A forum for reverse engineering, OS internals and malware analysis 

Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Forum for analysis and discussion about malware.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2375  by PX5
 Thu Aug 26, 2010 7:41 pm
No worries here, only respect, apologies for using profanity in the post, spec the emotions go the better of me this time, something about that human quality I cant seem to remove.

I spose if I dont get my focus back on work, it wont matter much anyways. :)

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2380  by Maniac
 Thu Aug 26, 2010 11:41 pm
SUPERAntiSpyware 4.42.1000 Final

Changelog:
Resolves issue with McAfee and scanning "hang" on 64-bit systems
Enhanced "smart definitions" system resulting in improved detection of certain threats
Updated TDSS Detection/Removal Technology
Updated scanning engine (speed improvements)

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2388  by EP_X0FF
 Fri Aug 27, 2010 4:17 am
Jaxryley wrote:Another sample.
dg.exe - 8/ 41 (19.5%) - MD5 : 8d8ae005b1d95e542a3369557febc2d8
This is classical TDL3+
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=
affid=20787
subid=0
installdate=27.8.2010 4:15:52
builddate=27.8.2010 1:0:5
rnd=1993962763
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2390  by EP_X0FF
 Fri Aug 27, 2010 5:55 am
USForce wrote:
EP_X0FF wrote:I assume further improvements because this rootkit version is very easy to remove. And it is really buggy, I can't get real machines free from debuggers to work after infection, only after mbr recovery.
Rootkit is simply bugged
It works pretty fine on x64, system is bootable.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2392  by EP_X0FF
 Fri Aug 27, 2010 6:26 am
Okay, dropper works as expected on x64. To bypass direct disk access restriction this dropper operates with \Device\HarddiskX\DrX device and rewrites MBR with IOCTL_SCSI_PASS_THROUGH_DIRECT DeviceIoControl request and after this it do immediately ExitWindowsEx with Reboot flag set.
Quite simple stuff, nothing zero day unfortunately.

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2393  by Fabian Wosar
 Fri Aug 27, 2010 7:53 am
In case someone wants to take a closer look at the dropper I have attached an unpacked memory dump for static analysis. As EP_X0FF already mentioned the Dropper uses ZwOpenFile/ZwDeviceIoControlFile to write directly to the disk.
Attachments
Password: infected
(104.82 KiB) Downloaded 116 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #2396  by Fabian Wosar
 Fri Aug 27, 2010 10:50 am
More droppers are popping up currently. Mostly they just vary in the way they are packed and the config. For example:
http://www.virustotal.com/file-scan/rep ... 1282900525

File dump report:
Code: Select all
Trying to detect TDL3 ...

Memory Region Size: 0x1000
Memory Protection: 0x40
Memory Type: 0x20000
Memory State: 0x1000

Found TDL-3 shell code inside process. TDL-3 is running. Injected DLL:
\\?\globalroot\device\00000b9b\7112b3f1\cmd.dll

\\?\globalroot\device\00000b9b\7112b3f1\cfg.ini ...Success! (CRC: 0x8810dc9e)
\\?\globalroot\device\00000b9b\7112b3f1\config.ini ...Failed! (Errorcode: 2)
\\?\globalroot\device\00000b9b\7112b3f1\ldr16 ...Success! (CRC: 0x25447618)
\\?\globalroot\device\00000b9b\7112b3f1\ldr32 ...Success! (CRC: 0xe5d8dfe4)
\\?\globalroot\device\00000b9b\7112b3f1\ldr64 ...Success! (CRC: 0xbbcecddc)
\\?\globalroot\device\00000b9b\7112b3f1\drv32 ...Success! (CRC: 0xaf6d3dc4)
\\?\globalroot\device\00000b9b\7112b3f1\drv64 ...Success! (CRC: 0xc81b5de9)
\\?\globalroot\device\00000b9b\7112b3f1\kdmf.tmp ...Failed! (Errorcode: 2)
\\?\globalroot\device\00000b9b\7112b3f1\bckfg.tmp ...Success! (CRC: 0xaf0608eb)
\\?\globalroot\device\00000b9b\7112b3f1\cmd.dll ...Success! (CRC: 0xa20eac86)
\\?\globalroot\device\00000b9b\7112b3f1\cmd64.dll ...Success! (CRC: 0x925ba29e)
\\?\globalroot\device\00000b9b\7112b3f1\mbr ...Success! (CRC: 0xd0e85ed0)
\\?\globalroot\device\00000b9b\7112b3f1\keywords ...Failed! (Errorcode: 2)
Config:
Code: Select all
[main]
version=0.02
aid=30136
sid=0
rnd=1788223648
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wsrv=http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/
psrv=http://cri71ki813ck.com/
version=0.11
bsh=62eb4acda396a529555436afc2d1c9cba44d2eef
delay=7200
csrv=http://lkckclckl1i1i.com/
If someone desperately needs more dropper samples, just drop me a PM or mail.
Attachments
Password: infected
(182.33 KiB) Downloaded 136 times
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7
  • 60
 Return to “Malware”