A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #967  by EP_X0FF
 Sat May 01, 2010 4:42 am
Updated to 3.747 (dropper attached), new configuration values.
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
installdate=1.5.2010 4:35:54
builddate=30.4.2010 1:45:9
rnd=343818398
knt=1272689013
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js81030 ... n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661 ... 3kjf7.com/
version=3.747
VirusTotal
http://www.virustotal.com/ru/analisis/a ... 1272688871
http://www.virustotal.com/ru/analisis/f ... 1272688878
Last edited by EP_X0FF on Sat Jul 10, 2010 3:07 am, edited 1 time in total. Reason: removed attach (10 July 2010)
 #989  by cjbi
 Tue May 04, 2010 5:13 pm
Interesting blog post from Symantec.

The Trojan.Mebroot and Backdoor.Tidserv Crossover
The print processor names are the strings “TDL4” and “TDL5”, which are typically found in Tidserv samples, in particular the Tidserv installer was creating a print processor named “tdl”. The last version of Tidserv was named TDL3. By using these tags, is Mebroot trying to pretend to be a new Tidserv version? Are they just trying to throw smoke in the eyes of the analysts? Who knows!
 #990  by EP_X0FF
 Tue May 04, 2010 5:20 pm
Hehe, thanks for the info, so it's likely partially sold?
 #994  by Elite
 Wed May 05, 2010 6:47 pm
That might explain the lack of rootkit updates in TDL3+ funpack during the past month or two.

Also, is Symantec referring to Ghost Shadow or the old Mebroot (from a year or two ago, also known as Sinowal) in the above blog post?

It's going to be an interesting summer.
 #995  by gjf
 Wed May 05, 2010 7:07 pm
I don't understand you, guys. Yes, this Mebroot uses the same mechanism to overcome HIPS protection, just like TDL3. Frankly speaking, TDL3 moved a step further: it doesn't use AddPrintProcessor, but AddPrintProvidor.
So what? The author of the bootkit studied a new effective way to drop the malware. There is no mention of MBR modification or of the kernel loader. No information about the rootkit mechanism. Some time ago Prevx "experts" informed about a new bootkit version. And the only symptom they mentioned was:
If you haven't installed Prevx and you want to check if your system is infected by MBR rootkit, it's possible to check inside Windows directory, under the Temp subdirectory (%windir%\Temp) for the presence of a hidden file with its name starting with "$$$". If there is such a file, your PC could be affected by the MBR rootkit.
It is very clever! I believe Prevx thinks they are the best AV vendor on the market after such wise words :)

The same - at Symantec. No real study of the rootkit activity, but the dropping mechanism "has caught eyes".
 #996  by EP_X0FF
 Thu May 06, 2010 4:48 am
gjf wrote:Some time ago Prevx "experts" informed about a new bootkit version.
Hehe, I never considered Giuliani's words as truth. Especially when he found a relation between callbacks and $$$ =)
This is the comedy section from the MD5 calculator writers.
 #999  by obse
 Thu May 06, 2010 1:29 pm
Elite wrote:That might explain the lack of rootkit updates in TDL3+ funpack during the past month or two.
They kept it updated, but don't change the version number. For example, they changed the place for the "magic" const; now it is inside srb packed :lol:
Elite wrote:Also, is Symantec referring to Ghost Shadow or the old Mebroot (from a year or two ago, also know as Sinowal) in the above blog post?
"Ghost Shadow" is very buggy Chinese malware :) the infected system is very unstable
Symantec talks about the old Mebroot
 #1000  by notkov
 Thu May 06, 2010 1:54 pm
obse wrote:They kept it updated, but don't change the version number. For example, they changed the place for the "magic" const; now it is inside srb packed :lol:
Do you have a sample?

Thank you.
 #1002  by EP_X0FF
 Thu May 06, 2010 3:14 pm
Hello,

there is no need to ask for samples that are attached multiple times in this thread on previous pages.

Regards.
 #1004  by notkov
 Thu May 06, 2010 4:35 pm
[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=55045ff5-72b5-4a95-8c6b-5e958b314602
affid=20082
subid=0
installdate=6.5.2010 16:5:57
builddate=4.5.2010 20:10:5
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js81030 ... n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661 ... 3kjf7.com/
popupservers=http
version=3.741
VirusTotal:
http://www.virustotal.com/analisis/9ce9 ... 1273163214

Nice strings inside:
"Hello Semantec :) Nice to meet you here"
"Semantec, I love you :)"
Attachments
you know the pass...
(85.3 KiB) Downloaded 89 times
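The configuration dumps posted in #967 and #1004 share one INI-style layout: a [main] block with the rootkit version, botid/affid and timestamps, an [injector] block mapping a process pattern to the DLL it loads, and a [tdlcmd] block with ';'-separated server lists and its own, separately bumped, version string. The following parser is an added example written for this thread, not code from the thread or from any of the tools mentioned in it. The sample config embedded in it is constructed (placeholder domains and a zeroed botid); reading the [injector] keys as process-name patterns is an interpretation, not something the dumps state.

```python
"""Parser for the [main]/[injector]/[tdlcmd] config format shown in the thread.

Added example; the SAMPLE_CONFIG below is constructed and uses placeholder
domains, not values from a real sample.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample in the layout of the posted dumps. Domains and botid are
# placeholders; the two differing version strings mirror the posted dumps.
SAMPLE_CONFIG = """[main]
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
version=3.273
botid=00000000-0000-0000-0000-000000000000
affid=20082
subid=0
installdate=6.5.2010 16:5:57
builddate=4.5.2010 20:10:5
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://c2-one.invalid/;https://c2-two.invalid/
wspservers=http://wsp-one.invalid/;http://wsp-two.invalid/
popupservers=http://popup.invalid/
version=3.741
"""

Section = Dict[str, str]


def parse_tdl_config(text: str) -> Dict[str, Section]:
    """Parse '[section]' headers and 'key=value' lines into nested dicts.

    Values contain ':' (timestamps, URLs), so each line is split on the
    first '=' only; key case is preserved (the '*' injector key matters).
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            # Stray line outside any section, or no delimiter: skip it.
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def split_servers(value: str) -> List[str]:
    """Server lists are ';'-separated; a trailing ';' must not yield ''."""
    return [s for s in (p.strip() for p in value.split(";")) if s]


def extract_indicators(cfg: Dict[str, Section]) -> dict:
    """Pull the fields an analyst records from a config: versions, ids,
    the injector mapping (assumed: process pattern -> DLL) and server lists."""
    main = cfg.get("main", {})
    tdlcmd = cfg.get("tdlcmd", {})
    return {
        "rootkit_version": main.get("version"),
        "tdlcmd_version": tdlcmd.get("version"),
        "botid": main.get("botid"),
        "affid": main.get("affid"),
        "injected_dlls": dict(cfg.get("injector", {})),
        "servers": split_servers(tdlcmd.get("servers", "")),
        "wspservers": split_servers(tdlcmd.get("wspservers", "")),
        "popupservers": split_servers(tdlcmd.get("popupservers", "")),
    }


def versions_differ(cfg: Dict[str, Section]) -> bool:
    """True when [main] version and [tdlcmd] version disagree, as in the
    posted dumps (3.273 vs 3.747 / 3.741): the module is updated separately."""
    ind = extract_indicators(cfg)
    return ind["rootkit_version"] != ind["tdlcmd_version"]


def c2_hosts(cfg: Dict[str, Section]) -> List[str]:
    """Sorted, de-duplicated hostnames from all three server lists, suitable
    for a DNS/proxy blocklist. A truncated entry without a host is dropped."""
    ind = extract_indicators(cfg)
    hosts = set()
    for key in ("servers", "wspservers", "popupservers"):
        for url in ind[key]:
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    import json
    parsed = parse_tdl_config(SAMPLE_CONFIG)
    print(json.dumps(extract_indicators(parsed), indent=2))
    print("hosts:", c2_hosts(parsed))
```

Feeding it the text of a dump recovered from a sample gives the version pair and the server hostnames in one step; the version check makes the point obse raises (updates that leave [main] version untouched) visible immediately.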