A forum for reverse engineering, OS internals and malware analysis 

 #1624  by Buster_BSA
 Tue Jul 20, 2010 11:00 pm
gjf wrote: Some investigations using Hypersight tool concerning TDL3.
My doubt is whether TDL3 was detected when it was already running on the system, or whether the rootkit detector was running first and then the sample of TDL3 was launched.

It's not the same to detect an already running rootkit as a non-running rootkit.
 #1625  by gjf
 Tue Jul 20, 2010 11:18 pm
Buster_BSA wrote: It's not the same to detect an already running rootkit as a non-running rootkit.
Yes, you're right, but sometimes this very important information is missing.
And it should be taken into account that some malware has quite aggressive self-defense which prevents starting ARKs in the active infection stage.
 #1639  by EP_X0FF
 Thu Jul 22, 2010 7:46 am
This is very likely Symantec caused. Before trying any antirootkits, the first and main rule: uninstall/disable/remove any security products (antiviruses, firewalls, IPS) - because they are commercial rootkits and their activity trashes any kind of results from an antirootkit.
 #1649  by Maniac
 Thu Jul 22, 2010 6:55 pm
SUPERAntiSpyware 4.90.1018 Pre-Release
· Faster scanning in both Quick and Complete Scan modes (varies on each system)
· Additional TDSS Detection/Removal (Stealth Rootkit/Removal Technology)
· Heuristic Engine speed increases
· Last update on the way to the 5.0 pre-release - MAJOR update! Many user requested features including super fast scanning and more!
 #1681  by EP_X0FF
 Thu Jul 29, 2010 2:44 pm
http://www.superantispyware.com/product ... PYWAREFREE
07/21/2010 4.41.1000 Technology Changes

* Faster scanning in both Quick and Complete Scan modes (varies on each system)
* Additional TDSS Detection/Removal (Stealth Rootkit/Removal Technology)
* Heuristic Engine speed increases
* Last update on the way to the 5.0 pre-release - MAJOR update! Many user requested features including super fast scanning and more!
I tried SAS v4.41.1000 against TDL3 (see attachment) and SAS found nothing.
[main]
version=3.273
quote=You people voted for Hubert Humphrey, and you killed Jesus
botid=
affid=20492
subid=0
installdate=29.7.2010 14:32:38
builddate=29.7.2010 12:27:23
rnd=1606980848
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://dujdinganx.in/;hxxps://91.212.226.67/;hxxps://nichtadden.in/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
http://www.virustotal.com/analisis/5e61 ... 1280413209
pass: malware
 #1683  by Meriadoc
 Thu Jul 29, 2010 7:09 pm
Confirmed here, http://www.wilderssecurity.com/showthre ... ost1716070

I've never yet been able to detect TDL3 with SAS. Also, many times I've tested SAS removing rootkits, it just led to BSODs.

edit: made sas comment clearer.
Last edited by Meriadoc on Thu Jul 29, 2010 10:49 pm, edited 2 times in total.
 #1685  by Quads
 Thu Jul 29, 2010 9:22 pm
I can also confirm that a week or so ago when I had SAS updated, I tried it on TDL3 without success of detection. (I didn't get a BSOD though)

I wonder if the TDSS update for SAS was for detection of TDL2 variants (PRAGMA, H8SRT, _VOID etc.)

Quads