[SecConnex]

Thanks for confirming fatdcuk...

I can confirm the user I am helping has not had a history of the TDL infection.

Although, the TDL infection may institute a router exploit... the malware is probably being downloaded and executed via TDL3.

I would doubt that TDL authors would make their information so open, like these IP addresses show it...

http://hosts-file.net/default.asp?s=213.109.72.139

Take a look there at one example IP address on its range: 213.109.64.0 - 213.109.79.255

I am getting ready to PM MysteryFCM to have that added to hpHosts, since we have confirmed the addresses to be rogue DNS servers.

[Crush]

Anyone know if this is just limited to home users or are the TDL morons really getting brave and going after corporate routers?

[SecConnex]

Any router is infected.

No computer is 100% safe from malware threats, not even corporate networked computers. Actually, some corporations have a lot of trouble with malware. Which is why enterprise selling of antivirus products is so at-large.

[InsaneKaos]

Maybe it possible, that TDL is sometimes hosting other Malware under its stealth. For expample: There is a malwareauthor who has written some crap, that changes the DNS of the router and he is willing to pay for the stealthy ability of TDL. So the Botmaster of a botnet adds this DNS-Changer to the TDL hidden filesystem and runs it from there. That could be a reason, why sometimes there are TDL infections with DNS changing ability and someteimes not.

[LeastPrivilege]

DragonMaster Jay said:
Which is why enterprise selling of antivirus products is so at-large.

I just wish this security method still worked. I deal with these issues every day.

[Brookit]

eSage TDSS remover update:

Code: Select all

08.09.2010 TDSS REMOVER UPDATE
TDSS Remover version 1.8 released.
New in this version:

    * Bootkit.TDSS detection and removal
    * x64 operating systems support. 

http://esagelab.com/files/tdss_remover_latest.rar

[InsaneKaos]

Looks like tdlcmd.dll has a new version

[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=a9e176b2-1f9a-4ff5-9e37-1e55f441663c
affid=40800
subid=0
installdate=13.9.2010 13:17:1
builddate=13.9.2010 13:1:3
rnd=1645522239
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.962

Dropper is unknown to any AVs

VT Dropper = http://www.virustotal.com/file-scan/rep ... 1284383726
VT tdlcmd.dll = http://www.virustotal.com/file-scan/rep ... 1284383917

[LeastPrivilege]

1. Installed SAS v4.43.1000

"Updated TDSS Detection/Removal Technology"
"Updated definition (smart) heuristic engine"

2. Ran a scan on a TDL3 infected test box.

"No malicious items detected"

SAS is still blind.

[Jaxryley]

For perusal.

9d3037_2.exe - 21 /43 (48.8%) - MS Trojan:Win32/Alureon.EC - MD5 : 98a603213a007eeb355778d274de26b5
http://www.virustotal.com/file-scan/rep ... 1284591735

Drops a 3cE931eI.dll
http://www.virustotal.com/file-scan/rep ... 1284592137

9d3037_2 and DLL.rar

(241.26 KiB) Downloaded 90 times

[Quads]

Another tool, http://www.symantec.com/content/en/us/g ... ixTDSS.exe

I have not tested what it does with TDL3+ and what it does to the patched files, let alone the latest TDL

I am in the New Zealand Earthquake zone, getting shaken left right and center

Quads