A forum for reverse engineering, OS internals and malware analysis 

 #2165  by Meriadoc
 Sat Aug 21, 2010 1:49 pm
EP_X0FF wrote: Probably this is only debug versions :)

"we gonna make our own tdl4! With blackjack and hookers"

lol
Lol, 'In fact, forget tdl4.' :)
 #2196  by SecConnex
 Mon Aug 23, 2010 2:31 am
Keep in mind, PatchGuard is only a barrier...not a total block. It keeps user-mode malware from patching the kernel. But, what about kernel-mode malware? Cannot help that.

No matter what, if a kernel driver attempts to intercept with another kernel driver with the correct instructions, it's going to override PatchGuard.

As long as descriptor tables do not get modified, or patching kernel code, malware can get in.
 #2198  by EP_X0FF
 Mon Aug 23, 2010 3:43 am
Dropper of this new TDL is a priority target. This TDL includes (in its FS) two workable loaders - one for 32-bit (ldr32) and one for 64-bit (ldr64); it also keeps a copy of the original MBR now (like with the resource section earlier). Any clue how it installs on x64?
 #2199  by SecConnex
 Mon Aug 23, 2010 4:57 am
There definitely has to be a spot, which the malware authors have found, that is vulnerable. And the best time to strike would be when Microsoft is busiest dealing with other vulnerabilities.

NtQueryVirtualMemory?

Looks like malware authors purchased/stole a new certificate.

Look at this: http://fyyre.ivory-tower.de
 #2202  by EP_X0FF
 Mon Aug 23, 2010 6:09 am
And? What is the point in this function? Bootkit solves all problems with certificates. There is no need to steal what you simply don't need.
 #2215  by DiskOgre
 Mon Aug 23, 2010 6:26 pm
I find it hard to believe that the source would be sold. This rootkit is far too profitable and effective, and the changes are obviously big and done by professionals. Seems to me that this is just the test run of what's likely to be TDL4, working out the kinks before it replaces TDL3 entirely.

Now, to find a dropper...
 #2217  by Fyyre
 Mon Aug 23, 2010 8:28 pm
PEAUTH need not be set to manual, that is something I found out later, but never bothered to update the original document.

If TDL authors received any inspiration from my bootkit_fasm, then I will say "neat". I am glad someone is able to apply this idea elsewhere.

-Fyyre
Stoned wrote: You actually know that 64-bit drivers must be signed? Without stealing a certificate or abusing an already signed driver, bootkits are the only way to get in.
Code:
;To disable driver signature enforcement requires service PEAUTH set to Manual or Disabled.
;
;SepInitializeCodeIntegrity calls CIInitialize in CI.dll, if we do not manual/disable the
;service PEAUTH (peauth.sys), a BSOD will occur at the logon screen.  (peauth calls invalid
;memory).
 #2220  by a_d_13
 Tue Aug 24, 2010 2:26 am
Hello,

I can now confirm that the latest TDL3 has a working 64-bit driver. It supports injecting into 32- and 64-bit processes from kernel-mode, and is capable of hiding data just like the 32-bit version.

Thanks,
--AD
 #2221  by EP_X0FF
 Tue Aug 24, 2010 3:53 am
The same LoadImage notify routine, the same APC, and added logic to determine the type of process to inject into.
Ironically, it appears that 32-bit Windows is more protected than x64.

Welcome to the x64 rootkits era.
Elite wrote: So has the source been sold?
Long time ago, remember the z00clicker version? :)

I believe the time from April to August was used to create this cross-platform TDL. Four months matches the required R&D very well. This explains why there was nothing new from the TDL stuff during this time.
And currently we are watching some sort of beta releases.