A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2705  by SecConnex
 Wed Sep 08, 2010 7:19 pm
Thanks for confirming fatdcuk...

I can confirm the user I am helping has not had a history of the TDL infection.

Although, the TDL infection may institute a router exploit... the malware is probably being downloaded and executed via TDL3.

I would doubt that TDL authors would make their information so open, like these IP addresses show it...

http://hosts-file.net/default.asp?s=213.109.72.139

Take a look there at one example IP address on its range: 213.109.64.0 - 213.109.79.255

I am getting ready to PM MysteryFCM to have that added to hpHosts, since we have confirmed the addresses to be rogue DNS servers.
 #2706  by Crush
 Wed Sep 08, 2010 7:57 pm
Anyone know if this is just limited to home users or are the TDL morons really getting brave and going after corporate routers?
 #2707  by SecConnex
 Wed Sep 08, 2010 8:03 pm
Any router is infected.

No computer is 100% safe from malware threats, not even corporate networked computers. Actually, some corporations have a lot of trouble with malware. Which is why enterprise selling of antivirus products is so at-large.
 #2713  by InsaneKaos
 Thu Sep 09, 2010 1:54 pm
Maybe it possible, that TDL is sometimes hosting other Malware under its stealth. For expample: There is a malwareauthor who has written some crap, that changes the DNS of the router and he is willing to pay for the stealthy ability of TDL. So the Botmaster of a botnet adds this DNS-Changer to the TDL hidden filesystem and runs it from there. That could be a reason, why sometimes there are TDL infections with DNS changing ability and someteimes not.
 #2746  by InsaneKaos
 Mon Sep 13, 2010 1:38 pm
Looks like tdlcmd.dll has a new version
[main]
version=3.273
quote=Tempers are wearing thin. Let's hope some robot doesn't kill everybody
botid=a9e176b2-1f9a-4ff5-9e37-1e55f441663c
affid=40800
subid=0
installdate=13.9.2010 13:17:1
builddate=13.9.2010 13:1:3
rnd=1645522239
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.962
Dropper is unknown to any AVs

VT Dropper = http://www.virustotal.com/file-scan/rep ... 1284383726
VT tdlcmd.dll = http://www.virustotal.com/file-scan/rep ... 1284383917
Attachments
TDL3+
pw: infected

(83.81 KiB) Downloaded 109 times
 #2755  by LeastPrivilege
 Wed Sep 15, 2010 4:29 pm
1. Installed SAS v4.43.1000

"Updated TDSS Detection/Removal Technology"
"Updated definition (smart) heuristic engine"

2. Ran a scan on a TDL3 infected test box.

"No malicious items detected"

SAS is still blind.
  • 1
  • 20
  • 21
  • 22
  • 23
  • 24
  • 60