A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2229  by Elite
 Tue Aug 24, 2010 7:18 am
Can't wait to see how they go about infecting the x64 machine in the first place and writing the malicious loader to the MBR.

I guess after that it's pretty simple bootkit stuff to inject the x64 driver into kernel at boot, or do some patching to allow it to load "normally".

Time for RkU x64 era too. :lol:
 #2231  by EP_X0FF
 Tue Aug 24, 2010 7:25 am
I guess after that it's pretty simple bootkit stuff to inject the x64 driver into kernel at boot, or do some patching to allow it to load "normally".
Well aside from ldr32/ldr64 this tdl variant also has ldr16, probably used during bootkit work.
Unfortunately no droppers currently available.
 #2236  by Meriadoc
 Tue Aug 24, 2010 8:37 am
Whoever it is we are at a prominent time in rootkit development.
 #2238  by PX5
 Tue Aug 24, 2010 9:07 am
Any telltale signs of the infection when present? I've had a series of infections where only one sector of the MBR seems affected, usually only sector 5, but sometimes sectors 1 or 2 may appear as affected.
 #2239  by EP_X0FF
 Tue Aug 24, 2010 9:16 am
Thanks to a_d_13 we have memory and TDL FS dumps from infected machines. From preliminary analysis it infects the MBR and hides the changes (keeps the original MBR code on its own fs). Memory forensic analysis will detect it, as will a kernel debugger. x64 drivers are adapted versions of the x32 tdl code. Basic detection suggestions will be the same as in the case of x32 TDL3: it still injects a dll, it still uses several hardcoded mutex names, waitable timers and a load image notify callback with the routine address inside nowhere (outside visible drivers). How well it is hiding MBR changes is hard to say without the actual dropper. I'm mostly interested in the way it infected it.
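One of the detection points EP_X0FF lists above is a notify callback whose routine address lies outside every visible driver. The following is an added example (not code from the thread or from any named tool) of that check: given a module list and the registered callback addresses as a memory-forensics tool would report them, it flags the callbacks that no loaded module owns. The module ranges and callback addresses are constructed sample data.

```python
# Added example (not from the thread): flag notify-callback routine addresses
# that fall outside every loaded kernel module, the "routine address inside
# nowhere" symptom described in the post. Module list and callback addresses
# below are constructed sample data, not real dump output.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        # Half-open image range [base, base + size)
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[KernelModule]) -> Optional[KernelModule]:
    """Return the module whose image range covers addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def find_orphan_callbacks(
    callbacks: List[Tuple[str, int]], modules: List[KernelModule]
) -> List[Tuple[str, int]]:
    """Return (kind, address) pairs for callbacks pointing outside all visible modules."""
    return [(kind, addr) for kind, addr in callbacks if owner_of(addr, modules) is None]


# Constructed sample: a few x64 kernel modules with plausible-looking ranges.
SAMPLE_MODULES = [
    KernelModule("ntoskrnl.exe", 0xFFFFF80002800000, 0x5E7000),
    KernelModule("hal.dll", 0xFFFFF80002DE7000, 0x049000),
    KernelModule("ndis.sys", 0xFFFFF88001400000, 0x0F2000),
]

# Constructed sample: registered callbacks as a forensic tool might list them.
SAMPLE_CALLBACKS = [
    ("LoadImageNotify", 0xFFFFF80002A01230),      # inside ntoskrnl.exe: normal
    ("LoadImageNotify", 0xFFFFF8A000123456),      # no owning module: suspicious
    ("CreateProcessNotify", 0xFFFFF88001412340),  # inside ndis.sys: normal
]

if __name__ == "__main__":
    for kind, addr in find_orphan_callbacks(SAMPLE_CALLBACKS, SAMPLE_MODULES):
        print(f"suspicious {kind} callback at {addr:#018x}: no owning module")
```

In a real investigation the module list comes from the loaded-module list of the memory image and the callback addresses from the kernel's notify-routine arrays; a hit here only says "not backed by a visible image", which is the cue to look at the pool allocation the address points into.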
 #2240  by PX5
 Tue Aug 24, 2010 10:03 am
Code:
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=22a4b42c-3e5d-4ac6-bc90-5979207c3210
affid=30018
subid=1
installdate=23.8.2010 19:34:48
builddate=20.8.2010 20:54:45
rnd=796845957
knt=1282592859
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wspservers=http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/
popupservers=http://cri71ki813ck.com/
version=3.941
bsh=065c5117a14fcd61d1a83d958b9fe8da3d598f5e
delay=7200
clkservers=http://lkckclckl1i1i.com/


Well at least they have a sense of humor :lol:
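The config PX5 pasted is a plain INI-style file, and the useful defender output from it is the list of C2, wsp, popup and clk hosts. This added example (not code from the thread) parses that layout with the standard library and pulls the hostnames out for a blocklist; SAMPLE_CONFIG is a constructed, shortened stand-in with placeholder hostnames, and the same function works unchanged on the real config above.

```python
# Added example (not from the thread): parse a TDL-style INI config and extract
# the server hostnames a defender would block. SAMPLE_CONFIG is constructed with
# placeholder hosts; the layout mirrors the config pasted in the post.

import configparser
from typing import Dict, List
from urllib.parse import urlparse

SAMPLE_CONFIG = """\
[main]
version=3.273
botid=00000000-0000-0000-0000-000000000000
affid=30018
subid=1
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://c2-one.example/;https://192.0.2.10/;https://c2-two.example
wspservers=http://ads-one.example/;http://ads-two.example/
popupservers=http://popup.example/
version=3.941
delay=7200
"""

# Keys in [tdlcmd] whose values are ';'-separated URL lists.
SERVER_KEYS = ("servers", "wspservers", "popupservers", "clkservers")


def parse_tdl_config(text: str) -> configparser.ConfigParser:
    """Parse the INI-like config; interpolation is off so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp


def extract_hosts(text: str) -> Dict[str, List[str]]:
    """Map each server-list key to its hostnames, in order, de-duplicated."""
    cp = parse_tdl_config(text)
    out: Dict[str, List[str]] = {}
    if "tdlcmd" not in cp:
        return out
    for key in SERVER_KEYS:
        if key not in cp["tdlcmd"]:
            continue
        hosts: List[str] = []
        for url in cp["tdlcmd"][key].split(";"):
            url = url.strip()
            if not url:
                continue
            host = urlparse(url).hostname
            if host and host not in hosts:
                hosts.append(host)
        out[key] = hosts
    return out


def all_hosts(text: str) -> List[str]:
    """Flattened, sorted unique host list suitable for a blocklist."""
    return sorted({h for hosts in extract_hosts(text).values() for h in hosts})


if __name__ == "__main__":
    for key, hosts in extract_hosts(SAMPLE_CONFIG).items():
        print(f"{key}: {', '.join(hosts)}")
```

The botid line is the one value in the file that identifies a single infected host rather than the campaign, so it is the one to strip before sharing a config externally; the affid/subid pair identifies the affiliate and is what ties separate configs to the same distributor.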
 #2245  by rossetoecioccolato
 Tue Aug 24, 2010 2:09 pm
it still injects dll, it's still uses several hardcoded mutex names, waitable timers and load image notify callback with routine address inside nowhere (outside visible drivers).
It is starting to sound like the s.o.s. Is the memory image available? It would be of interest to me.