A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2572  by Jaxryley
 Tue Aug 31, 2010 11:19 pm
fatdcuk wrote:Another novel dropper, tested by proxy over messenger (Danke PX5 ;))

http://www.virustotal.com/file-scan/rep ... 1283281751

This one needs to stew for a bit...
Dropped a temp file with no extension which has the same md5 as loader.exe and a S5e55.dll at the same size but different md5.
.
S5e55.dll - 10/43 - Dr Web - BackDoor.Tdss.4057
http://www.virustotal.com/file-scan/rep ... 1283296248
(193.56 KiB) Downloaded 87 times
 #2573  by PX5
 Wed Sep 01, 2010 12:16 am
Dropped more than just a temp file. ;)
Attachments
ade.JPG
ade.JPG (75.15 KiB) Viewed 473 times
 #2574  by PX5
 Wed Sep 01, 2010 12:27 am
The best detection I saw was for the dropper itself but the rest were pretty pitiful, most were detected by only 4 vendors with the exception of the patched driver.

Enjoy, adding in a collection of infected MBRs, I dont think mine was, it just blew away the Recovery Console and forced me to use a boot cd.

Pretty obvious code for tdl is wide open and different groups are using different methods to accomplish whatever goal they are after.

Very nice catch ade, Ive only seen a small handful of these type installs. :mrgreen:
Attachments
(8.47 KiB) Downloaded 73 times
(334.88 KiB) Downloaded 75 times
 #2580  by PX5
 Wed Sep 01, 2010 12:50 pm
Whats a VM? ;)

All live here, VM/VBox are just for, well, I really dont know why I use them anymore. :?:

I can do a re-run using the same file and produce a capture log that may shed more light on how the infection rolls down for me but I definitly cant do it before I get rid of this frigin hangover! :lol:


Small Edit: My name is Mike or other 4 letter words my wife enjoys using, you dont have to refer to me by PX5, its just a Prevx thing for me. :)
 #2581  by EP_X0FF
 Wed Sep 01, 2010 1:28 pm
4r0 wrote:TDSS x64?..

http://www.virustotal.com/file-scan/rep ... 1283342212
MD5 : 5243c42e5fec39efa9421f41ca42c753
Result:
4/ 43 (9.3%)
Doesn't looks so. Just same dll injection method through spooler. Some sort of downloader.
WININET.dll SHLWAPI.dll RPCRT4.dll imagehlp.dll USERENV.dll ADVAPI32.dll ole32.dll %s%s SeTcbPrivilege explorer.exe InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion d%X%X%X%X winsta0\default .exe %s http://%s/dd.php?i=%s&a=%d&f=%d \x%s.dll spooler InternetConnectA InternetCrackUrlA InternetReadFile HttpOpenRequestA l HttpSendRequestA l InternetOpenA InternetCloseHandle SHGetValueA PathFindFileNameA StrStrIW UuidToStringA RpcStringFreeA 4 CheckSumMappedFile 7 CreateEnvironmentBlock CreateProcessAsUserA OpenProcessToken s GetTokenInformation DuplicateToken PrivilegeCheck LookupPrivilegeValueA OpenServiceA k CloseServiceHandle A StartServiceA QueryServiceStatusEx OpenSCManagerA t CoInitialize CoCreateGuid
http://www.virustotal.com/file-scan/rep ... 1283347323

downloads something named setup.exe from hxxp://noteups.com/ by hxxp://noteups.com/dd.php?i=%s&a=%d&f=%d

http://support.clean-mx.de/clean-mx/vir ... escr%20asc
 #2582  by EP_X0FF
 Wed Sep 01, 2010 1:43 pm
Good bye TDL3 :)

hxxps://damagelab.org/index.php?showtopic=18254&st=20&p=116951&#entry11695

Image
 #2583  by Jaxryley
 Wed Sep 01, 2010 1:51 pm
PX5 wrote:Whats a VM? ;)

All live here, VM/VBox are just for, well, I really dont know why I use them anymore. :?:

I can do a re-run using the same file and produce a capture log that may shed more light on how the infection rolls down for me but I definitly cant do it before I get rid of this frigin hangover! :lol:


Small Edit: My name is Mike or other 4 letter words my wife enjoys using, you dont have to refer to me by PX5, its just a Prevx thing for me. :)
LOL, thanks for the reply Mike. :)

Yep live is really the best way to go.

Sandboxie, Bufferzone, Returnil and VM's etc are OK for some malware samples but a lot are aware of such and won't run or only half run.
  • 1
  • 14
  • 15
  • 16
  • 17
  • 18
  • 60