A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2342  by Fabian Wosar
 Thu Aug 26, 2010 10:48 am
Looks like EP_X0FF and I had the same idea :). I updated my initial posting with string dumps of the 32-bit and 64-bit unpacked DLL, the content of the cfg.ini and a dump of all files from the encrypted file system. All string dumps were obtained from an infected Windows 7 x64 machine, which is why the dumps may differ from EP_X0FF's.
 #2343  by EP_X0FF
 Thu Aug 26, 2010 10:51 am
Thanks for update :)

Looks like the rootkit needs some tweaks, the infected test machine now cannot boot :)
 #2344  by Fabian Wosar
 Thu Aug 26, 2010 10:53 am
EP_X0FF wrote: Looks like the rootkit needs some tweaks, the infected test machine now cannot boot :)
That's actually anti-debugging code. If you have kernel mode debugging set up for the machine it will no longer boot after infection. Deactivate kernel mode debugging and use LiveKD for example to debug it. I tripped over the same thing.
 #2345  by EP_X0FF
 Thu Aug 26, 2010 10:55 am
Yes, it was configured to debug boot. Thanks, will "fix" that :)
 #2346  by USForce
 Thu Aug 26, 2010 11:12 am
Not sure, I tried it on both Windows XP SP2 and Windows 7 Ultimate x86 and they both couldn't start at system bootup after the first restart. And they are not running with kernel debugging.
 #2347  by PX5
 Thu Aug 26, 2010 11:26 am
http://www.kernelmode.info/forum/viewto ... f=16&t=287

This is one source of the dropper. I believe I posted some links; the first site was 19 days ago and I'm waiting on the ones who pay me to release permission to share.

First encounter was over 30 days ago, which left me with a machine that couldn't boot afterwards.

The file that is missing from that particular dropper is n.exn, and for sure it's the version everyone is after; trivial to me as I'm just a garbage collector. ;)
 #2348  by bytejammer
 Thu Aug 26, 2010 11:29 am
From the archive posted by EP_X0FF it seems that the rootkit is started from the MBR? Does that mean that a simple FixMbr from the Recovery CD will work to remove it?
 #2350  by EP_X0FF
 Thu Aug 26, 2010 11:31 am
Please, somebody try to kill it with fixmbr, I'm a little busy updating the detector for that stuff :D

btw, IO filtering seems to be the same.
 #2351  by USForce
 Thu Aug 26, 2010 11:33 am
EP_X0FF wrote: Please, somebody try to kill it with fixmbr, I'm a little busy updating the detector for that stuff :D

btw, IO filtering seems to be the same.
Yes, it's the same. They were just inspired by the Whistler bootkit, so they are able to load on both x86/x64 by patching the MBR.
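The posts above come down to one defender's question: is the MBR bootstrap code on a machine still the one it shipped with, or has something like this bootkit overwritten it? The following is an added example (not code from this thread or from any of the posters) showing how to read the first sector from a disk image, split it into bootstrap code, disk signature, partition table and boot signature, and compare a SHA-256 of the bootstrap code against a known-good baseline. The sample MBR bytes and the `CLEAN_BOOT_CODE` / `ALTERED_BOOT_CODE` placeholders are constructed for the demonstration, and the image path in the usage call is hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code occupies bytes 0..439
PARTITION_TABLE_OFF = 446  # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed placeholder contents; a real baseline would be the hash of the
# bootstrap code taken from a known-clean disk or a fresh fixmbr write.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
ALTERED_BOOT_CODE = b"\xeb\x3c\x90" + b"\xcc" * 24


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one bootable NTFS partition (constructed)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44"
    reserved = b"\x00\x00"
    # status, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * 16
    return boot_code + disk_sig + reserved + entry + empty * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into its MBR fields and decode the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start_lba": lba,
                               "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Compare the bootstrap code hash against a baseline and summarise findings."""
    info = parse_mbr(sector)
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    bootable = [p for p in info["partitions"] if p["bootable"]]
    return {
        "signature_ok": info["signature_ok"],
        "boot_code_sha256": digest,
        "matches_baseline": digest == baseline_sha256,
        "partition_count": len(info["partitions"]),
        "bootable_count": len(bootable),
        # A wrong bootstrap hash with an intact partition table is the pattern
        # to escalate: the disk still boots, but not through the original code.
        "suspicious": info["signature_ok"] and digest != baseline_sha256,
    }


def read_first_sector(image_path: str) -> bytes:
    """Read sector 0 from a raw disk image (offline, not from a live disk)."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def baseline_from_clean_sector(sector: bytes) -> str:
    """Derive the baseline hash from a sector known to be clean."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = baseline_from_clean_sector(clean)
    # Hypothetical path to an image acquired from the suspect machine.
    # sector = read_first_sector("/evidence/suspect.dd")
    sector = build_sample_mbr(ALTERED_BOOT_CODE)   # constructed stand-in
    for key, value in check_mbr(sector, baseline).items():
        print(f"{key}: {value}")
```

Because the partition table and disk signature live in the same sector, a clean rewrite of the bootstrap code (which is what fixmbr does) must leave bytes 440 onward untouched; running `check_mbr` before and after with the same baseline shows whether the bootstrap code was restored without disturbing the partition entries.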