[EP_X0FF]

How much more relentless can the TDL authors become, before they give up?

If they have a good profit (and they are) usually the same dev team can work on such kind of rootkits for a years. This is not script-kiddie trojan development, as in fact dev of alureon had supreme or equal knowledge in comparison with any dev teams from av vendors. TDL3 currently looks like moved from active development to simple support. This can mean - losing main developer(s) or/and starting new project. TDL3 alike rootkit R&D is about 4-5 month by 1-2 senior developers.

[sww]

And i want to add a word. I think, that sources of TDL3 were sold (max++, z00clicker cases).

[Avinash]

Probably New Sample

[nullptr]

Probably New Sample

version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=1ac4685b-bf11-4c7c-939f-84930ea69dcc
affid=20694
subid=0
installdate=13.7.2010 14:8:14
builddate=12.7.2010 9:9:41
rnd=790525478
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941

Just reencrypted. :)

[SecConnex]

What are the latest characteristics of the infection?

Is it only just infecting a random driver?

The latest I see is that it just does one random driver.

[EP_X0FF]

Yes, the same characteristics as before + infecting random driver. Nothing new since March-April 2010.
Active infection is still undetectable by almost all AV.

[SecConnex]

Cool. It appears their main motive is to keep their backdoor in place and hide it.

I would not put it past them to teaming with other malware authors in the future to make an even larger and undetectable threat.

[Jaxryley]

May have morphed ?

Code: Select all

hxxp://ad.ghura.pl/dm.exe
hxxp://ad.ghura.pl/rus.php

dm.exe - 9/40 - MD5...: 53331d697c4e15f14a404f709d294db3
http://www.virustotal.com/analisis/76e5 ... 1279121442

rus.php - 13/42 - MD5...: df07010fd8a297bfc380ef5668a7876d
http://www.virustotal.com/analisis/4c01 ... 1279121453

dm and rus.zip

Pass:
infected
(111.46 KiB) Downloaded 67 times

[USForce]

Looks like the driver code has been slightly changed, even if the release number is still 3.273. In fact, eSage TDSS Remover detection routine doesn't work anymore. It seems that TDL3 added self-defense routine against such attack.

There isn't any other major change and TDL3 is still easily detectable.

[EP_X0FF]

Cannot reproduce :?

I made quick test.

Clean machine, from repository, XP SP3.

infected machine with this sample, file: termdd.sys, rebooted.
installed tdss remover, rebooted when asked
scanned with tdss remover, it detected tdl3, "fixed it", rebooted.

After reboot tdl3 is successfully removed.