A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5754  by NOP
 Wed Mar 30, 2011 4:27 pm
@markusg: I don't think there is any point in posting the same repacked sample over and over. The last 2 files you posted are identical except slightly different (probably polymorphic) packer code.
 #5755  by EP_X0FF
 Wed Mar 30, 2011 4:28 pm
@freyr

The TDL packer is nothing special. As NOP already said you can retrieve all sensitive data (drv loader, cmd.dll (UPX), cmd64.dll (MPRESS) except cfg.ini because it constructs by cmd.dll in runtime) by simple dumping to disk whole allocated region. However unpacking each TDL sample is quite boring, so automatic tools for TDL data extraction/analysis were developed long time ago (starting from earlier 3.x versions) - all them work (or should) until now and cannot be bypassed by this rootkit due to rootkit own design. You can look for code posted by Fabian Wosar somewhere in the beginning of this thread.

Latest posted sample extracted data in attach.
[main]
version=0.03
aid=30040
sid=0
builddate=351
rnd=1229272821
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
Attachments
pass: malware
(67.49 KiB) Downloaded 84 times
 #5803  by EP_X0FF
 Sun Apr 03, 2011 3:29 am
Post removed, see thread posting rules, page 1.
3. Please do not post identical samples and links to out-dated information about TDL4
If you not sure what sample do you have - please do the small initial analysis (in VM/Sandbox etc) instead of just attaching it here. There is nothing new in TDL4 copy-pasted version for a long time, so there is no sense in samples of the same kind. VT scan results always will be entertainment because everybody knows that signatures and so-called generic detections/heur simple sucks.
 #5919  by EP_X0FF
 Wed Apr 13, 2011 11:00 am
Blur wrote:I think this probably affects DisableDriverSigning bcd entry, to stop windows cracks from working.
http://blogs.technet.com/b/srd/archive/ ... dates.aspx
The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. It is an optional update available on WU and WSUS.
 #5922  by USForce
 Wed Apr 13, 2011 11:41 am
Blur wrote:I think this probably affects DisableDriverSigning bcd entry, to stop windows cracks from working.
I don't think so. WinPE mode must allows unsigned drivers otherwise Microsoft would break many things. I think they fixed how Winload.exe is loading kernel and its dependencies (kdcom.dll, hal.dll, bootvid.dll) by forcing it to load only signed drivers not matter what says the BCD configuration.

I think the situation before this patch was:

BCD -> DriverSigningOption
Winload.exe -> Read BCD and check DriverSigningOption. If Driversigning is enabled, it checks for digital signature on kernel and its dependencies; otherwise it doesn't do any check and just load the kernel
kernel -> will use DriverSigning or not based on the parameters passed by winload.exe (/MININT)

The situation now should be:

BCD -> DriverSigningOption
Winload.exe -> no matter what is the BCD configuration, winload will always check for digital signatures on kernel and its dependencies
kernel -> will uses DriverSigning or not based on the parameters passed by winload.exe (/MININT)

TDL4 was exploiting this situation, by changing the BCD configuration so that Winload could load unsigned drivers as well and restoring the option by changing again the /MININT to IN/MINT
 #5980  by freyr
 Mon Apr 18, 2011 10:59 pm
Theoretically it may now use BcdLibraryBoolean_DisableIntegrityCheck,
and identify kdcom.dll by new export table size. So I think MS make a mistake,
becouse if tdl authors will go by the simple way, infected machine's will be affected to load
unsigned drivers from any "vx-vendors".
  • 1
  • 39
  • 40
  • 41
  • 42
  • 43
  • 60