A forum for reverse engineering, OS internals and malware analysis 

 #1377  by USForce
 Fri Jul 02, 2010 12:31 pm
SAS is totally unable to detect TDL3 infection.

Eset SysInspector instead is able to detect the infected driver, despite what has been said before :) It is just a bit difficult to understand that the tool detected the infected file. Set the filter slider to level 5/9 and then click on the "Drivers" entry on the left. The infected driver will appear there in yellow.
 #1378  by Maniac
 Fri Jul 02, 2010 12:42 pm
USForce wrote: SAS is totally unable to detect TDL3 infection.
That's bad! :(
USForce wrote: Eset SysInspector instead is able to detect the infected driver, despite what has been said before :) It is just a bit difficult to understand that the tool detected the infected file. Set the filter slider to level 5/9 and then click on the "Drivers" entry on the left. The infected driver will appear there in yellow.
Able to detect it, but the fact that it is highlighted in yellow means that it fails to recognize it as malware. It should be in red.
 #1379  by USForce
 Fri Jul 02, 2010 12:49 pm
Maniac wrote: Able to detect it, but the fact that it is highlighted in yellow means that it fails to recognize it as malware. It should be in red.
As said before, it is actually not well highlighted; anyway, it is able to detect something uncommon in the driver. This means it is able to detect the infected driver.
 #1380  by bytejammer
 Fri Jul 02, 2010 12:56 pm
Is it able to remove it? Or is it just detecting it as suspicious?

You should expect, when a company releases a paper, that its products reflect the state of their research at some point, I guess.
 #1381  by USForce
 Fri Jul 02, 2010 1:21 pm
SysInspector can only detect the suspicious file, but it doesn't implement any removal features. I haven't tried Nod32 v4; maybe it is able to clean the infected file. I'll try it in a bit.

Anyway, you are right: if a company releases a technically good paper, as the Eset one is, everyone would expect their software to be able to remove the analyzed threat. Sadly, the truth is that Research and Development often do not follow the same steps. This is the case inside big companies, where sometimes researchers do not even talk to developers.
 #1383  by EP_X0FF
 Fri Jul 02, 2010 3:05 pm
Hi USForce,

TDL3 installed by dogma.exe (from post above) is totally undetected by SysInspector.
It is running under Virtual PC and shows nothing.

Infected driver is mouclass.sys

Another interesting fact: the last update of SysInspector was before TDL3's active ITW launch.
Last updated on: 7.10.2009
So it's very outdated and can't detect something like TDL3 by design.
RkU Version: 5.1.709.2270, Type VX2 (VX+)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
0x81DBFCC4 Page with executable code, size: 4096 bytes
0x81471291 Page with executable code [ ETHREAD 0x81FC4030 ] TID: 40, size: 3439 bytes
0x81470E25 Page with executable code [ ETHREAD 0x81FC4030 ] TID: 40, size: 475 bytes
0x81471024 Page with executable code [ ETHREAD 0x81FC4030 ] TID: 40, size: 4060 bytes
0x81DBC0B2 Page with executable code [ ETHREAD 0x81FC4610 ] TID: 56, size: 3918 bytes
0x81DBF6AE Page with executable code [ ETHREAD 0x81FC4610 ] TID: 56, size: 2386 bytes
0x81DC1D74 Page with executable code [ ETHREAD 0x81FC4610 ] TID: 56, size: 652 bytes
0xF8810000 WARNING: Virus alike driver modification [mouclass.sys] :: 0xF8814814, size: 24576 bytes
In fact I believe it just detects the VBox driver. Perhaps it is a simple coincidence. This can be proven by taking a short test on VmWare or VPC.

edit:
SysInspector highlighted Rootkit Unhooker driver in yellow, probably because it was not on disk.


Regards.
Attachment: pic1.JPG
 #1384  by USForce
 Fri Jul 02, 2010 3:27 pm
It doesn't just detect virtualbox, because it highlighted isapnp.sys at the next attempt, and it was actually infected by TDL3. Then, after I cleaned the infection, SysInspector didn't report that file anymore.
You are right that in fact SysInspector has not been updated to detect TDL3, but it actually sometimes detected the infected driver. I don't know what kind of check it is doing though. Maybe something that casually detected a suspicious modification.
 #1385  by EP_X0FF
 Fri Jul 02, 2010 4:22 pm
I'm refusing to believe in such a mediocre product as SysInspector or ESET :)

Booted VmWare 7.1 + Windows XP SP3 (IDE mode) + TDL 3 (dogma.exe dropper).
TDL3 installed, system rebooted.
Scanned with SysInspector from official site.

Infected driver file is intelppm.sys (verified by RkU).

SysInspector detected (highlighted in yellow):
"VMware Vista Physical Disk Helper" = "c:\program files\vmware\vmware tools\vmrawdsk.sys" System ; Stopped ; ( 5: Unknown ) ;

Nothing else, TDL3 undetected.
 #1386  by Alex
 Fri Jul 02, 2010 4:31 pm
I've tested SysInspector on VmWare. It doesn't show the infected driver as suspicious. I think that SysInspector checks a few things to decide whether a file is suspicious: the version block, the file path and maybe something else (EP). But if it doesn't implement a low-level disk reading mechanism it can't read the infected file and check its version block or entry point, sections, ...

Alex
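An added example, not SysInspector's or ESET's code and not something posted in this thread, of the kind of header check Alex describes and of why such a check is only as good as the bytes the read returns. It assumes one hypothetical heuristic (the entry point must fall inside a section marked executable) and builds header-only PE32 images in memory as constructed input; the section names, RVAs and the `views_differ` comparison are assumptions for illustration, not a description of what any tool named in the thread actually does.

```python
import hashlib
import struct

# Section characteristics flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point_rva):
    """Build a header-only PE32 image in memory.

    Constructed test data for this example, not a real driver. `sections` is a
    list of (name, rva, size, characteristics); no raw section data is appended
    because the checks below only need the headers.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000)                   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                     # FileAlignment
    hdrs = b""
    raw_ptr = 0x400
    for name, rva, size, chars in sections:
        hdrs += struct.pack(SECTION_FMT, name.encode(), size, rva, size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs


def parse_headers(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "chars": chars})
    return entry_point, sections


def check_entry_point(data):
    """Hypothetical heuristic: the entry point should land inside an executable section.

    Returns (verdict, section_name); section_name is None when the entry point
    falls outside every section.
    """
    entry_point, sections = parse_headers(data)
    for s in sections:
        if s["va"] <= entry_point < s["va"] + s["vsize"]:
            if s["chars"] & IMAGE_SCN_MEM_EXECUTE:
                return "ok", s["name"]
            return "suspicious", s["name"]
    return "suspicious", None


def views_differ(filtered_view, raw_view):
    """Compare the bytes a normal file read returns with bytes obtained another
    way (for instance read directly from the volume). A mismatch means something
    between the caller and the disk is rewriting what the file appears to contain."""
    return hashlib.sha256(filtered_view).digest() != hashlib.sha256(raw_view).digest()


# Constructed sample layouts; section names and RVAs are made up for the example.
CLEAN_LAYOUT = [
    (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]

CLEAN_IMAGE = build_pe(CLEAN_LAYOUT, 0x1100)     # entry point inside .text
TAMPERED_IMAGE = build_pe(CLEAN_LAYOUT, 0x3010)  # entry point moved into a non-executable section

if __name__ == "__main__":
    print("clean   :", check_entry_point(CLEAN_IMAGE))
    print("tampered:", check_entry_point(TAMPERED_IMAGE))
    # A checker that is handed the clean bytes by a filtering layer sees nothing wrong.
    print("filtered view:", check_entry_point(CLEAN_IMAGE))
    print("views differ :", views_differ(CLEAN_IMAGE, TAMPERED_IMAGE))
```

`check_entry_point` only ever sees the bytes it is given: if a file-system filter hands a scanner the original image, the verdict is "ok" no matter what is on the disk, which is the gap Alex points at. A second, independently obtained view of the same file (as `views_differ` assumes) is what turns that gap into a detectable discrepancy, and it is the reason tools that read the volume directly can report a modification that a header check on the filtered file cannot.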