A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2846  by Jaxryley
 Thu Sep 23, 2010 8:38 am
Another sample and droppers:

setup2310027.exe - Symantec - W32.Koobface - MD5 : 8e0ffd7580be8bcd039958f7df5cd7f4
http://www.virustotal.com/file-scan/rep ... 1285230073

Dropped:
dg[1].exe - 9/43 (20.9%) - Trojan.Alureon.Gen!Pac.18 - MD5 : ee22d95d2bc29a796d130c0fa1b22d2a
http://www.virustotal.com/file-scan/rep ... 1285229947

swe.sys - 2/43 - Jiangmin - Rootkit.Koobface.bp ? - MD5 : 5c02175de191a7fac64bbb77b62637c7
http://www.virustotal.com/file-scan/rep ... 1285230208

Several other droppers included:
(1.4 MiB) Downloaded 98 times
 #2848  by nullptr
 Thu Sep 23, 2010 9:11 am
dg[1].exe
[main]
version=3.273
quote=You people voted for Hubert Humphrey, and you killed Jesus
botid=
affid=
subid=0
installdate=23.9.2010 9:0:3
builddate=23.9.2010 8:0:3
rnd=1757981266
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.962
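The dump above is the INI-style configuration the TDL4 dropper carries (dropper metadata under [main], the module it injects under [injector], and its server lists under [tdlcmd]). The following is an added example, not nullptr's code, that parses such a dump and pulls the hostnames out of the three server lists so they can be fed to DNS or firewall blocklists; the config text is the one posted above (already defanged as hxxp/hxxps), and the key names it reads are exactly those in the dump.

```python
"""Parse a TDL4 'tdlcmd' configuration dump and extract its C&C indicators.

Added example for this thread; it is not code from the poster. The config text
below is the dump from the post; the hostnames in it are defanged (hxxp/hxxps).
"""
from __future__ import annotations

import configparser
import ipaddress
import re
from urllib.parse import urlparse

TDL4_CONFIG = """\
[main]
version=3.273
quote=You people voted for Hubert Humphrey, and you killed Jesus
botid=
affid=
subid=0
installdate=23.9.2010 9:0:3
builddate=23.9.2010 8:0:3
rnd=1757981266
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.962
"""

SERVER_KEYS = ("servers", "wspservers", "popupservers")


def parse_tdl_config(text: str) -> configparser.ConfigParser:
    """Read the INI-style dump. Interpolation is off because the values are untrusted
    strings, and optionxform keeps keys verbatim (the [injector] key is literally '*')."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def refang(url: str) -> str:
    """Turn the defanged hxxp/hxxps scheme back into http/https so urlparse can split it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def split_hosts(value: str) -> list[str]:
    """The config separates server URLs with ';'. Return the host part of each entry."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host = urlparse(refang(entry)).hostname
        if host:
            hosts.append(host)
    return hosts


def extract_servers(cp: configparser.ConfigParser) -> dict[str, list[str]]:
    """Map each server list in [tdlcmd] to its hostnames."""
    return {key: split_hosts(cp.get("tdlcmd", key, fallback="")) for key in SERVER_KEYS}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(text: str) -> dict:
    """Compact IoC summary: injected module, versions, and the hosts split into
    domains (block at DNS) and raw IPs (block at the firewall)."""
    cp = parse_tdl_config(text)
    servers = extract_servers(cp)
    every_host = sorted({h for hosts in servers.values() for h in hosts})
    return {
        "injected_module": cp.get("injector", "*", fallback=None),
        "dropper_version": cp.get("main", "version", fallback=None),
        "tdlcmd_version": cp.get("tdlcmd", "version", fallback=None),
        "servers": servers,
        "domains": [h for h in every_host if not is_ip_literal(h)],
        "ip_literals": [h for h in every_host if is_ip_literal(h)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(TDL4_CONFIG), indent=2))
```

Keeping the three lists separate matters: [tdlcmd] distinguishes the command servers from the search-hijack (wsp) and popup servers, and an analyst comparing dumps across versions wants to see which list changed.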
 #2852  by xfoo()
 Thu Sep 23, 2010 3:57 pm
Krzywy wrote:
xfoo() wrote: main change is the injected code by apc,
Injection by APC in WorkItem was in previous versions.
OK, I've eaten "in"; it should be
main change is IN the injected code by APC,
but you should deduce the right meaning from the other message, never mind.

BTW
Generally it's quite strange that we noticed just a few samples of tdl4:
version 0.01 (middle of July), without x64 code (one dropper),
0.02 fully workable (just a few droppers),
0.03 with changed infector (driver too), also a few samples.
I remember tdl3 beginnings, there were hundreds of repacked droppers.

Are they testing something, or what?
Maybe detection rate is really poor.
 #2853  by Meriadoc
 Thu Sep 23, 2010 4:00 pm
Proland Software have removal tools but I haven't tried them. Don't quite know how Proland stack up these days; they have a VB award and are listed on Microsoft pages as a recommended AV. -

http://www.pspl.com/download/cleantdss.htm
cleantdss

http://www.pspl.com/download/utility.htm
Last edited by Meriadoc on Thu Sep 23, 2010 4:18 pm, edited 1 time in total.
 #2868  by kiskav
 Sat Sep 25, 2010 3:03 am
Fabian Wosar wrote:According to some forum posts (look here for example http://www.kernelmode.info/forum/viewto ... 2582#p2582) TDL-3 is going to be discontinued. That would explain the small number of variants published.
I did read that before when EP posted it. If I am correct, Dogma Millions was the site which ran this pay-per-install campaign for TDL3. Until a few months ago, I was able to see at least the homepage of Dogma-millions. Now the site is not there - probably shut down as they closed the campaign, or for other reasons.

So, where does this TDL4 flow in from? Does anyone have info about this new variant (so-called TDL4 by Kaspersky)?
 #2869  by PX5
 Sat Sep 25, 2010 10:03 am
So I heard through the chatter-box grapevine that no one here could reproduce the TDL3 DNS hijack to the router... Thanks to Ades' sample from last week, which I just got around to running, inside a VM nonetheless, I wish to show you why people should not do crack!


No. Time Source Destination Protocol Info
29 262.900713 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
30 262.911011 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
31 262.911635 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
32 262.911986 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
33 262.912325 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
34 262.912646 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
35 262.912961 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
36 262.913251 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
37 265.911602 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
38 265.911982 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
39 265.912432 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
40 265.912758 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
41 265.913198 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
42 265.913624 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
43 265.913969 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
44 265.914263 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
45 268.912466 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
46 268.913029 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
47 268.913460 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
48 268.913827 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
49 268.914183 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
50 268.914518 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
51 268.915200 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
52 268.915597 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
60 322.924984 192.168.239.129 lb1.www.ms.akadns.net HTTP GET / HTTP/1.0
79 336.979825 192.168.239.129 lb1.www.ms.akadns.net HTTP GET / HTTP/1.0
94 427.809128 192.168.239.129 ip-174-142-51-9.static.privatedns.com HTTP POST /nfoc.php HTTP/1.0

Above is TDL3 posting to its C&C

2238 477.174639 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2240 480.170658 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2243 483.173646 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2247 486.194265 192.168.239.129 192.168.239.2 HTTP GET /index.asp HTTP/1.0
2257 486.216580 192.168.239.129 192.168.239.2 HTTP GET /dlink/hwiz.html HTTP/1.0
2267 486.247775 192.168.239.129 192.168.239.2 HTTP GET / HTTP/1.0
2277 486.252723 192.168.239.129 192.168.239.2 HTTP GET /home.asp HTTP/1.0
2287 486.258471 192.168.239.129 192.168.239.2 HTTP GET /wizard.htm HTTP/1.0
2297 486.263769 192.168.239.129 192.168.239.2 HTTP GET /login.asp HTTP/1.0
2307 486.268686 192.168.239.129 192.168.239.2 HTTP GET /cgi/b/users/switchpopup/ HTTP/1.0



Oh my, what's this above? Could it be? Certainly not, since everyone else seems not to be able to reproduce it.

No other malware dropped, no nada, nuttin', kaput!

What you see is what you get. For me, this is on a hardened router, so I'm not worried about the router itself getting jacked.


You all make your own judgement, but previous comments in the thread lead me to believe that the issue is totally PEBKAC.
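The sequence PX5's capture shows, three SSDP M-SEARCH frames from the infected client followed within seconds by a sweep of the gateway's web UI pages, is a usable detection signal on the network. The following is an added example, not PX5's code, that runs that logic over the Wireshark summary lines above: it parses the summary format, keeps M-SEARCH times per source, and flags a source that then requests several admin-looking pages from a private-address web server within a window. The admin-path patterns and the 60-second window are assumptions chosen to match the pages seen in this capture, not a published signature, and the embedded capture is a subset of the frames posted above.

```python
"""Detect the SSDP-discover-then-probe-the-gateway sequence from Wireshark summary lines.

Added example for this thread; not PX5's code. The capture lines below are a subset
of the summary posted above (frame, time, source, destination, protocol, info).
The admin-page patterns and the 60-second window are assumptions chosen to match
the pages seen in that capture, not a vendor-published signature.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

CAPTURE = """\
No. Time Source Destination Protocol Info
29 262.900713 192.168.239.1 239.255.255.250 SSDP NOTIFY * HTTP/1.1
30 262.911011 fe80::744c:a02f:85bb:3c84 ff02::c SSDP NOTIFY * HTTP/1.1
60 322.924984 192.168.239.129 lb1.www.ms.akadns.net HTTP GET / HTTP/1.0
94 427.809128 192.168.239.129 ip-174-142-51-9.static.privatedns.com HTTP POST /nfoc.php HTTP/1.0
2238 477.174639 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2240 480.170658 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2243 483.173646 192.168.239.129 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
2247 486.194265 192.168.239.129 192.168.239.2 HTTP GET /index.asp HTTP/1.0
2257 486.216580 192.168.239.129 192.168.239.2 HTTP GET /dlink/hwiz.html HTTP/1.0
2267 486.247775 192.168.239.129 192.168.239.2 HTTP GET / HTTP/1.0
2277 486.252723 192.168.239.129 192.168.239.2 HTTP GET /home.asp HTTP/1.0
2287 486.258471 192.168.239.129 192.168.239.2 HTTP GET /wizard.htm HTTP/1.0
2297 486.263769 192.168.239.129 192.168.239.2 HTTP GET /login.asp HTTP/1.0
2307 486.268686 192.168.239.129 192.168.239.2 HTTP GET /cgi/b/users/switchpopup/ HTTP/1.0
"""

# Paths a router's web UI typically serves; the set is taken from the pages seen above (assumption).
ADMIN_PATH = re.compile(r"^/$|^/cgi/|/(index|login|home)\.asp$|/wizard\.htm$|/hwiz\.html$")


def parse_summary(text):
    """Split Wireshark summary lines into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        no, t, src, dst, proto, info = parts
        try:
            rows.append({"no": int(no), "time": float(t), "src": src,
                         "dst": dst, "proto": proto, "info": info})
        except ValueError:
            continue  # the 'No. Time ...' header line lands here
    return rows


def is_private_ip(addr):
    """True for private/link-local addresses; resolved hostnames are not IPs and return False."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def http_path(info):
    m = re.match(r"(?:GET|POST)\s+(\S+)", info)
    return m.group(1) if m else None


def find_gateway_probes(rows, window=60.0, min_paths=3):
    """Flag a source that sends SSDP M-SEARCH and, within `window` seconds, requests at
    least `min_paths` distinct admin-looking pages from a private-address web server."""
    msearch_times = defaultdict(list)
    paths = defaultdict(set)
    first_frame = {}
    for r in rows:
        if r["proto"] == "SSDP" and r["info"].startswith("M-SEARCH"):
            msearch_times[r["src"]].append(r["time"])
            continue
        if r["proto"] != "HTTP" or not is_private_ip(r["dst"]):
            continue
        path = http_path(r["info"])
        if path is None or not ADMIN_PATH.search(path):
            continue
        if not any(0 <= r["time"] - t <= window for t in msearch_times[r["src"]]):
            continue
        key = (r["src"], r["dst"])
        paths[key].add(path)
        first_frame.setdefault(key, r["no"])
    return [
        {"src": src, "gateway": gw, "first_frame": first_frame[(src, gw)], "paths": sorted(p)}
        for (src, gw), p in paths.items() if len(p) >= min_paths
    ]


if __name__ == "__main__":
    for alert in find_gateway_probes(parse_summary(CAPTURE)):
        print(f"{alert['src']} swept {alert['gateway']} starting at frame "
              f"{alert['first_frame']}: {', '.join(alert['paths'])}")
```

The external C&C traffic (the GETs to akadns and the POST to /nfoc.php) is deliberately ignored by this rule because its destination is not a private address; a client hitting its own gateway's login and wizard pages right after a UPnP discovery burst is the behaviour worth alerting on, since on an unhardened router it is the step that precedes a DNS change.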
 #2872  by LeastPrivilege
 Sun Sep 26, 2010 3:44 pm
Hello Jaxryley,

I tried this installer without success. MBR was clean, drivers were clean, no search redirects, etc. The only folder it created was a folder in the local temp directory. I received an error from the O/S that the file didn't install correctly. I tried executing the installer several times. This test box was Windows 7 (x86). No security software, no firewalls, no UAC.