Please read this post before you start posting in this thread.
This is a thread about the TDL3 infection, a continuation of the sysinternals thread.
There is another special dedicated thread about the current TDL rootkit
TDL series common information
First topics with TDSS description:
The TDL series was first discovered ITW in the middle of 2008. It was first mentioned in one of my articles at rootkit.com
Rootkit Unhooker v3.8 It's Past, Present and Future of the NTx86 Rootkit Detection
as one of the most dangerous rootkits available at that time.
TDL 1 (analysis by A_D_13)
Interesting new malware
Was using dirty tricks (FSD filter) to bypass RAW mode access to hard disks, especially for anti-rootkits.
TDL 2/2+ (analysis by A_D_13)
Interesting new malware, part 2
Introduced new aggressive self-protection, based on filtering IofCompleteRequest and IofCallDriver by a whitelist of
drivers allowed access (the rootkit was looking at the call stack).
Currently has numerous copy-paste clones:
_VOID
H8SRT
PRAGMA
4DW4R3 (aka BackDoor Triplex)
More info about the 2nd generation of this rootkit
TDSS analysis by eSage lab - RU
Case study: the TDSS rootkit - EN
TDL 3 (First appearance)
Rootkit TDL3 (TDL Reloaded)
Switched to virus-like behavior, hooking of the miniport disk driver.
TDL 3 (analysis by t4L)
TDL3 - Why so serious? Let's put a smile on that face .. (dead link, use attach)
TDL 3/3+ (analysis by Dr.Web)
Russian PDF
English PDF
This article also mentions the updated TDL3 version, which switched from IRP handler hooking to using a special device object.
Note: all other papers from antivirus companies are mostly copy-paste of those posted above.
TDL 3/3+ (analysis by ESET)
http://www.eset.com/resources/white-pap ... alysis.pdf
Covers the latest available 3.27+ version ("random" driver infector), TDL FS structure and encryption.
TDL Family (analysis from Kaspersky Lab)
Russian http://www.securelist.com/ru/analysis/208050642/TDSS
English http://www.securelist.com/en/analysis/204792131/TDSS
Interesting info about the commercial part of all this story; affid and others are covered :).
TDL3 story from F-Secure
http://www.f-secure.com/weblog/archives ... f_TDL3.pdf
TDL4, Alureon: The First In The Wild 64-Bit Windows Rootkit
http://www.virusbtn.com/pdf/conference_ ... VB2010.pdf
In the middle of February 2010 this rootkit was revealed to a significant number of its victims.
After applying the MS10-015 patch, due to restrictions of the TDL3 rootkit (several hardcoded values), machines with this rootkit installed became
unbootable (infinite loop of Blue Screens).
TDL 3 had 2 variants detected ITW.
1. Main front-end rootkit with huge botnet. (user mode payload - tdlcmd.dll, TDL C&C library)
Contains two generations and about ~30 actual subversions; at the moment this topic was started, the latest available was v3.273 (3rd update of version 27)
2. z00clicker.dll variant, based on the first TDL3 generation (z00clicker.dll is user mode payload C&C library)
Contains two generations, including a debug beta version (creates debug.txt while running).
The TDL team is playing a cat-and-mouse game with AV companies, breaking detection by their special tools.
3.24 locked infected file on disk
3.25 fixed MS10-015 Blue Screen of Death
3.26 removed file locking
3.27 bypassed SPTI-based detectors (1.6 version of TDSSRemover, HitmanPro previous version)
3.271 bypassed bithack used by Kaspersky Lab in their TDSSKiller
3.272 added code integrity checking, not allowing the use of bithacks
3.273 bypassed several detectors again (improved I/O filtering)
3.273 April 2010 edition, changed infection scheme resulting in bypassing most of public removers/detectors
4.0x August 2010 edition, TDL evolves to x64 (switched to bootkit techniques)
The user mode component of this rootkit can be updated, and usually it is updated independently from the rootkit itself.
tdlcmd.dll contains configuration information (servers list) and handy routines to control the behavior of the rootkit.
The rootkit can download additional files and store them inside its own encrypted file system.
However, the infection itself can't be updated in the current version of this rootkit.
TDL3/4 detectors & removers available for download
(+) latest TDL version removal supported
- Microsoft Security Essentials http://www.microsoft.com/security_essen ... fault.aspx
- TDSSKiller from Kaspersky Lab http://support.kaspersky.com/downloads/ ... killer.zip(+)
- TDSS Remover from eSage Lab http://www.esagelab.com/files/tdss_remover_latest.rar(+)
- Hitman Pro http://files.surfright.nl/HitmanPro35beta.exe(+)
- Hitman Pro x64 http://dl.surfright.nl/HitmanPro35beta_x64.exe(+)
- Dr.Web CureIt! ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe(+)
- Norman TDSS Cleaner http://download.norman.no/public/Norman ... leaner.exe
- TDL3 Razor by Tizer Secure http://www.tizersecure.com/about_TDL3_r ... remove.php
- Symantec FixTDSS http://www.symantec.com/content/en/us/g ... ixTDSS.exe
- ESET TDL cleaner http://download.eset.com/special/EOlmarikRemover.exe(+)
TDL3 affid (Affiliated id) description
- 20106 - rootkit installed with help of fake codecs
- 10438 - rootkit installed with help of cracks / keygens
- 11418 - rootkit installed with help of cracks / keygens (keygen.name as example)
- 20273 - rootkit installed through exploits
1. TDL samples must be archived and password-protected. Password can be "infected" or "malware".
All other samples can be deleted by administration without notice.
2. Please avoid posting links to fresh TDL sites to keep them alive for harvesting.
3. Please do not post identical samples and links to outdated information about TDL3
4. Please stay on topic (off-topic posts can be deleted without any notice).
Your contribution in reversing and harvesting this rootkit --> highly welcomed.
Thanks :)
Attachments
TDL 3 (analysis by t4L) PDF copy from rootkit.com
(779.03 KiB) Downloaded 100 times
Ring0 - the source of inspiration