A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #722  by InsaneKaos
 Wed Apr 14, 2010 10:28 pm
I've tested it over 10 times, for me it works.

FC will reveal it. The script copies all sys-files to Windows\DriversToCheck while you are logged on in RC. Then do the FC stuff against the driver in System32\Drivers while in normal mode. If it finds a difference, it will copy the driver from System32\Drivers to Windows\ and replace it when you reboot again into RC. (The driver in System32\Drivers is infected, but TDL will reflect a clean copy, so you can use it.)
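The normal-mode half of the procedure above, as an added example that is not the poster's batch file: it assumes a snapshot directory (hypothetically DriversToCheck) was filled with copies of the .sys files while booted into the Recovery Console, where the rootkit is not running and the real on-disk bytes are read, and compares each against the same file as the running system presents it. A driver whose bytes differ is staged so its live (clean-looking, rootkit-reflected) copy can be written back over the on-disk file from RC. The three driver names and their contents are constructed for the demo; none is a real infection.

```python
"""Compare an offline driver snapshot against the live view and stage
differing files. Added example, not the script from the post."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Byte-exact digest of a file; equivalent to an FC /B 'no differences'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(snapshot_dir, live_dir):
    """Return {name: status} for every .sys file in snapshot_dir.

    'same'      : snapshot (real on-disk bytes) equals the live view
    'different' : the running system shows something else than the disk holds
    'missing'   : present in the offline snapshot, absent from the live view
    """
    results = {}
    for name in sorted(os.listdir(snapshot_dir)):
        if not name.lower().endswith(".sys"):
            continue
        live = os.path.join(live_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing"
        elif sha256_of(os.path.join(snapshot_dir, name)) == sha256_of(live):
            results[name] = "same"
        else:
            results[name] = "different"
    return results


def stage_replacements(snapshot_dir, live_dir, stage_dir):
    """Copy the live version of each differing driver into stage_dir.

    As the post says, the live view is what the rootkit reflects, i.e. the
    clean image, so that copy is what gets written back from RC.
    """
    os.makedirs(stage_dir, exist_ok=True)
    staged = []
    for name, status in compare_drivers(snapshot_dir, live_dir).items():
        if status == "different":
            shutil.copy2(os.path.join(live_dir, name), os.path.join(stage_dir, name))
            staged.append(name)
    return staged


def demo():
    """Constructed scenario: three drivers, one altered on disk but shown clean."""
    root = tempfile.mkdtemp()
    snap = os.path.join(root, "DriversToCheck")   # assumed RC snapshot
    live = os.path.join(root, "Drivers")          # stands in for System32\Drivers
    stage = os.path.join(root, "Staged")
    os.makedirs(snap)
    os.makedirs(live)
    clean = {  # constructed contents, not real driver images
        "ElbyCDIO.sys": b"MZ clean elbycdio",
        "VboxGuest.sys": b"MZ clean vboxguest",
        "avipbb.sys": b"MZ clean avipbb",
    }
    for name, data in clean.items():
        for d in (snap, live):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
    # The on-disk copy of one driver carries appended code; the live view hides it.
    with open(os.path.join(snap, "VboxGuest.sys"), "ab") as f:
        f.write(b" + appended code (constructed)")
    status = compare_drivers(snap, live)
    staged = stage_replacements(snap, live, stage)
    staged_bytes = open(os.path.join(stage, "VboxGuest.sys"), "rb").read()
    shutil.rmtree(root)
    return status, staged, staged_bytes


if __name__ == "__main__":
    print(demo())
```

Byte-exact comparison only tells you that disk and live view disagree; it is the RC-read snapshot, taken with the rootkit not loaded, that establishes which side is the real on-disk content.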
 #723  by gjf
 Wed Apr 14, 2010 10:33 pm
Oh, I've missed RC moment! In this case sure it will work. Thanks.
What about the hypothetical situation where TDL3 infects a system driver, but not a Microsoft one?
 #725  by gjf
 Wed Apr 14, 2010 10:57 pm
No, I meant another situation. Let's assume I have the ElbyCDIO.sys driver installed in the system and exactly this driver was infected. This driver was installed by other software, not by Microsoft, so it will be absent in RC. Nothing to compare with.
 #726  by InsaneKaos
 Wed Apr 14, 2010 11:02 pm
Why should this not be listed under RC? It is there and the batch file will copy it to DriversToCheck. It already worked with VboxGuest.sys and avipbb.sys (Avira's ARK driver) on my VM.
 #727  by gjf
 Wed Apr 14, 2010 11:07 pm
OK, I have to test it myself. Not sure... and I believe a small modification of the code in the rootkit that returns garbage when the driver is copied could cause a problem.

Anyway - thanks a lot!
 #751  by zack
 Fri Apr 16, 2010 7:59 pm
I've seen a lot of posts detailing some of the files found within the hidden filesystem of this rootkit. I was just wondering how this data is read and what tools are needed?
 #752  by EP_X0FF
 Sat Apr 17, 2010 2:34 am
Hello,

they are:
extracted from processes address space
intercepted while uploading
extracted from rootkit body with RE
gathered from tdl file system with private tools

Regards.
 #774  by Gabethebabe
 Mon Apr 19, 2010 8:40 pm
1st post :)

Hey guys, very interesting forum you have here for the malware helpers. I picked up some TDSS samples from this thread, but the samples don't seem to work in my VirtualBox system (version 3.1.6). Whether running WinXP SP3 up to date or an outdated WinXP SP2, trying to run any of the newer droppers triggers a VBox reboot. Is VirtualBox not a good testing system?

Thanks and keep up the good work!