A forum for reverse engineering, OS internals and malware analysis 

Rootkit TDL 3 (alias TDSS, Alureon.CT, Olmarik)

Forum for analysis and discussion about malware.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #1967  by EP_X0FF
 Sat Aug 14, 2010 5:22 am
Long time nothing new from TDL.

Sample from 13 August.

http://www.virustotal.com/file-scan/rep ... 1281763265

edit:

Did somebody tried TDL against Symantec (Norton Internet Security 2010)?

From what I see it is unable to detect active rootkit and totally miss rootkit installation.
Attachments
pass: malware
(82.65 KiB) Downloaded 89 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #1982  by Quads
 Sat Aug 14, 2010 8:56 pm
Not sure about the newest infected drivers

But I remember back when TDL3 infected the disk controller "atapi.sys" or the others, Norton could detect "atapi.sys" was infected with "Backdoor.Tidserv!inf" or "Backdoor.Tidserv" but told the user that a PC reboot was required, OH BOY. Turned out that Norton was deleteing the driver on the restart and Windows would not startup, instead having a BSOD.

Symantec after some pushing awhile ago privately they spent time going through the definitions and corrected the problem, Now Norton should not be deleting the driver involved but instead state "Manual Removal Required" as Norton can not swap, disinfect or cure the drivers.

As for the newest releases of TDL3 unsure, but one symptom of an active infection is that Intrusion Prevention detects and blocks the web addresses that are attempted to be reached as "HTTP(S).Tidserv Download Request", approx. 4 or 5 detection names are available.

Norton Power Eraser (NPE) can detect the driver,

Quads

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2051  by DiskOgre
 Wed Aug 18, 2010 5:31 pm
Hey Guys,

TDL3 has me intrigued! And I've seen some new C&C domains being floated-around...

How do you guys get access to the config file, DLLs, etc., when all of that is in the small, encrypted partition at the end of the disk? I've tried to get the info on several infected systems, both while running and with the system off, and I can't see them or extract them so far...

Gracias.

- D.O.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2064  by EP_X0FF
 Thu Aug 19, 2010 5:13 am
Guys, seems to be have a new variant of TDL3 ITW :)
How do you guys get access to the config file, DLLs, etc., when all of that is in the small, encrypted partition at the end of the disk? I've tried to get the info on several infected systems, both while running and with the system off, and I can't see them or extract them so far...
With help of internal forensic tools or with debugger (you need to read this topic fully to understand how exactly).

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2065  by SecConnex
 Thu Aug 19, 2010 5:29 am
Indeed. ComboFix has captured the infection from recent sample, and deleted it, but did not get it all disinfected.

c:\documents and settings\HMOS\Application Data\install.dat
c:\documents and settings\HMOS\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}
c:\documents and settings\HMOS\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome.manifest
c:\documents and settings\HMOS\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\_cfg.js
c:\documents and settings\HMOS\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\chrome\content\overlay.xul
c:\documents and settings\HMOS\Local Settings\Application Data\{6BBAA482-5D0E-4771-814E-21BCDAAB341E}\install.rdf
c:\documents and settings\HMOS\Local Settings\Application Data\Windows Server
c:\documents and settings\HMOS\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\All Users\Application Data\hpe3A.dll
c:\documents and settings\Ezana\Application Data\install.dat
c:\documents and settings\Sabah\Application Data\install.dat
C:\install.exe
c:\program files\iWin\tbiWi1.dll
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\drivers\edparwo.sys
c:\windows\system32\Thumbs.db

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected


==============================


I italicized the changes from the previous TDL3 version and this version.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2074  by EP_X0FF
 Thu Aug 19, 2010 2:28 pm
We have few new different tdl's info. One of it - modified 3.273, with new tdlcmd.dll and heavy modified config, second one looks more promising. Could be something that can be called TDL4 (if it is not a just copy-past) :)

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2090  by SecConnex
 Thu Aug 19, 2010 7:12 pm
I doubt we are dealing with TDL4 yet. (I think some of you talk about it like it is supposed to be an Armageddon of malware or something). You will know when TDL4 has arrived.

The fact that EP_XOFF stated only seeing 3.273 and new TDLCMD, I think it is a bit early to start calling out TDL4.

I really think the release of TDL4, if it will exist, will be in October/November, not at this point, though.
  • 1
  • 30
  • 31
  • 32
  • 33
  • 34
  • 40
 Return to “Malware”