A forum for reverse engineering, OS internals and malware analysis 

 #1447  by EP_X0FF
 Wed Jul 07, 2010 6:18 pm
DragonMaster Jay wrote:I do have some belief that TDL authors have some connection to a certain rogue AV family.
"Malware Defense" and its title clones? :) TDL is a universal kit; as a downloader it can download almost every piece of malware from known families. For example, not so long ago it was serving as the downloader and installer for Trojan Winlock (Ransom). And some FakeAVs can download TDL3 as "updates".
 #1449  by Elite
 Thu Jul 08, 2010 9:27 pm
Grabbed new MSE 1963 build the other day and freshly installed XP Pro w/ SP3 and all updates on an Oracle VirtualBox VM.

I grabbed a fresh TDL3+ dropper and infected the machine. TDL3+ must've been updated, because the behavior of MSE was unexpected. The dropper wasn't detected at the time by MSE (thanks to rapid repacking!). TDL3 stops MSE from updating (probably by blacklisting). During a scan with MSE, the "kernel scan" section of the scan finds the infected driver (netbt.sys in my case) in memory, but fails at removal even after multiple reboots.

Had to resort to other methods for removal.
MSE removal was fun while it lasted...
 #1450  by SecConnex
 Fri Jul 09, 2010 2:12 am
MSE is too "soft" for me. It needs to have rougher removal skills.

Not to compare it to any other AV, but Kaspersky looks tough and is tough. I think MSE should do the same. Look tough and be tough.
 #1453  by EP_X0FF
 Fri Jul 09, 2010 2:05 pm
Yes it's fresh, but nothing new.
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=x
affid=20694
subid=0
installdate=9.7.2010 14:1:41
builddate=9.7.2010 13:9:46
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://19js810300z.com/;https://lj1i16 ... n4cx00.cc/
wspservers=http://zl00zxcv1.com/;http://zloozxcv1. ... s6cx0.com/
popupservers=http://clkh71yhks66.com/
version=3.82
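Added example, not part of the thread and not any poster's code: a small Python parser for the ini-style tdlcmd config dump quoted in the post above. It pulls out the affiliate/sub IDs, the build and install timestamps (and the gap between them, a quick measure of how fresh the dropper was), the injector mapping and the three C2 server lists, then reduces the URLs to hostnames for blocklisting. The sample text is the config exactly as posted, with the poster's " ... " elisions left in place, so two of the hostnames come out truncated; the field names and their meanings are taken from the dump itself, and the assumption that the server lists are semicolon-separated is based on the posted values.

```python
import configparser
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: the [main]/[injector]/[tdlcmd] block as posted above,
# including the " ... " elisions from the post (those entries stay truncated).
SAMPLE_CONFIG = """\
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=x
affid=20694
subid=0
installdate=9.7.2010 14:1:41
builddate=9.7.2010 13:9:46
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://19js810300z.com/;https://lj1i16 ... n4cx00.cc/
wspservers=http://zl00zxcv1.com/;http://zloozxcv1. ... s6cx0.com/
popupservers=http://clkh71yhks66.com/
version=3.82
"""


def _ts(value):
    # Dates in the dump are day.month.year with unpadded fields ("9.7.2010 14:1:41").
    return datetime.strptime(value.strip(), "%d.%m.%Y %H:%M:%S")


def _url_list(value):
    # Assumption: server lists are ';'-separated, as in the posted values.
    return [u.strip() for u in value.split(";") if u.strip()]


def parse_tdl_config(text):
    """Parse a tdlcmd-style config dump into a dict of analyst-relevant fields."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case and keep the literal "*" key in [injector]
    cp.read_string(text)

    main, tdl = cp["main"], cp["tdlcmd"]
    built, installed = _ts(main["builddate"]), _ts(main["installdate"])

    return {
        "kit_version": main["version"],
        "tdlcmd_version": tdl["version"],
        "botid": main["botid"],
        "affid": int(main["affid"]),
        "subid": int(main["subid"]),
        "built": built,
        "installed": installed,
        "build_to_install_seconds": int((installed - built).total_seconds()),
        # Which processes get tdlcmd.dll injected ("*" = every process).
        "injected_modules": dict(cp["injector"]),
        "servers": _url_list(tdl["servers"]),
        "wspservers": _url_list(tdl["wspservers"]),
        "popupservers": _url_list(tdl["popupservers"]),
    }


def config_hosts(parsed):
    """Unique hostnames across all server lists, for a blocklist or IOC sheet."""
    hosts = set()
    for key in ("servers", "wspservers", "popupservers"):
        for url in parsed[key]:
            hosts.add(urlsplit(url).netloc)
    return sorted(hosts)


if __name__ == "__main__":
    cfg = parse_tdl_config(SAMPLE_CONFIG)
    print("affid=%d subid=%d kit=%s tdlcmd=%s" % (
        cfg["affid"], cfg["subid"], cfg["kit_version"], cfg["tdlcmd_version"]))
    print("built -> installed: %d seconds" % cfg["build_to_install_seconds"])
    print("hosts:", ", ".join(config_hosts(cfg)))
```

The build-to-install delta for this dump is under an hour, which matches the "fresh" remark above; on a larger set of dumps, affid/subid plus the server hostnames are the fields worth pivoting on.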
 #1459  by EP_X0FF
 Sat Jul 10, 2010 3:11 am
Thread has been emptied from some old samples (March - May 2010).