Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik) - Page 47

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6608 by gjf
Wed Jun 01, 2011 1:52 pm

Looks like TDL4 obtains new infector mechanism. Unfortunately the article is in Russian.

Last edited by gjf on Wed Jun 01, 2011 4:56 pm, edited 1 time in total.

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6614 by axl
Wed Jun 01, 2011 4:37 pm

Do you have this sample?

gjf wrote:Looks like TDL obtains new infector mechanism. Unfortunately the article is in Russian and there is no information does it concern TDL4 or TDL3.

Username

axl

Posts

5

Joined

Thu Apr 15, 2010 6:40 pm

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6616 by gjf
Wed Jun 01, 2011 4:43 pm

No. But I believe someone will post it in near days.

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6617 by CodeAddiction
Wed Jun 01, 2011 7:55 pm

"TDSS, for self-propagation through the network uses the most dangerous vulnerability in the computer - the user."

Yes. Very true.

Username

CodeAddiction

Rank

Banned

Posts

15

Joined

Tue Apr 26, 2011 3:30 pm

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6620 by Fabian Wosar
Wed Jun 01, 2011 11:16 pm

I just went through our submits and found a sample we got submitted yesterday. While the Kaspersky detection name doesn't match the general behavior is the same (scanning the sub net for free addresses, downloading TDL-4 as a payload, original file name was update.exe) so I assume this is a variant of the malware the blog post is talking about.

Detection of the downloader:

http://www.virustotal.com/file-scan/rep ... 1306968878

The detection of downloaded TDL-4 dropper (downloaded from http://94.60.123.34/service/scripts/files/aff_50045.dll):

http://www.virustotal.com/file-scan/rep ... 1306969204

Both the dropper as well as the downloader are included in the attachment.

Attachments

samples.rar

infected
(152.12 KiB) Downloaded 102 times

Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Username

Fabian Wosar

Posts

88

Joined

Thu Aug 26, 2010 8:23 am

Location

Germany

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6624 by gjf
Thu Jun 02, 2011 7:02 am

Here is that infector.

Attachments

Net-Worm.Win32.Rorpian.7z

infected
(14.98 KiB) Downloaded 84 times

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6633 by PX5
Thu Jun 02, 2011 10:25 am

Why so interesting, Vobfus started calling in TDL4 as part of its payload and working mechanism back in early march of 2010.

Why this author talk like no other network worm ever called in TDL4 before?

Or is it just too early and I have not had enough coffee?

Arrogance led me to my Ignorance

Username

PX5

Posts

144

Joined

Thu Apr 29, 2010 1:14 am

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6701 by Petra
Mon Jun 06, 2011 9:07 am

In the meantime the article exists also in English, see here

Username

Petra

Posts

2

Joined

Thu Nov 18, 2010 3:37 am

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6712 by markusg
Tue Jun 07, 2011 11:14 am

dll.exe
http://www.virustotal.com/file-scan/rep ... 1307444423

Attachments

dll.rar

(142.9 KiB) Downloaded 65 times

Username

markusg

Posts

737

Joined

Mon Mar 15, 2010 2:53 pm

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

#6714 by EP_X0FF
Tue Jun 07, 2011 12:00 pm

markusg wrote:dll.exe
http://www.virustotal.com/file-scan/rep ... 1307444423

[main]
version=0.03
aid=30041
sid=0
builddate=351
rnd=1960408961
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.175

nothing new.

Attachments

Malware.rar

pass: malware
(76.35 KiB) Downloaded 65 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact