A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1116  by EP_X0FF
 Tue May 18, 2010 1:31 pm
6.00.2.04010 was CureIt (I should mention this in the first post).
 #1117  by gjf
 Tue May 18, 2010 3:10 pm
One of the sources of infection: it became quite active on my work network :)
You will get spam like this:
SMTP and POP3 servers for your@e-mail.here mailbox are changed. Please carefully read the attached instructions before updating settings.

http://deletedhost/card.zip
Sometimes the e-mail has an attachment, sometimes just a link.

API calls during infection of the sandbox are attached.
As you can see, the malware possibly finds some tricks in the explorer.exe handle and shuts down. OK, I will try to fool it at home, I have some ideas :)

So after infection of the virtual machine all works as always - after reboot TDL3 tries to reach the following URL:
hxxp://clkmfd001.ws/EzZ2IfCl5C3qZJU0Y2xrPTEuMjEmYmlkPWU3MWM1MWY2LTUxNTEtNDFkMS1hMjk1LTRlMDUwMTMyMDNmMiZhaWQ9MjAxMDUmc2lkPTAmcmQ9MTguNS4yMDEw16c

The most interesting: the eSage utility found the infection but after reboot could not delete it! I will try to repeat it at home, because this is something unusual.

Kaspersky TDSS Killer effectively removed the malware. BTW Kaspersky detects the sample only by the heuristic engine at the time of this post's publication.

The sample is attached also.
Last edited by a_d_13 on Tue May 18, 2010 6:23 pm, edited 1 time in total. Reason: Disabled URL
 #1118  by gjf
 Tue May 18, 2010 3:55 pm
I beg pardon from eSage - that was a false alarm because the eSage remover still works well. Don't know what was wrong at the first run, but all other tries were successful.

So, the ini is as follows:
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
botid=e71c51f6-5151-41d1-a295-4e05013203f2
affid=20105
subid=0
installdate=18.5.2010 15:39:56
builddate=18.5.2010 6:47:35
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js810300z.com/;https://lj1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/;http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http
version=3.741
Dll detection, infected driver detection.

No news actually :(
 #1123  by PX5
 Wed May 19, 2010 12:05 am
Found some new batch of loaders, so far no cleaner I can find works, although an educated tour of rku led me to a neat little trick to ID the actual infected driver.

I don't use a VM for real-time testing, won't use VBox either, still too unstable, only use live; indeed I'm sure it is infected but Kaspersky only farts in the wind, Norman only wants to clean it over and over and over, CureIT, pffft, 20MB download to kill one infection, which I suspect will fail too; the loaders at seriall will catch up maybe soon so all can have a play.

Odd, in a VM I have no problems; actually I have no problems in VBox because it only BSODs on load, so it defeats itself. :lol:

Makes working in a support dept really suck sometimes; when I see certain messages about this infection, I suddenly have the desire to go and mow the lawn or take the wife to dinner, and I don't really even like my wife that much. :P
 #1124  by EP_X0FF
 Wed May 19, 2010 3:45 am
gjf wrote:
EP_X0FF wrote: It was a beta version.
Which one was? CureIt! in the past or DrWeb (which is able to cure TDL3) now?
I've retested Dr.Web Antivirus 6.0 from 28.04.2010 (downloaded from official site) against TDL3+.
Dr.Web has been updated to newest bases from 19.05.2010, newest components and has version 6.00.2.05140.
The TDL3+ dropper has been updated to the latest to make sure it won't be detected by signatures/heuristics.
[main]
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
version=3.273
botid=
affid=
subid=0
installdate=19.5.2010 3:39:15
builddate=19.5.2010 3:35:45
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.75
It can't detect/remove TDL3. Actually, all it was able to detect was the mapped tdlcmd.dll as BackDoor.Tdss.565.

Note: as you see, with the new tdlcmd there is no IP and server list in config.ini now; for whoever wants them, here they are:
hxxps://873hgf7xx60.com
hxxps://34jh7alm94.asia
hxxps://112.121.181.26
hxxps://61.61.20.132
hxxps://68b6b6b6.com
hxxps://1iii1i11i1ii.com
hxxps://0o0o0o0o0.com
hxxp://mfdclk001.org
hxxp://lk01ha71gg1.cc
hxxp://zl091kha644.com
hxxp://a74232357.cn
hxxp://a76956922.cn
hxxp://91jjak4555j.com
hxxp://cri71ki813ck.com
Test sample attached.
http://www.virustotal.com/analisis/1531 ... 1274240886
Last edited by EP_X0FF on Sat Jul 10, 2010 3:08 am, edited 1 time in total. Reason: removed attach (10 July 2010)
 #1125  by gjf
 Wed May 19, 2010 7:27 am
EP_X0FF wrote: It can't detect/remove TDL3. Actually, all it was able to detect was the mapped tdlcmd.dll as BackDoor.Tdss.565.
It is exactly what I've tried to tell you, pal! :) Looks like there is no "product" antivirus which is able to cure an active infection. All vendors try to produce some dedicated tools to remove TDL3, but these tools use new technologies, sometimes not too stable. That's why they are in no hurry to merge them into "products", I believe.
 #1126  by PX5
 Wed May 19, 2010 9:44 am
LOL@CureIt

It was worth the 30MB download, but on an infected machine you never reach this site; marco had to download it for me and send it over. It immediately IDed TDL3 and eradicated it.

Kudos to RKU LE, I wish I had learned to use this tool a very long time ago, so many nice and useful functions, great job my friend. :D

Reboot and retest will tell the story.
 #1127  by gjf
 Wed May 19, 2010 10:48 am
Concerning the last version - Norman TDSS Cleaner and eSage TDSS Remover effectively remove the infection. I was informed that Kaspersky TDSS Killer fails to do it at present.

Maybe it would be interesting, but the rootkit connects not only to the servers in the config. In my experiment the config was as follows:
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=e71c51f6-5151-41d1-a295-4e05013203f2
affid=11418
subid=0
installdate=19.5.2010 9:52:49
builddate=19.5.2010 3:35:45
rnd=507921405
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.75
delay=7200
servers=https://873hgf7xx60.com/;https://34jh7alm94.asia/;https://112.121.181.26/;https://61.61.20.132/;https://68b6b6b6.com/;https://1iii1i11i1ii.com/;https://0o0o0o0o0.com/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
popupservers=http://cri71ki813ck.com/
clkservers=http://lkckclckl1i1i.com/
but the rootkit tried to connect to
http://mfdclk001.org/Cke141lP7b5qHIc5Y2xrPTEuNiZiaWQ9ZTcxYzUxZjYtNTE1MS00MWQxLWEyOTUtNGUwNTAxMzIwM2YyJmFpZD0xMTQxOCZzaWQ9MCZyZD0xOS41LjIwMTA=15x
Please note there was no mfdclk001.org in the config (but possibly some of the hosts just redirect there).

Injected dll, infected driver.
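As an added example (not code from the thread or from any of the posters), the following Python script parses the config.ini quoted above and decodes the callback URL from the same post. The part of the URL path after the host carries a base64 blob that decodes to a plain query string (clk=...&bid=...&aid=...&sid=...&rd=...), with a few junk characters before and after it; the script locates the blob by the 4-character-aligned encoding of "clk", trims the trailing junk, and cross-checks bid/aid against botid/affid in the config, and reports whether the contacted host appears in any of the *servers lists. The URL layout (junk prefix and suffix around the blob) is an observation from the two beacons quoted in this thread only, not a documented format, and the marker-based search is my assumption about how to locate it; the sample inputs are the config and URLs as posted, embedded so the script runs offline.

```python
import base64
import binascii
import configparser
import string
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the config.ini and the callback URL quoted in post #1127,
# embedded verbatim so the script runs offline. Nothing is fetched from the network.
SAMPLE_INI = """[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
botid=e71c51f6-5151-41d1-a295-4e05013203f2
affid=11418
subid=0
installdate=19.5.2010 9:52:49
builddate=19.5.2010 3:35:45
rnd=507921405
[injector]
*=tdlcmd.dll
[tdlcmd]
version=3.75
delay=7200
servers=https://873hgf7xx60.com/;https://34jh7alm94.asia/;https://112.121.181.26/;https://61.61.20.132/;https://68b6b6b6.com/;https://1iii1i11i1ii.com/;https://0o0o0o0o0.com/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
popupservers=http://cri71ki813ck.com/
clkservers=http://lkckclckl1i1i.com/
"""
SAMPLE_URL = ("http://mfdclk001.org/Cke141lP7b5qHIc5Y2xrPTEuNiZiaWQ9ZTcxYzUxZjYtNTE1MS00MWQxLWEyOTUt"
              "NGUwNTAxMzIwM2YyJmFpZD0xMTQxOCZzaWQ9MCZyZD0xOS41LjIwMTA=15x")
# The beacon quoted in post #1117, kept with its defanged "hxxp" scheme as posted.
EARLIER_URL = ("hxxp://clkmfd001.ws/EzZ2IfCl5C3qZJU0Y2xrPTEuMjEmYmlkPWU3MWM1MWY2LTUxNTEtNDFkMS1hMjk1"
               "LTRlMDUwMTMyMDNmMiZhaWQ9MjAxMDUmc2lkPTAmcmQ9MTguNS4yMDEw16c")

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def parse_tdl_config(text):
    """Parse the bot's config.ini into a flat {section.key: value} dict.
    Keys ending in 'servers' are ';'-separated URL lists and become Python lists,
    which is the form a blocklist or proxy log search would consume."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    cfg = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            cfg[f"{section}.{key}"] = value.split(";") if key.endswith("servers") else value
    return cfg


def extract_beacon_params(url):
    """Recover the query string hidden in the beacon path, or None if absent.
    Assumption (from the two samples in this thread): the base64 payload starts with
    'clk=' and is 4-aligned, so its first quad is the encoding of b'clk'; junk characters
    follow it, so the longest prefix that decodes cleanly to printable ASCII is taken."""
    path = urlsplit(url).path.lstrip("/")
    marker = base64.b64encode(b"clk").decode()  # 'Y2xr'
    idx = path.find(marker)
    if idx < 0:
        return None
    sub = path[idx:]
    for end in range(len(sub), 3, -1):
        chunk = sub[:end]
        padded = chunk + "=" * (-len(chunk) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        decoded = raw.decode("ascii", errors="replace")
        if all(c in PRINTABLE for c in decoded):
            return {k: v[0] for k, v in parse_qs(decoded).items()}
    return None


def correlate(cfg, url):
    """Cross-check a beacon against a config: bid/aid should equal botid/affid of the
    same infection, and the contacted host may or may not be in the config's lists."""
    params = extract_beacon_params(url) or {}
    listed = {urlsplit(u).hostname for k, v in cfg.items() if k.endswith("servers") for u in v}
    return {
        "botid_match": params.get("bid") == cfg.get("main.botid"),
        "affid_match": params.get("aid") == cfg.get("main.affid"),
        "host_in_config": urlsplit(url).hostname in listed,
    }


if __name__ == "__main__":
    cfg = parse_tdl_config(SAMPLE_INI)
    for url in (SAMPLE_URL, EARLIER_URL):
        print(urlsplit(url).hostname, extract_beacon_params(url), correlate(cfg, url))
```

Run against the beacon from this post, bid and aid come back equal to botid and affid in the config, while the contacted host (mfdclk001.org) is in none of the *servers lists, which is exactly the discrepancy noted above. The earlier beacon from post #1117 decodes with aid=20105, matching the affid of the config quoted in post #1118, so against this post's config it reports botid_match but not affid_match; the rd field carries the install date in both cases.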