A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8268  by EP_X0FF
 Thu Aug 25, 2011 1:04 pm
markusg wrote:
30295c39e47ebd08529ea2e8cac4b8f31e4b2.exe
MD5: c39e47ebd08529ea2e8cac4b8f31e4b2
http://www.virustotal.com/file-scan/rep ... 1314274034
TDL4 with updated cmd.dll
[main]
version=0.03
aid=30295
sid=0
builddate=351
installdate=25.8.2011 13:2:37
rnd=198569797
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.29
Attachments
pass: malware
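The [main]/[inject]/[cmd] dump above is the bot's cfg.ini in plain INI syntax. As an added example, not code from the thread or from the sample, the script below parses such a dump and pulls the C2 server lists out of the [cmd] section. The two embedded configs are copied from posts #8268 and #8320 of this thread (the second one as line-wrapped on the page); the hxxp/hxxps defanging is undone only in memory so the URL parser can take the hostnames. The function and variable names are the example's own.

```python
"""Parse a TDL4-style cfg.ini dump and extract the C2 host lists.

Added example. configparser already treats indented lines as
continuations of the previous value, so the line-wrapped dump from
post #8320 parses the same as the single-line one from post #8268.
"""
import configparser
from urllib.parse import urlparse

# Constructed input: cfg.ini as printed in post #8268.
SAMPLE_CFG = """\
[main]
version=0.03
aid=30295
sid=0
builddate=351
installdate=25.8.2011 13:2:37
rnd=198569797
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.29
"""

# Constructed input: cfg.ini as printed (line-wrapped) in post #8320.
SAMPLE_CFG_WRAPPED = """\
[main]
version=0.03
aid=30291
sid=0
builddate=351
installdate=
rnd=3644762925
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;
    hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;
     hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.30
"""


def parse_cfg(text: str) -> configparser.ConfigParser:
    """Read the INI text; keep key case so '* (x64)' survives untouched."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def refang(url: str) -> str:
    """Undo the forum's hxxp/hxxps defanging so urlparse sees a real scheme."""
    if url.startswith("hxxp"):
        return "http" + url[4:]
    return url


def c2_hosts(cp: configparser.ConfigParser) -> dict:
    """Return {role: [hostname, ...]} for the srv/wsrv/psrv lists in [cmd]."""
    out = {}
    for role in ("srv", "wsrv", "psrv"):
        raw = cp.get("cmd", role, fallback="")
        hosts = []
        for entry in raw.split(";"):
            entry = entry.strip()  # also drops the newline a wrapped line leaves behind
            if entry:
                hosts.append(urlparse(refang(entry)).hostname)
        out[role] = hosts
    return out


def summary(text: str) -> dict:
    """Fields an analyst typically records from one of these dumps."""
    cp = parse_cfg(text)
    return {
        "aid": cp.getint("main", "aid"),
        "version": cp.get("main", "version"),
        "cmd_version": cp.get("cmd", "version"),
        "inject": dict(cp.items("inject")),
        "c2": c2_hosts(cp),
    }


if __name__ == "__main__":
    for name, cfg in (("#8268", SAMPLE_CFG), ("#8320", SAMPLE_CFG_WRAPPED)):
        s = summary(cfg)
        print(name, "aid", s["aid"], "cmd", s["cmd_version"])
        for role, hosts in s["c2"].items():
            print("  ", role, ", ".join(hosts))
```

Running it shows what the two posts state in words: the affiliate id and cmd.dll version differ between the drops while the srv/wsrv/psrv domain sets are identical.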
 #8317  by vennemars-alex
 Sun Aug 28, 2011 9:13 pm
Sorry for asking.

The bootblock of TDSS 4 I could handle with Bochs, but how did you all get to those single parts (bootblock, DLL etc.)?

The problem I have is the crypter. How did you get past it? For Stuxnet I could get the DLL at a certain moment by debugging with Olly.

But what's the general pathway for extracting such parts, getting past the crypter? (E.g. the old Morphine)
 #8320  by nullptr
 Mon Aug 29, 2011 6:27 am
TDL4 with updated cmd.dll, cmd64.dll and drv64.
[main]
version=0.03
aid=30291
sid=0
builddate=351
installdate=
rnd=3644762925
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.30
Dropper and everything in attachment.
Attachments
pwd: malware
 #8395  by EP_X0FF
 Sun Sep 04, 2011 12:41 am
rossetoecioccolato wrote:
Could you add the boot sector, please? Apparently they are not all the same.
Apparently not, they are the same.

This is the MBR infected by nullptr's dropper, from one of the test machines used for TDL4 farming.

http://www.virustotal.com/file-scan/rep ... 1308128163

First seen: 2011-05-27 09:29:16

As you see, zero changes.