A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #495  by EP_X0FF
 Tue Mar 30, 2010 3:58 am
Attached you will find TDL3 droppers collected by me during TDL3 hunting from September 2009 till the end of March 2010. Because they are not useful for me any more (since detection/removal methods were developed), I decided to upload them here, because I know very well how hard it sometimes is to obtain rootkit samples.

There may be some duplicate droppers (the same version, but all MD5 stamps are different).
The archive includes old first-generation TDL3 samples, z00clicker samples (including the most recent one) and second-generation TDL3 samples:
  • 3.17
  • 3.20
  • 3.22
  • 3.23
  • 3.24
  • 3.241
  • 3.25
  • 3.26
  • 3.27
  • 3.271
  • 3.272
  • 3.273
maybe more old ones, I simply don't remember.
All samples are dated by the time they were added to my database, not by their release date. The unfiltered database currently contains ~1000 TDL3 droppers (most of them just re-crypts of the 3.2xx version) and I'm doing some cleanup.
 #504  by EP_X0FF
 Wed Mar 31, 2010 6:12 am
Debug (?) version of the TDL3 dropper. It displays detailed information in the debug output while running and creates a debug.txt file on the system disk.

VirusTotal
http://www.virustotal.com/analisis/00b1 ... 1270015651

strings from unpacked dropper
example of debug output
0.00000000 [1168]
0.00000000 [1168] 1168 MainPoint()
0.01503655 [1168]
0.01503655 [1168] 1168 DllMain()
0.01514047 [1168]
0.01514047 [1168] 1168 DNSSERVERS: 93.188.163.54,93.188.166.137
0.01622469 [1168]
0.01622469 [1168] 1168 domain used: conrtours.com
0.01635320 [1168]
0.01635320 [1168] 1168 5.1X320A17432D94E907323E04BE4B602AE2;1;0 to hxxp://conrtours.com/k.php
0.01644008 [1168]
0.01644008 [1168] 1168 crypted
0.03013791 [1168]
0.03013791 [1168] 1168 sended
0.03182974 [1168]
0.03182974 [1168] 1168 driver getted
0.03192193 [1168]
0.03192193 [1168] 1168 C:\WINDOWS\TEMP\00003773.sys
0.10450937 [1168]
0.10450937 [1168] 1168 a=00000001 status=c0000035
0.10460603 [1168]
0.10460603 [1168] 1168 tumbao
0.10468537 [1168]
0.10468537 [1168] 1168 starting with netfred
0.10549860 [1168]
0.10549860 [1168] 1168 explorer.exe pid = 1112
0.10561007 [1168]
0.10561007 [1168] 1168 Impresonate as explorer ok (1)
0.11130102 [1168]
0.11130102 [1168] 1168 DllMain() end
 #509  by EP_X0FF
 Thu Apr 01, 2010 4:35 am
Malware using the TDL3 system load scheme (spooler).
GetPrintProcessorDirectoryA
DeletePrintProcessorA
AddPrintProcessorA
WINSPOOL.DRV
http://www.virustotal.com/analisis/ab98 ... 1270096094

Uses beep.sys to load itself.

Dump from unpacked dropper
file.bat
%windir%\
:try
del "
if exist "
" goto try
del %0
GROM
\\?\globalroot\systemroot\system32\drivers\beep.backup
\\?\globalroot\systemroot\system32\drivers\beep.sys
beep
Hooks NtCreateFile and NtQueryDirectoryFile in the SSDT.

Payload code dump
Recovered driver and dropper itself
 #539  by ThatReallyFatDude
 Sat Apr 03, 2010 12:22 pm
Caught this one today - less than 24h old:
http://www.virustotal.com/analisis/65c0 ... 1270297084

Config:
[main]
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
version=3.273
botid=f2274ee7-2fce-4ec8-bd52-351b9d5eb795
affid=20376
subid=0
installdate=3.4.2010 11:58:23
builddate=2.4.2010 21:29:8
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://91.212 ... n4cx00.cc/
wspservers=http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/
popupservers=http://clkh71yhks66.com/
version=3.741
delay=7200
clkservers=http://clkmfd001.ws/
[tasks]
tdlcmd.dll=https://91.212.226.66/4MwsS9PAz2x+
Attachments
Password: infected
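An added example, not code from the post or from the rootkit: a small reader for the config.ini layout shown above that pulls the server lists and their hosts out for blocklisting and compares the dropper and tdlcmd.dll versions. The sample config is constructed from the posted values; the URLs the post shows truncated are replaced with ".invalid" placeholder hosts.

```python
"""TDL3 config.ini reader for the layout in the post above. Added example, not
the rootkit's or the poster's code; SAMPLE_CONFIG is constructed from the posted
values, with the post's truncated URLs replaced by '.invalid' placeholder hosts."""
from urllib.parse import urlparse

SAMPLE_CONFIG = """[main]
version=3.273
botid=f2274ee7-2fce-4ec8-bd52-351b9d5eb795
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://c2-b.invalid/
wspservers=http://30xc1cjh91.com/;http://wsp-b.invalid/
popupservers=http://clkh71yhks66.com/
version=3.741
delay=7200
clkservers=http://clkmfd001.ws/
[tasks]
tdlcmd.dll=https://91.212.226.66/4MwsS9PAz2x+
"""

def parse_tdl3_config(text):
    """Hand-rolled reader: configparser would reject the '*' key and try
    '%' interpolation; the format has no comments or quoting to honour."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # task URLs may contain '='
            cfg[section][key.strip()] = value.strip()
    return cfg

def server_lists(cfg):
    """Each '*servers' key in [tdlcmd] is a ';'-separated list of URLs."""
    return {k: [u for u in v.split(";") if u]
            for k, v in cfg.get("tdlcmd", {}).items() if k.endswith("servers")}

def c2_hosts(cfg):
    """Unique hosts from the server lists and [tasks] URLs, for blocklisting."""
    urls = [u for lst in server_lists(cfg).values() for u in lst]
    urls += list(cfg.get("tasks", {}).values())
    return sorted({h for h in (urlparse(u).hostname for u in urls) if h})

def component_versions(cfg):
    """(dropper, tdlcmd.dll) versions: the post shows 3.273 against 3.741."""
    return cfg["main"].get("version"), cfg["tdlcmd"].get("version")
```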
 #540  by EP_X0FF
 Sat Apr 03, 2010 12:26 pm
Hello,

Actually it is not a new tdlcmd.dll.

There are two versions of tdlcmd.dll available at the same time. They differ by server list and IPs:
3.74 & 3.741


Regards.
 #544  by EP_X0FF
 Sat Apr 03, 2010 3:31 pm
Hello,

If you mean this http://www.kernelmode.info/forum/viewto ... p=509#p509 then it is obviously a copy-paste clone of the TDL3 loading part.
The rootkit driver is named AtapiDrv.sys and can be easily cleaned from the system even with very old antirootkits.
AVs should also be able to remove this even without SSDT unhooking.

And actually TDL3 does not replace the miniport driver, it infects it :)

Regards.
 #546  by EP_X0FF
 Sat Apr 03, 2010 6:30 pm
This is not TDL3. You need to remove this rootkit. Simply eradicate the rootkit driver (anyhow).