSH 1C7B24 ASCII "%d"
001C3C10 PUSH 1C7B28 ASCII "HTTP/1.1 200 OK",CR,LF
001C3DA2 PUSH 1C7B3C ASCII "mswsock.dll"
001C3DC1 PUSH 1C7B48 ASCII "ws2_32"
001C3DD0 PUSH 1C7B50 ASCII "WSAStartup"
001C3DD8 PUSH 1C7B5C ASCII "WSASocketA"
001C3E3F PUSH 1C7B68 ASCII "WSPStartup"
001C3E44 PUSH 1C7B74 ASCII "mswsock"
001C3F0E MOV ECX,1C7B7C ASCII "Mozilla/4.0 (compatible; MSIE 1.0) TDL3"
001C3F24 PUSH 1C7BA4 ASCII "*%s"
001C3F4D PUSH 1C7BA8 ASCII "tasks"
001C3F83 PUSH 1C7BA8 ASCII "tasks"
001C3FAD PUSH 1C7BB0 ASCII "!%s"
001C3FE7 PUSH 1C7BB4 ASCII "%d%d%d%d%d%d"
001C400C PUSH 1C7BA8 ASCII "tasks"
001C409D PUSH 1C7BC4 ASCII "%s.dll"
001C4299 PUSH 1C7BCC ASCII "kernel32.dll"
001C42B4 PUSH 1C7BDC ASCII "kernelbase"
001C4457 MOV EDI,1C7BE8 ASCII ".text"
001C4468 MOV EDI,1C7BF0 ASCII ".rdata"
001C458E PUSH 1C7BF8 ASCII "tdl"
001C4604 PUSH 1C7414 ASCII "%s\%s"
001C4682 PUSH 1C7BFC ASCII "tdlcmd"
001C4699 MOV EDI,1C7C04 ASCII "DownloadCrypted"
001C46B0 MOV EDI,1C7C14 ASCII "DownloadAndExecute"
001C46C7 MOV EDI,1C7C28 ASCII "Download"
001C46DE MOV EDI,1C7C34 ASCII "ConfigWrite"
001C47D1 PUSH 1C7C48 ASCII "%x"
001C4804 PUSH 1C7C4C ASCII "%f"
001C480B PUSH 1C7B24 ASCII "%d"
001C4861 PUSH 1C7C40 UNICODE "%S"
001C4955 PUSH 1C7C50 ASCII "%[^.].%[^(](%[^)])"
001C497E PUSH 1C7C64 ASCII "botnetcmd"
001C4992 PUSH 1C7C70 ASCII "LoadExe"
001C49AD PUSH 1C7BFC ASCII "tdlcmd"
001C49BC PUSH 1C7C14 ASCII "DownloadAndExecute"
001C4A27 PUSH 1C7414 ASCII "%s\%s"
001C4A56 PUSH 1C740C ASCII ".dll"
001C4ADB PUSH 1C7BA8 ASCII "tasks"
001C4B17 PUSH 1C7C78 ASCII "%[^=]=%s)"
001C4BBC MOV ECX,1C7B7C ASCII "Mozilla/4.0 (compatible; MSIE 1.0) TDL3"
001C4C12 PUSH 1C7C84 ASCII "svchost.exe"
001C4C83 MOV DWORD PTR SS:[E ASCII "WinSta0\Default"
001C4CB5 PUSH 1C7BA8 ASCII "tasks"
001C4D6B PUSH 1C7CA0 ASCII "3.741"
001C4D87 PUSH 1C7CA8 ASCII "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s"
001C4E11 MOV ECX,1C7B7C ASCII "Mozilla/4.0 (compatible; MSIE 1.0) TDL3"
001C4E53 MOV ESI,1C7CC8 ASCII "builddate"
001C4E76 PUSH 1C7364 ASCII "111111-111111-111111-111111-111111"
001C4F38 PUSH 1C7388 ASCII "10000"
001C4F64 PUSH 1C7CD4 ASCII "3.x"
001C4FBC PUSH 1C7664 ASCII "software\classes\http\shell\open\command"
001C5135 PUSH 1C7CF4 UNICODE "WebBrowser"
001C558E PUSH 1C7D10 UNICODE "buy"
001C55A0 PUSH 1C7D18 UNICODE "order"
001C55B2 PUSH 1C7D24 UNICODE "basket"
001C5720 MOV EDI,1C7CD8 ASCII "Internet Explorer_Server"
001C5A1D MOV DWORD PTR SS:[E UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
001C5A59 MOV DWORD PTR SS:[E UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
001C5AAD PUSH 1C7D78 ASCII "Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION"
001C5ABF PUSH 1C7DCC ASCII "MaxHttpRedirects"
001C5AC4 PUSH 1C7DE0 ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
001C5AD7 PUSH 1C7E1C ASCII "EnableHttp1_1"
001C5ADC PUSH 1C7DE0 ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
001C5AF5 PUSH 1C7E2C ASCII "CurrentLevel"
001C5AFA MOV EBX,1C7E40 ASCII "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
001C5B0B PUSH 1C7E84 ASCII "1601"
001C5B1C PUSH 1C7E8C ASCII "1400"
001C5B4C PUSH 1C74AC ASCII "://"
001C5B65 MOV ESI,1C7E94 ASCII "http://%s/?xurl=%s&xref=%s"
001C5C75 MOV EAX,1C7EB0 UNICODE "svchost"
001C5D03 PUSH 1C7EC0 ASCII "atl.dll"
001C5D12 PUSH 1C7EC8 ASCII "AtlAdvise"
001C5D1A PUSH 1C7ED4 ASCII "AtlUnadvise"
001C5D27 PUSH 1C7EE0 ASCII "AtlAxCreateControlEx"
001C5D34 PUSH 1C7EF8 ASCII "SysFreeString"
001C5D39 PUSH 1C7F08 ASCII "oleaut32.dll"
001C5D48 PUSH 1C7D34 ASCII "waveOutOpen"
001C5D4D PUSH 1C7D40 ASCII "winmm.dll"
001C5D7D PUSH 1C7D54 ASCII "ole32.dll"
001C5D89 PUSH 1C7D60 ASCII "CoCreateInstance"
001C5DDD MOV DWORD PTR SS:[E UNICODE "svchost"
001C5EF6 MOV ECX,1C7BFC ASCII "tdlcmd"
001C5F04 MOV ESI,1C7F20 ASCII "delay"
001C5F1A MOV ESI,1C7F28 ASCII "retry"
001C5F4A PUSH 1C7CA0 ASCII "3.741"
001C5F4F PUSH 1C7F30 ASCII "version"
001C5F69 MOV ESI,1C7F38 ASCII "clkservers"
001C5F88 PUSH 1C7F44 ASCII "http://clkmfd001.ws/"
001C5FD4 PUSH 1C7F60 ASCII "https://d45648675.cn/;https://d92378523 ... 12.226.65/"
001C6067 MOV ESI,1C7BFC ASCII "tdlcmd"
001C6079 MOV ESI,1C7FA4 ASCII "wspservers"
001C6096 PUSH 1C7FB0 ASCII "http://j00k877x.cc/;http://b11335599.cn/"
001C60B1 MOV ESI,1C7FDC ASCII "popupservers"
001C60CD PUSH 1C7FEC ASCII "http://m3131313.cn/"
001C60E8 PUSH 1C79AC ASCII "{A68D7DE8-EBA6-4a54-90E0-9CB9D93B3ED7}"
001C611C PUSH 1C79D4 ASCII "{CC51461B-E32A-4883-8E97-E0706DC65415}"
001C6129 PUSH 1C79FC ASCII "keywords"
001C6133 PUSH 1C7414 ASCII "%s\%s"
001C6315 MOV DWORD PTR SS:[E UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
001C63FF MOV EDI,1C8000 ASCII "ntdll"
001C640A PUSH 1C8054 ASCII "kernel32"
001C6414 PUSH 1C7B74 ASCII "mswsock"
001C641E PUSH 1C7B48 ASCII "ws2_32"
001C6428 PUSH 1C8060 ASCII "wsock32"
001C6432 PUSH 1C8068 ASCII "wininet"
001C6455 PUSH 1C8008 ASCII "KiUserExceptionDispatcher"
001C646A PUSH 1C8024 ASCII "ZwProtectVirtualMemory"
001C647F PUSH 1C803C ASCII "ZwWriteVirtualMemory"
001C64DA PUSH 1C7C84 ASCII "svchost.exe"
001C64EE PUSH 1C8070 ASCII "netsvcs"
001C64FE PUSH 1C8078 ASCII "9e6af8f3-75f3-4b67-877a-c80125d7bc08"
001C6534 PUSH 1C80A0 ASCII "*explore*"
001C6540 PUSH 1C80AC ASCII "*firefox*"
001C654C PUSH 1C80B8 ASCII "*chrome*"
001C6558 PUSH 1C80C4 ASCII "*opera*"
001C6564 PUSH 1C80CC ASCII "*safari*"
001C6570 PUSH 1C80D8 ASCII "*netscape*"
001C657C PUSH 1C80E4 ASCII "*avant*"
001C6588 PUSH 1C80EC ASCII "*browser*"
001C6594 PUSH 1C80F8 ASCII "*wuauclt*"
001C65CD PUSH 1C7414 ASCII "%s\%s"
 #253  by EP_X0FF
 Wed Mar 17, 2010 2:33 am
Hello,

1268479347.exe is a TDL 3.273 dropper.
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
installdate=17.3.2010 2:18:39
builddate=13.3.2010 11:22:25
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://91.212 ... n4cx00.cc/
wspservers=http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/
popupservers=http://clkh71yhks66.com/
version=3.741
The second file, profit.exe, is a dropper for another malware usually seen together with TDL3.
It drops ngniplr.dll into the C:\WINDOWS directory. Then it executes this dll with rundll32 "C:\WINDOWS\ngniplr.dll",Startup and rundll32.exe "C:\WINDOWS\ngniplr.dll",iep
This malicious dll is registered as an LSA Notification package. The registry key is monitored by the malware and restored each time I tried to delete it with autoruns.
It is possible to get rid of this malware by using any average antirootkit's wipe/delete file functionality.

The unpacked dropper contains the following strings:
Startup
rundll32 "%s",
t0003.err%08x
t0002.err.size%08x.err%08x
%010d.%08x.%02d.%s.%s.%s.%s.%s._t_i.%s
____ONLOADTEST____ ___________
explorer.exe
rundll32.exe "%s",iep
rundll32.exe "%s",Startup
rundll32.exe
lsass.exe
aeiou
bcdfghklmnprstjvwyqxz
\chrome\content\_cfg.js
/kathell.com
leyeshv.com
ppc:
main:
backup:
maincamp:
backupcamp:
ffppc:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
dsh
http://
ftp://
https://
rundll32
empty
.dll
rundll32.exe "
Notification Packages
SYSTEM\CurrentControlSet\Control\Lsa
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion
kernel32.dll
%s%s.dll
&f=2&delay=%08d
%d.%d.%d.%d
\system32\user32.dll
no loader file found - create new(0x%08x error)
\chrome\content\overlay.xul
\system32\*.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
/get.php
&aid=
&uid=
&adm=
Iphlpapi.dll
o&mid=
&old_uid=
&binver=99
&osver=%d.%d
&tick=%010d
&proc=
&ldr_e=%1d&clnt_e=%1d
&cndl=
&EOR
saveold
MACHINE\
jjh
plr
Ekemegig
SOFTWARE\Microsoft\Windows\CurrentVersion\Atesupukalegetek
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Atesupukalegetek
C:\WINDOWS\ngniplr.dll
It also tries to detect virtual machines:
VIRTUAL HD
VMWARE VIRTUAL IDE HARD DRIVE
QEMU HARDDISK
VBOX HARDDRIVE
GetAdaptersInfo
Thank you.
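The persistence described in the post above (a DLL added to the LSA Notification Packages value, restored whenever it is deleted) is easy to spot if you diff the value against a known-good baseline. The script below is an added example, not code from the thread; it checks a REG_MULTI_SZ list against a baseline that is an assumption for Windows XP/2003 (scecli is the stock entry, rassfm appears on some servers), resolves where a bare package name would be loaded from along the same search order lsass would use, and reads the live value only when run on Windows. The registry entries and directory listings used for the demonstration are constructed.

```python
"""Flag LSA Notification Packages that are not in a known-good baseline.

Added example, not code from the thread. lsass.exe loads every DLL named in
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages at boot,
which is how the ngniplr.dll dropper above persists. BASELINE_PACKAGES and
DEFAULT_SEARCH_PATH are assumptions for a Windows XP/2003 box with the OS on
C:\\WINDOWS; take both from a clean image of the same build.
"""
import sys
from typing import Dict, List, Optional, Set

BASELINE_PACKAGES: Set[str] = {"scecli", "rassfm"}  # assumption: XP/2003 defaults

# Directories lsass would try, in order, when the value holds a bare name.
# The dropper above wrote its DLL to C:\WINDOWS, which is on this path.
DEFAULT_SEARCH_PATH = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]


def _base_name(entry: str) -> str:
    """'ngniplr', 'ngniplr.dll' and 'C:\\x\\ngniplr.dll' all normalise to 'ngniplr'."""
    name = entry.strip().lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".dll") else name


def resolve_package(entry: str, search_path: List[str],
                    listing: Dict[str, Set[str]]) -> Optional[str]:
    """Return the path a bare package name would resolve to, or None.

    listing maps a directory to the lowercase file names it contains; it
    stands in for the filesystem so the check can run against a dump offline.
    """
    file_name = _base_name(entry) + ".dll"
    for directory in search_path:
        if file_name in listing.get(directory, set()):
            return directory + "\\" + file_name
    return None


def check_notification_packages(entries: List[str], listing: Dict[str, Set[str]],
                                search_path: List[str] = DEFAULT_SEARCH_PATH
                                ) -> List[Dict[str, Optional[str]]]:
    """One finding per entry that is not in the baseline, with where it loads from."""
    findings: List[Dict[str, Optional[str]]] = []
    for entry in entries:
        if _base_name(entry) in BASELINE_PACKAGES:
            continue
        path = resolve_package(entry, search_path, listing)
        if path is None:
            reason = "not in baseline; DLL not found on the search path"
        elif not path.lower().startswith(search_path[0].lower() + "\\"):
            reason = "not in baseline; resolves outside System32"
        else:
            reason = "not in baseline"
        findings.append({"package": entry, "path": path, "reason": reason})
    return findings


def read_live_packages() -> Optional[List[str]]:
    """Read the real value on Windows; None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, value_type = winreg.QueryValueEx(key, "Notification Packages")
    return list(value) if value_type == winreg.REG_MULTI_SZ else [str(value)]


# Constructed sample resembling the infected machine described in the post.
SAMPLE_ENTRIES = ["scecli", "ngniplr"]
SAMPLE_LISTING = {
    r"C:\WINDOWS\system32": {"scecli.dll", "rassfm.dll"},
    r"C:\WINDOWS": {"ngniplr.dll"},
}

if __name__ == "__main__":
    live = read_live_packages()
    if live is None:
        entries, listing = SAMPLE_ENTRIES, SAMPLE_LISTING
    else:
        import os
        entries = live
        listing = {d: {f.lower() for f in os.listdir(d)}
                   for d in DEFAULT_SEARCH_PATH if os.path.isdir(d)}
    for finding in check_notification_packages(entries, listing):
        print(finding)
```

Because the dropper re-creates the value when it is removed, a single clean read right after deleting the entry proves nothing; re-run the check after a reboot, and treat the DLL itself (wiped with an antirootkit as the post suggests) as the thing to remove first.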
 #320  by EP_X0FF
 Fri Mar 19, 2010 3:37 am
Fresh z00clicker variant. Based on the original TDL3 (callgate-based hooking of the miniport driver's IRP handlers).

VirusTotal
http://www.virustotal.com/analisis/cdbd ... 1268969624

Configuration file
[main]
botid=xxxx
date=15990040
[injector]
iexplore.exe=z00clicker.dll
firefox.exe=z00clicker.dll
safari.exe=z00clicker.dll
MD5
4bc88ec9520df2e3408da0ae5c7afbcb

SHA1
9b0b248d471c76b416379f7e152d58690e7d37b7
 #334  by Meriadoc
 Fri Mar 19, 2010 1:32 pm
One for the TDL3 detectors & removers list

TDL3 Razor http://www.tizersecure.com/about_TDL3_r ... remove.php

tested with today's build

VT
http://www.virustotal.com/analisis/ca78 ... 1268995131
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
installdate=19.3.2010 12:41:5
builddate=19.3.2010 0:45:1
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://873hgf7xx60.com/;https://34jh7a ... 61.20.132/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha6 ... 4555j.com/
popupservers=http://zxclk9abnz72.com/
version=3.74
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=
No need to attach the file as the version has not changed.

Result = removed
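The configuration dumps in this thread (the [main]/[injector]/[tdlcmd]/[tasks] sections above and in the earlier posts) share one INI-like layout, and the tdlcmd.dll string dump earlier in the thread carries the scanf formats "%[^.].%[^(](%[^)])" and "%[^=]=%s)" next to the command names DownloadCrypted, DownloadAndExecute, Download, ConfigWrite and LoadExe, as well as wildcard patterns like "*firefox*" for choosing injection targets. The parser below is an added example, not code from the thread or from the rootkit: it reads a config dump into sections, splits the ';'-separated server lists, resolves which DLL the [injector] section maps to a given process name, and decodes "module.Command(arg)" strings the way those scanf formats would. That a task line has the shape "module.Command(arg)", and that a specific injector key beats the "*" catch-all, are inferences from the strings, not documented behavior; the sample config and the server names in it are constructed.

```python
"""Parse a TDL3 config dump and resolve its [injector] and task entries.

Added example, not code from the thread. The section layout is taken from
the configs posted in the thread; the "module.Command(arg)" task syntax is an
inference from the scanf formats "%[^.].%[^(](%[^)])" and "%[^=]=%s)" seen in
the tdlcmd.dll string dump. SAMPLE_CONFIG is constructed and its servers are
placeholders, not real C&C hosts.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
[main]
quote=constructed sample
version=3.273
installdate=17.3.2010 2:18:39
builddate=13.3.2010 11:22:25
[injector]
*=tdlcmd.dll
iexplore.exe=z00clicker.dll
[tdlcmd]
servers=https://c2-a.invalid/;https://c2-b.invalid/
wspservers=http://wsp.invalid/
version=3.741
delay=7200
[tasks]
tdlcmd.dll=
"""

# Equivalent of sscanf(s, "%[^.].%[^(](%[^)])", module, command, arg):
# every %[...] set must consume at least one character, hence '+' not '*'.
COMMAND_RE = re.compile(r"^([^.]+)\.([^(]+)\(([^)]+)\)")
# Equivalent of sscanf(s, "%[^=]=%s)", key, value): %s stops only at
# whitespace, so it also swallows the trailing ')' and we strip it afterwards.
KV_ARG_RE = re.compile(r"^([^=]+)=(\S+)")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like dump into {section: {key: value}}.

    Values are split on the first '=' only, so URLs with query strings survive;
    a later duplicate key overwrites an earlier one.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"key before any section header: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def server_list(cfg: Dict[str, Dict[str, str]], section: str, key: str) -> List[str]:
    """Split a ';'-separated server value such as [tdlcmd] servers."""
    return [s for s in cfg.get(section, {}).get(key, "").split(";") if s]


def injected_module(cfg: Dict[str, Dict[str, str]], process_name: str) -> Optional[str]:
    """DLL the [injector] section maps to a process name, or None.

    Keys are matched as case-insensitive wildcards (the dump carries patterns
    like "*explore*"); preferring the longest matching key over "*" is this
    example's assumption, not documented TDL3 behaviour.
    """
    name = process_name.lower()
    best: Optional[Tuple[str, str]] = None
    for pattern, dll in cfg.get("injector", {}).items():
        if fnmatch.fnmatchcase(name, pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, dll)
    return best[1] if best else None


def parse_command(task: str) -> Optional[Tuple[str, str, str]]:
    """'tdlcmd.DownloadAndExecute(url)' -> ('tdlcmd', 'DownloadAndExecute', 'url')."""
    m = COMMAND_RE.match(task)
    return m.groups() if m else None  # type: ignore[return-value]


def parse_kv_arg(arg: str) -> Optional[Tuple[str, str]]:
    """'delay=7200)' -> ('delay', '7200'), mirroring the "%[^=]=%s)" format."""
    m = KV_ARG_RE.match(arg)
    if not m:
        return None
    key, value = m.groups()
    return key, value[:-1] if value.endswith(")") else value


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("C&C:", server_list(cfg, "tdlcmd", "servers"))
    for proc in ("iexplore.exe", "firefox.exe"):
        print(proc, "->", injected_module(cfg, proc))
    print(parse_command("tdlcmd.DownloadAndExecute(http://task.invalid/a.exe)"))
```

Run it against a decrypted config pulled from an infected box (the dumps in this thread came from the rootkit's hidden file system, which post #215 notes is only readable while the infected miniport driver is active) and you get the server list and injection map in a form that can be fed straight to blocklists.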
 #346  by EP_X0FF
 Fri Mar 19, 2010 5:38 pm
Thanks for link, list updated.

I didn't try it, because it is obviously (from the screenshots) a copy-paste clone of TDSS Remover from Kaspersky Lab.
 #347  by kernelLearner
 Fri Mar 19, 2010 5:48 pm
Hey. Tested it with a TDL3 sample I got; it seems to be working for me. Any info on how these guys are detecting it? It looks like a Kaspersky copy in the UI, but I couldn't see any other connection.
 #348  by EP_X0FF
 Fri Mar 19, 2010 5:53 pm
Hello,

They look for the StartIo value in the driver object. This is one of the methods; Tizer and Kaspersky use it. But besides this, TDSS Killer also uses additional methods. Download it and reverse it for more info (it even contains debug information).

Regards.
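The StartIo check described above, applied to text captured from a kernel debugger, as an added example that is not part of the thread and not the code of any of the tools named in it. It parses a "dt nt!_DRIVER_OBJECT <addr>" listing for the miniport's driver object and a "dps" listing of its MajorFunction table (both in WinDbg's 32-bit layout, both constructed here with made-up addresses), then flags DriverStartIo and any IRP dispatch pointer that does not fall inside a module the caller lists from "lm". The module ranges are assumptions supplied by the caller, and the list must include the port driver: on XP, atapi.sys is a SCSIPORT miniport whose dispatch and StartIo routines legitimately live in scsiport.sys, so a check of "inside atapi.sys" alone would false-positive on a clean machine.

```python
"""Triage a miniport driver object for a hooked StartIo / IRP dispatch table.

Added example, not code from the thread or from TDSS Remover/TDSSKiller/Razor.
Input is WinDbg text: "dt nt!_DRIVER_OBJECT <addr>" for the fields and
"dps <addr of MajorFunction> L1c" for the 28-entry dispatch table. Both
samples below are constructed (32-bit, XP-era layout) and the addresses are
made up; SAMPLE_MODULES is what the caller would copy from "lm".
"""
import re
from typing import Dict, List, Optional, Tuple

Module = Tuple[str, int, int]  # (name, base, size)

# A few IRP major codes, enough to label the findings.
IRP_MJ_NAMES = {0: "IRP_MJ_CREATE", 2: "IRP_MJ_CLOSE", 3: "IRP_MJ_READ",
                4: "IRP_MJ_WRITE", 14: "IRP_MJ_DEVICE_CONTROL",
                15: "IRP_MJ_INTERNAL_DEVICE_CONTROL", 27: "IRP_MJ_PNP"}

# Constructed "dt nt!_DRIVER_OBJECT" output: StartIo points into nonpaged
# pool rather than into atapi.sys or scsiport.sys.
SAMPLE_DT = """\
   +0x000 Type             : 0n4
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : 0x8a5f1030 _DEVICE_OBJECT
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf7a12000 Void
   +0x010 DriverSize       : 0x17000
   +0x014 DriverSection    : 0x8a6b2c18 Void
   +0x018 DriverExtension  : 0x8a5f10f0 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\\Driver\\atapi"
   +0x028 FastIoDispatch   : (null)
   +0x02c DriverInit       : 0xf7a23d8a     long  atapi!GsDriverEntry+0
   +0x030 DriverStartIo    : 0x8a9c4b1c     void  +0x8a9c4b1c
   +0x034 DriverUnload     : (null)
   +0x038 MajorFunction    : [28] 0xf7a2a4e6     long  SCSIPORT!ScsiPortGlobalDispatch+0
"""

# Constructed "dps" over MajorFunction: all entries go to scsiport except
# IRP_MJ_INTERNAL_DEVICE_CONTROL (index 15, the SCSI request path), which
# has been redirected to pool.
SAMPLE_DPS = "\n".join(
    f"{0x8a5f1088 + 4 * i:08x}  {0x8a9c4c00 if i == 15 else 0xf7a2a4e6:08x}"
    + ("" if i == 15 else " SCSIPORT!ScsiPortGlobalDispatch")
    for i in range(28))

SAMPLE_MODULES: List[Module] = [("atapi", 0xf7a12000, 0x17000),
                                ("SCSIPORT", 0xf7a29000, 0x12000)]

DT_LINE = re.compile(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(.*)$")
HEX_TOKEN = re.compile(r"0x([0-9a-fA-F]+)")
DPS_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+\S.*)?$")


def parse_dt(text: str) -> Dict[str, Optional[int]]:
    """Field name -> first hex value on the line, None for (null) or non-hex."""
    fields: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        hex_match = None if rest.startswith("(null)") else HEX_TOKEN.search(rest)
        fields[name] = int(hex_match.group(1), 16) if hex_match else None
    return fields


def parse_dps(text: str) -> List[int]:
    """Second column of each dps line, i.e. the pointer stored at that slot."""
    return [int(m.group(2), 16) for m in map(DPS_LINE.match, text.splitlines()) if m]


def module_for(ptr: int, modules: List[Module]) -> Optional[str]:
    for name, base, size in modules:
        if base <= ptr < base + size:
            return name
    return None


def check_driver_object(fields: Dict[str, Optional[int]], major_function: List[int],
                        modules: List[Module]) -> List[Dict[str, object]]:
    """Flag StartIo and dispatch pointers that land outside every listed module."""
    findings: List[Dict[str, object]] = []
    start_io = fields.get("DriverStartIo")
    if start_io is not None and module_for(start_io, modules) is None:
        findings.append({"field": "DriverStartIo", "pointer": start_io,
                         "reason": "points outside every known module"})
    for index, ptr in enumerate(major_function):
        if module_for(ptr, modules) is None:
            label = f"MajorFunction[{index}] ({IRP_MJ_NAMES.get(index, 'index ' + str(index))})"
            findings.append({"field": label, "pointer": ptr,
                             "reason": "points outside every known module"})
    return findings


if __name__ == "__main__":
    for f in check_driver_object(parse_dt(SAMPLE_DT), parse_dps(SAMPLE_DPS), SAMPLE_MODULES):
        print(f"{f['field']}: 0x{f['pointer']:08x} {f['reason']}")
```

A clean atapi on XP has DriverStartIo and the whole MajorFunction table inside scsiport.sys, so the output is empty; on an infected box the StartIo entry is the first thing that lights up, which is the single check EP_X0FF attributes to Tizer and Kaspersky. As he also points out, that is one method of several, and a rootkit that restores the pointer on read or hooks one level down will not show here.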