A forum for reverse engineering, OS internals and malware analysis 
 #1472  by EP_X0FF
 Sun Jul 11, 2010 4:43 pm
DragonMaster Jay wrote: How much more relentless can the TDL authors become, before they give up?
If they have good profit (and they do), usually the same dev team can work on this kind of rootkit for years. This is not script-kiddie trojan development; in fact the devs of Alureon had supreme or equal knowledge in comparison with any dev team from AV vendors. TDL3 currently looks like it has moved from active development to simple support. This can mean losing the main developer(s) and/or starting a new project. TDL3-like rootkit R&D is about 4-5 months by 1-2 senior developers.
 #1473  by sww
 Mon Jul 12, 2010 9:05 am
And I want to add a word. I think that the sources of TDL3 were sold (max++, z00clicker cases).
 #1485  by nullptr
 Tue Jul 13, 2010 2:27 pm
Avinash wrote: Probably new sample
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=1ac4685b-bf11-4c7c-939f-84930ea69dcc
affid=20694
subid=0
installdate=13.7.2010 14:8:14
builddate=12.7.2010 9:9:41
rnd=790525478
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
Just re-encrypted. :)
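As an added example (not part of the post above or of any tool named in the thread), a small parser for the INI-like layout of the decrypted config quoted above, pulling out the `[tdlcmd]` server lists and the hostnames a defender would feed into a blocklist. The embedded sample is constructed and uses placeholder domains, not the indicators from the post.

```python
"""Parse a decrypted TDL3-style config (the INI-like layout quoted in the
thread) into {section: {key: value}} and extract its server hostnames.
Example code added to the thread; the sample below is constructed."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample with the same layout as the posted config; the domains
# are placeholders (.invalid), not real indicators.
SAMPLE_CONFIG = """\
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=00000000-1111-2222-3333-444444444444
affid=20694
subid=0
installdate=13.7.2010 14:8:14
builddate=12.7.2010 9:9:41
rnd=790525478
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://c2-one.invalid/;hxxps://c2-two.invalid/
wspservers=hxxp://wsp-one.invalid/;hxxp://wsp-two.invalid/
popupservers=hxxp://popup.invalid/
version=3.941
"""

def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Keys before any [section] go under "main". The two 'version' keys stay
    distinct because they live in different sections (3.273 = driver build,
    3.941 = tdlcmd payload in the posted sample)."""
    sections: Dict[str, Dict[str, str]] = {"main": {}}
    current = "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # skip malformed lines instead of aborting the whole parse
            sections[current][key.strip()] = value.strip()
    return sections

def server_lists(cfg: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Split each *servers key in [tdlcmd] on ';' and refang hxxp -> http."""
    refang = lambda u: re.sub(r"^hxxp(s?)://", r"http\1://", u, flags=re.I)
    return {k: [refang(u) for u in v.split(";") if u]
            for k, v in cfg.get("tdlcmd", {}).items() if k.endswith("servers")}

def hostnames(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated hostnames across all server lists (blocklist input)."""
    return sorted({urlparse(u).hostname for urls in server_lists(cfg).values()
                   for u in urls if urlparse(u).hostname})
```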
 #1490  by SecConnex
 Tue Jul 13, 2010 5:47 pm
What are the latest characteristics of the infection?

Is it only just infecting a random driver?

The latest I see is that it just does one random driver.
 #1491  by EP_X0FF
 Tue Jul 13, 2010 6:25 pm
Yes, the same characteristics as before, plus infecting a random driver. Nothing new since March-April 2010.
Active infection is still undetectable by almost all AV.
 #1492  by SecConnex
 Tue Jul 13, 2010 6:33 pm
Cool. It appears their main motive is to keep their backdoor in place and hide it.

I would not put it past them to team up with other malware authors in the future to make an even larger and undetectable threat.
 #1514  by Jaxryley
 Wed Jul 14, 2010 3:45 pm
May have morphed?
Code:
hxxp://ad.ghura.pl/dm.exe
hxxp://ad.ghura.pl/rus.php
dm.exe - 9/40 - MD5...: 53331d697c4e15f14a404f709d294db3
http://www.virustotal.com/analisis/76e5 ... 1279121442

rus.php - 13/42 - MD5...: df07010fd8a297bfc380ef5668a7876d
http://www.virustotal.com/analisis/4c01 ... 1279121453
Pass:
infected
 #1516  by USForce
 Wed Jul 14, 2010 5:08 pm
Looks like the driver code has been slightly changed, even if the release number is still 3.273. In fact, the eSage TDSS Remover detection routine doesn't work anymore. It seems that TDL3 added a self-defense routine against such an attack.

There isn't any other major change and TDL3 is still easily detectable.
 #1519  by EP_X0FF
 Wed Jul 14, 2010 5:42 pm
Cannot reproduce :?

I made a quick test.

Clean machine, from repository, XP SP3.

Infected the machine with this sample (file: termdd.sys), rebooted.
Installed TDSS Remover, rebooted when asked.
Scanned with TDSS Remover, it detected TDL3, "fixed it", rebooted.

After reboot TDL3 is successfully removed.