A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9847  by EP_X0FF
 Wed Nov 23, 2011 7:46 am
NarfBang wrote:Hey all,
Does anyone have a family tree of TDSS and its progeny?
I'm interested in the timelines and history of how this family is evolving.
Cheers if ya want to move this post to a different thread.
afair, dates of course not 100% correct

TDSS (TDL1), May-July 2008
TDL2 Apr-May 2009, gets generally updated twice
Pragma TDL2 mods from summer 2009, till maybe the fall of 2010
TDL3 end of Aug, Sept 2009, gets update after 2 months, then updates every months until end of April 2010.
z00clicker split of TDL3 - somewhere in the end-beginning of 2010
TDL4 - end of July 2010, gets update in Aug and Sept of the same year.
MaxSS (Pragma TDL3 mod) - end-beginning of 2011
MaxSS (Pragma TDL4 mod) - somewhere in the beginning of summer 2011, some sort of test launch
MaxSS (Pragma TDL4 mod + VBR) - Aug 2011, updated in October
 #9910  by EP_X0FF
 Fri Nov 25, 2011 1:56 pm
HackJack wrote:new installer for Rootkit.SST.b
Here is the config and decrypted resources from dropper.
[SCRIPT_SIGNATURE_CHECK]

[kit_hash_begin]
100000
[kit_hash_end]

[kit64_hash_begin]
100000
[kit64_hash_end]

[cmd_dll_hash_begin]
100000
[cmd_dll_hash_end]

[cmd_dll64_hash_begin]
100000
[cmd_dll64_hash_end]

[servers_begin]
hxxp://sunderlabic.com/cat/v3
hxxp://stargatemin.com/cat/v3
hxxp://open-932978.com/cat/v3
hxxp://hopkinfacult.com/cat/v3
hxxp://dompetecurl.com/cat/v3
[servers_end]

[modules_begin]
bbr232|100015
serf332|100030
[modules_end]

[modules64_begin]
serf364|100030
bbr264|100015
[modules64_end]

[injects_begin]
cmd32|svchost.exe,
[injects_end]

[injects_begin_64]
cmd32|svchost.exe,
cmd64|svchost.exe,
bbr232|iexplore.exe,explorer.exe,firefox.exe,safari.exe,chrome.exe,opera.exe,WebKit2WebProce,WebKit2WebProc,
bbr264|iexplore.exe,explorer.exe,firefox.exe,safari.exe,chrome.exe,opera.exe,WebKit2WebProce,WebKit2WebProc,
serf332|iexplore.exe,explorer.exe,ieuser.exe,
serf364|iexplore.exe,explorer.exe,ieuser.exe,
[injects_end_64]

[block_by_crc_begin]
2319090
1377285
1358012
1402047
1178976
1219939
1233377
1355247
1394702
1371304
7065345
10454367
11020797
1454051
1563203
1422898
1966285
1492854
1469591
1411944
1449167
1446295
1437356
1396682
1415008
1413143
1570237
1459789
1438019
1389482
1446840
1376301
1609283
1602092
6527308
1420090
1609787
1606318
1460103
1421835
1626431
1422756
1495286
1450307
1606001
1559749
1577148
1462324
1602084
1394702
1562615
1568096
1570672
1560044
1566626
1433161
1581575
1492446
1597675
1430267
1567436
[block_by_crc_end]

[crc_begin]
645710
1110560
53571
103475
267156
133776
74366
4213081836
4012962617
339533577
820333846
1237135839
2619140643
635755395
1084636732
168058888
3997900220
972101418
1997303488
2043050407
1410727764
1360607466
3264581999
3584516421
1160809628
665538150
2361482463
4267483940
1623533333
2570953230
796389970
344921315
750006651
1092572581
2381913409
797654280
468590801
2049471588
2432572148
3305834765
626336804
2341351732
1547311532
2015336217
3319889045
2875729805
680805574
919866743
3931323967
138235900
1931611448
903354224
3728285991
[crc_end]

[mods_hosts_begin]
[mods_hosts_end]

[jpeg_begin]
hxxp://Laheyutizu.livejournal.com/|l6Rl0JtinHxSSY50nzCy
hxxp://xykojotas.wordpress.com/|nel+q6Ym+XUqdKN37zGn
hxxp://Ursalupiwu.livejournal.com/|tcd1rIM072wRart11Sjn
hxxp://bopowojo.wordpress.com/|l8RB/+sj5VoEHZQjzjPm
[jpeg_end]
[SCRIPT_SIGNATURE_CHECK_END]
drv32, drv64, ldr32, ldr64, kdcom32, kdcom64, cmd32, cmd64, mbr, vbr in attach
Attachments
pass: malware
(87.81 KiB) Downloaded 156 times
 #11313  by Neurofunk
 Fri Jan 27, 2012 10:46 pm
Sorry to bump an old thread but it looks like SST is making the rounds again. Has been a while since i've seen it on a machine.

MD5: 349c3a56b306ab867ce5d25921581e00
Detection ratio: 11 / 42
https://www.virustotal.com/file/f88aed4 ... /analysis/
Attachments
Password: infected
(288.37 KiB) Downloaded 171 times
 #15914  by erikloman
 Sun Oct 07, 2012 7:03 pm
SST.C is infecting VBR (also MBR but we already knew about SST MBR) ...

Please find attached an infected VBR and a screenshot (query output) of a very small portion of the SST.C VBRs in our cloud (format: $VBR_<sector>).

SST.C dropper is doing a good job at staying under the radar.

Anyone has a dropper to share? I am confident it uses a new trick to deploy itself as SST.C is going around for months and by my knowledge no one knows how this thing is being deployed. I'm pretty sure this is the TDL4 variant that Damballa was talking about here.

EDIT: Just wrote a small blog post here. SST is most prevalent.
Attachments
VBR.png
VBR.png (19.26 KiB) Viewed 777 times
Password: infected
(5.47 KiB) Downloaded 96 times
 #15927  by EP_X0FF
 Tue Oct 09, 2012 6:10 am
This is Alureon.FV. Dropper is about 600 KB in size (one of this https://www.virustotal.com/file/2074b98 ... /analysis/). Nothing impressive. It took half of the year for current support team to adopt and integrate VBR infection. Lack of ideas obviously.
 #15935  by Cody Johnston
 Wed Oct 10, 2012 3:39 am
I would be interested in that as well. In my line of work, I come across SST.C and Pihar.C more often now than ZeroAccess. From the research standpoint, it may not be interesting, but it is very prevalent in the wild at the moment. Thanks in advance for any help!! :)
  • 1
  • 5
  • 6
  • 7
  • 8
  • 9
  • 15