A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #590  by gjf
 Fri Apr 09, 2010 10:33 am
EP_X0FF wrote: Thank you for providing these samples. Not all of them are really tdl3. There is at least one 4dw3r3 tdl copy-paste clone. As for the new tdl3 version, I didn't download it yet. Well, if they changed something in the infection module, then it is obviously not enough to counteract the tdl3+ removers available at this time. To be honest I don't believe in tdl4 in the next few months. The stealth model implemented in tdl3 is sophisticated and flexible enough, as time has proven.
You are welcome :) If you'd be so kind as to point out to me in a PM which samples are not tdl 3, I will surely remove them from the pack.

You are absolutely right concerning tdl4 - I believe the same, but the version I mentioned cannot be removed by present removers yet - so LiveCD only.

BTW some updates. And I believe I found that new sample I told you about - here it is: hxxp://www.onlinedisk.ru/file/401981/
I didn't test it yet (I will do it at home), so please don't blame me if it is just a repack. The JoeBox log is attached (JoeBox logs); it looks like it extracts into 5.tmp and infects cdrom.sys in this very case.

And the updated total pack is here: hxxp://www.onlinedisk.ru/file/401978/

P.S. All passwords remain the same as in my previous post.
 #592  by EP_X0FF
 Fri Apr 09, 2010 1:28 pm
Hi,

"girl blah blah cock exe" is perhaps related to the 4dw3r3 rootkit (TDL2/3 clone). I saw a dropper with the same name and size not so long ago.

Your last sample is:
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
subid=0
installdate=9.4.2010 13:25:40
builddate=9.4.2010 8:58:47
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://91.212 ... n4cx00.cc/
wspservers=http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/
popupservers=http://clkh71yhks66.com/
version=3.741
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=hxxps://112.121.181.26/rDbtafVZlDjA
As a task it downloads the updated 3.742 tdlcmd.dll.

In March-April the tdl3 team upgraded their packer, tdlcmd.dll and dropper code. The rootkit seems not to have been updated yet.

Norman TDSS Cleaner detected it. (I'm not saying that Norman TDSS Cleaner is the best etc., just the first public tool I tried against this rootkit.)
The removal attempt leads nowhere. It seems it killed the user-mode part of the rootkit, or it was updating right at that time. As a result Norman went into an infinite scan-reboot cycle.

Regards.
 #593  by ConanTheLibrarian
 Fri Apr 09, 2010 1:53 pm
I can confirm gjf's findings - it doesn't appear anything online can remove this, only offline removal. Without using any debugging tools, I can't even tell anything is out of the ordinary except the atapi.sys. TDSSRemover from esage doesn't see anything. The other tools see it and appear to clean it, but it comes back on reboot. It appears, like gjf has said, it is using another "helper" driver to load and infect as well now. Does anyone have any tools that can detect the infected files for offline replacement?
 #595  by InsaneKaos
 Fri Apr 09, 2010 2:25 pm
Hi there,
here is a new one. TDL no longer infects atapi.sys itself. There is another random driver that gets infected by the routine. It looks like TDL is only infecting the atapi driver that is in memory.
Code:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 23:46:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOKUME~1\Ghost\LOKALE~1\Temp\fwtiqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\System32\DRIVERS\ipsec.sys                                          entry point in ".rsrc" section [0xF6041614]

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\wuauclt.exe[460] ntdll.dll!NtProtectVirtualMemory          7C91D6D0 5 Bytes  JMP 0102000A
.text           C:\WINDOWS\system32\wuauclt.exe[460] ntdll.dll!NtWriteVirtualMemory            7C91DF90 5 Bytes  JMP 0103000A
.text           C:\WINDOWS\system32\wuauclt.exe[460] ntdll.dll!KiUserExceptionDispatcher       7C91E45C 5 Bytes  JMP 0101000C
.text           C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory         7C91D6D0 5 Bytes  JMP 007A000A
.text           C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory           7C91DF90 5 Bytes  JMP 007B000A
.text           C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!KiUserExceptionDispatcher      7C91E45C 5 Bytes  JMP 0079000C
.text           C:\WINDOWS\System32\svchost.exe[1092] ole32.dll!CoCreateInstance               774D057E 5 Bytes  JMP 01EE000A
.text           C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtProtectVirtualMemory                 7C91D6D0 5 Bytes  JMP 00A1000A
.text           C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!NtWriteVirtualMemory                   7C91DF90 5 Bytes  JMP 00A7000A
.text           C:\WINDOWS\Explorer.EXE[1640] ntdll.dll!KiUserExceptionDispatcher              7C91E45C 5 Bytes  JMP 00A0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                      pxrts.sys (Prevx Realtime Security/Prevx)

Device           -> \Driver\atapi \Device\Harddisk0\DR0                                        8614AAC8

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\System32\DRIVERS\ipsec.sys                                          suspicious modification
File            C:\WINDOWS\system32\drivers\atapi.sys                                          suspicious modification

---- EOF - GMER 1.0.15 ----
This one will only be detected by GMER if the "Sections" scan is selected.

Starting from a Windows PE, I've checked the MD5 of both drivers.

MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys - The same as the original file

Infected ipsec.sys:
MD5=10EBEE17CC6D5EDA2B771907FE5644C1 -- C:\WINDOWS\system32\drivers\ipsec.sys

clean ipsec.sys:
MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys

The last driver at "C:\WINDOWS\system32\drivers\ipsec.sys" is taken from an infected machine. It is the same as the one from ServicePackFiles. TDL is obfuscating the infection.

By replacing ipsec.sys with an original file, the whole infection is gone; there is no patched atapi.sys any longer.

Greetings, Kaos
Attachments: TDLDropper (pass: infected)
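The ".rsrc entry point" finding in the GMER log above is something a defender can reproduce against a driver file taken offline. As an added example (not part of this post or of any tool named in the thread), the Python below parses a PE header, finds the section that contains AddressOfEntryPoint, and flags entry points that fall in a non-code section or outside every section; `build_pe` constructs minimal header-only images so it runs without real drivers, and the section layout, RVAs and the set of "non-code" section names are assumptions.

```python
import struct

# Sections a legitimate driver's entry point should not live in (assumed heuristic,
# modelled on the ".rsrc" finding in the GMER log above).
NON_CODE_SECTIONS = {b".rsrc", b".reloc", b".data", b".rdata", b".idata"}

def entry_point_section(image):
    """Return (section_name, entry_rva) for the section covering AddressOfEntryPoint,
    or (None, entry_rva) if no section covers it."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 60)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24                                             # optional header start
    entry = struct.unpack_from("<I", image, opt + 16)[0]      # AddressOfEntryPoint
    for i in range(nsec):                                     # 40-byte section headers
        name, vsize, va = struct.unpack_from("<8sII", image, opt + opt_size + 40 * i)
        if va <= entry < va + max(vsize, 1):
            return name.rstrip(b"\0"), entry
    return None, entry

def is_suspicious_entry(image):
    """GMER-style check: entry point outside any section or inside a non-code section."""
    name, _ = entry_point_section(image)
    return name is None or name in NON_CODE_SECTIONS

def build_pe(entry_rva, sections):
    """Constructed header-only PE32 image for testing; sections = [(name, va, size)]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, 0)
                     for n, va, sz in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: entry point in INIT (normal for a driver) vs. in .rsrc.
LAYOUT = [(b"INIT", 0x1000, 0x200), (b".text", 0x2000, 0x800), (b".rsrc", 0x3000, 0x400)]
CLEAN = build_pe(0x1040, LAYOUT)
INFECTED = build_pe(0x3014, LAYOUT)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        name, rva = entry_point_section(img)
        print(f"{label}: entry 0x{rva:X} in {name}, suspicious={is_suspicious_entry(img)}")
```

Run it against a driver copied from the offline disk, not the live system, since the thread shows the rootkit hands back a clean copy of the infected file while it is running.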
 #596  by EP_X0FF
 Fri Apr 09, 2010 2:53 pm
Yes, I see that in my vm. It infects random driver.

In its config it is still 3.273, no changes.

atapi.sys is still affected by rootkit btw.

Meriadoc, can you test this sample also? In my test the old khakis successfully removes it.
 #599  by Meriadoc
 Fri Apr 09, 2010 5:04 pm
EP_X0FF wrote: Yes, I see that in my vm. It infects random driver.

In its config it is still 3.273, no changes.

atapi.sys is still affected by rootkit btw.

Meriadoc, can you test this sample also? In my test the old khakis successfully removes it.
Yes khakis removed fine.
 #600  by EP_X0FF
 Fri Apr 09, 2010 5:10 pm
Thanks for confirmation :)

Yes, it seems some innovations were added. However all this is still easily detectable and removable.
RkU Version: 5.1.707.2260, Type VX2 (VX+)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
0x81F11B36 Page with executable code, size: 4096 bytes
0x81F0DCF9 Page with executable code [ ETHREAD 0x81FC4B20 ] TID: 48, size: 775 bytes
0x81F0E636 Page with executable code [ ETHREAD 0x81FC4B20 ] TID: 48, size: 2506 bytes
0x81F0F3CF Page with executable code [ ETHREAD 0x81FC4B20 ] TID: 48, size: 3121 bytes
0x81F0E21A Page with executable code [ ETHREAD 0x81FC4B20 ] TID: 48, size: 3558 bytes
0x81F10C3F Page with executable code [ ETHREAD 0x81FC4B20 ] TID: 48, size: 961 bytes
0x81F11517 Page with executable code [ ETHREAD 0x81FC4388 ] TID: 60, size: 2793 bytes
0x81F0DBEF Page with executable code [ ETHREAD 0x81FC4388 ] TID: 60, size: 1041 bytes
0xF84AXXXX WARNING: Virus alike driver modification [dmio.sys] :: 0xXXX, size: XXX bytes
0x81F0XXXX WARNING: Driver modified [atapi.sys]
Several addresses in the log were replaced for security reasons (to avoid compromising detection).

edit:

Tested with TDSSKiller from KL.
TDSS rootkit removing tool, Kaspersky Lab, 2010
version 2.2.8.1 Mar 22 2010 10:43:04

Scanning Services ...

Scanning Kernel memory ...
Driver "atapi" infected by TDSS rootkit!
File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... will be cured on next reboot

Completed

Results:
Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured / cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 1

To finalize removal of infection and avoid loosing of data program will
reboot your PC now.
Close all programs and choose Y to restart or N to continue

After reboot the infection is alive.