[EP_X0FF]

Please read this post before you start posting in this thread.

This is thread about TDL4 infection, use the following link for
TDL series common information and TDL3 detailed description, discussion

TDL4 common information

First kernel mode rootkit compatible with x64 Windows.

Note: After "re-discovering" WinNT/Turla in the beginning of 2014 this title is no longer valid, as Turla is about one year older Win64 compatible kernel mode rootkit

Uses bootkit technique to load itself and bypass drivers signing restriction on x64
Uses payload C&C dll injection (cmd.dll for x86 and cmd64.dll for x64).
To keep it's data uses own VFS where stored following files:

• cfg.ini (configuration text file, replaced previously used config.ini)
• cmd.dll (payload dll to be injected into x86 processes)
• cmd64.dll (the same but for x64)
• mbr (copy of original main boot record)
• ldr16 (rootkit loader parts, gets control from infected mbr and provides further rootkit loading)
• ldr32 (rootkit driver, representing fake KD dll, responsible for loading main rootkit driver)
• ldr64 (ldr32 version for x64 systems)
• drv32 (main rootkit driver, VFS support, modifications hiding)
• drv64 (drv32 version for x64 systems)

may store additional files or payload downloaded by cmd library.

Rootkit renders Windows XP (x86/x64), Windows 2003(x86/x64) into unbootable state after infection (infection method restriction).

Current versions

• rootkit 0.03
• C&C library version
  cmd.dll 0.31
  cmd64.dll 0.31

Version history:

0.01 firstly detected ITW in the end of July 2010
0.02 August 2010, version with x64 support
0.03 September 2010, small changes, new C&C library
In April 2011 Microsoft released KB2506014 targeting 0.03 version, exactly boot loader and kd dll - and it was able to successfully prevent TDL4 work. However rootkit support strike back after two weeks releasing their update bypassing MS patch. Rootkit version wasn't changed.

TDL4, Alureon: The First In The Wild 64-Bit Windows Rootkit from MS VB 2010 presentation
http://www.virusbtn.com/pdf/conference_ ... VB2010.pdf

TDSS. TDL4 by sww from Kaspersky Lab (only in Russian)
http://www.securelist.com/ru/analysis/2 ... DSS_TDL_4p

TDL4 Starts Using 0-Day Vulnerability! from Kaspersky Lab
http://www.securelist.com/en/blog/337/T ... nerability

The evolution of TDL: Conquering x64 from ESET
http://www.eset.com/us/resources/white- ... of_TDL.pdf


TDL3/4 detectors & removers available for download

• Microsoft Security Essentials http://www.microsoft.com/security_essen ... fault.aspx
• TDSSKiller from Kaspersky Lab http://support.kaspersky.com/downloads/ ... killer.zip
• TDSS Remover from eSage Lab http://www.esagelab.com/files/tdss_remover_latest.rar
• Hitman Pro http://files.surfright.nl/HitmanPro35beta.exe
• Hitman Pro x64 http://dl.surfright.nl/HitmanPro35beta_x64.exe
• Dr.Web CureIt! ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
• Norman TDSS Cleaner http://download.norman.no/public/Norman ... leaner.exe
• TDL3 Razor by Tizer Secury http://www.tizersecure.com/about_TDL3_r ... remove.php
• Symantec FixTDSS http://www.symantec.com/content/en/us/g ... ixTDSS.exe
• ESET TDL cleaner http://download.eset.com/special/EOlmarikRemover.exe
• BitDefender TDL Remover
  32-bit http://www.malwarecity.com/community/in ... howfile=25
  64-bit http://www.malwarecity.com/community/in ... howfile=26

Please note that none of this tools does not gives guarantee of successful removal.

Thread posting rules

• 1. TDL samples must be archived and password-protected. Pasword can be "infected" or "malware".
  All other samples can be deleted by administration without notice.
  
  2. Please avoid of posting links to TDL fresh sites to keep them alive for harvesting.
  
  3. Please do not post identical samples and links to out-dated information about TDL4
  
  4. Please stay on topic (off-topic posts can be deleted without any notice).

Note: Unauthorized users can't download and see attachments.

Your contribution in reversing and harvesting this rootkit --> highly welcomed.
Thanks :)

[a_d_13]

And, as for sharing the samples:
As soon as a dropper is found, I plan on sharing this in public. I will probably not write an article, and I do not work in an antivirus or antimalware company. I want like to have all "pieces" before I release anything at all. The samples were not gathered all at once - I've been slowly gathering more "pieces" as time goes on.

Again, as soon as a dropper is found (by me or by someone else), I will share the samples gathered in public. Posts requesting samples before then will be deleted, as per EP_X0FF's post.

Thanks,
--AD

[Fabian Wosar]

I think I found a dropper:
http://virscan.org/report/05ce799c95783 ... 6ce84.html

Successfully infects x86 (tested using Windows XP) and x64 (tested using Windows 7) versions of Windows. I only did a short analysis to confirm that it is in fact TDL-3 and from that it appears that the rootkit itself hasn't changed much. The infection method though looks quite interesting. It is detected by HitMan (device driver stack check) but not by TDSSKiller. Neither of them is able to clean an infection.

Config:

Code: Select all

[main]
version=0.02
aid=30136
sid=0
rnd=1604221776
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wsrv=http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/
psrv=http://cri71ki813ck.com/
version=0.11
bsh=fe194e009e4f45ca0fcfed13cae604570fda2f3c
delay=7200
csrv=http://lkckclckl1i1i.com/

Here are the strings from the injected 32bit DLL:

Code: Select all

Strings v2.41
Copyright (C) 1999-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

!This program cannot be run in DOS mode.
Rich
UPX0
`UPX1
`UPX2
3.03
UPX!
jd3
jdY3
Shh
PSS
Phx
XSSS
1Nu
WtP
tFHtL
Whs
9C@t>V
FFj
SVW3
8_^[
@VW
Q$9u
C +C
C$+C
;C@
|Kh
u$h
CD9E
t<@
QQW
B9]
H9E
_^[
D$ P
t$ 
t$ Y3
t$j
C<h
uK9{,uF
WVS
VWS
_^]
SVW3
tP-
_^[]
_^[]
9;t
9~0
t j
_^u
QSVh
PVj
t2j
PVS
SVWj
PWhP
PWh
PWh,
PWh<
_^[
VWj
t89V
QVP
SVWj
jx[
WWWWWWWh
PSW
WWW
_^3
j P
SVWj
t8"V
SPVW
WhX
VWh<
t.j
 W3
SVW
tCh
t3h
_^[
Ph,
jjj
t$$
Vht
VWhx
SVWh
j,V
j.V
t~3
_^[
PFV
<,u
SVW
Ph 
_^[
VWj<^3
PWWS
Ph<
PVh<
!Vhx
VVVh<
SUVW
Phh
j;S
u,UhX
_^][
SVWj
h0u
SVh
j=P
Cj|S
@j|P
Gj|W
@_^[
SVW3
Ph,
D$ P
\$(
\$,
Ht`H
Ph,
D$pP
D$tP
D$tP
D$pP
D$pP
t}j@
D$0SP
D$4D
D$,PSSSSSS
D$X,
D$pP
D$pP
D$pP
t$ h
SWj
SSj
SSh
toSP
tPV@P
tAS
QSUV
Wh4
ShD
v!j
WVh
SVW
p(V
 S3
p(V
Pj 
_^t
pKV
Nhh
SUV+
WSh
NVP
D$,
_^][
j=h
p(V
(SV3
x(W
Pj(
F$3
@_[
p(V
$SV3
x(W
Pj$
p(V
p(V
p(V
p(V
0@;E
QQV
UWj
SEP
j/U
_][
^YY
VWj
SUVW
VPhh
D$(
VPh
D$(
VPh
D$(
VPhD
D$(
unP
_^][
uzh
unh
ubh
uVh
uJh
u>h$
u2h,
u&h4
9\$
_^3
WhL
jd3
QPhl
QQWh
_^[]
QQVj
VVV
 W3
 W3
QSVWj
VVj
VVh
tDVW
t.@P
VVVW
W@P
SSh
tqVj
SSW
j!j|P
j j;
SV3
PWS
j|V
Fj|V
NSh
_^3
j!j|V
j!j|W
j!j|S
SWP
Ph 
@@AA
_^[
j@h
SVW3
F;u
_^[
DSVWj
<@u
=<*u
_^[
El 
E4H
EDT
EL`
Edd
Ell
_^]
tmSV
tFW
t1VSW
SWh,
j.V
< r
SVW
PjYh
PjZh
tnh
ETP
ENP
ELP
t&W
VVVj
;D$
t$VPj
;D$
t$VPj
SV3
PWVj
FD;E
@;^
_^[
SVW3
SSj
SSj
SSSj
SSSj
>PE
f9F
f9F
FPj@h
+F4
f;V
t9H
u,h@
t:3
<09
B(j
_^[
t)V
j.U
j.P
t@W
f;K
Pj@
_[]
u>j
VWd
hkX
PhyP
PhFP
VVV
 W3
u$SV
u$SV
SUV
Wh<
t-j
t!j
_^][
SVW
@j|P
@j|P
tIh
_^[
SV+
_^[
SVWj
j P
WPVS
ShX
x(W
x(W
PNVW
SUV
t"US
_^]3
SVW
9^ u
t@W
V PQR
tHV
SVW
Vht
t-j
_^[
ugVWS
u[9E
VWS
VWS
GWh
WVh
WVh
t1h
t%h
u>9
tN@P
}(W
_^[]
u6VW
SVW
E$3
9E$
u.9E t)
E$_^[
SVW
h.a
SVW3
WWWj
T$,jx
t$dj*
t$tj*
t$0j*
_^[
SUV
_^][
u@Vj@
F(P
h~3
u@Vj@
F(P
h~3
u@Vj@
F(P
u@Vj@
F(P
p(V
p(V
VWj
_^u
SPht
QVj
^[]
QQV3
SVWh
SSSS
j<^V
PSS
SSj
SSSQSP
SSj
t#=
SSj
9] u
j@h
SSj
!9]
t5S
9] u
j@h
@PS
SSS
E ;
SSS
j\V
uhh4
E P
t>9E u9Vh
_^[
QQSUVW
VSh
VShx
VShp
VShh
VSh`
VShX
*u,
VWh
Ph@
\$(
_^][
SVW
urh
tb3
ulhP
u`h\
uThh
uHhp
u<h|
u0h
u$h
SSS
SSSh
_^[
Pj@j
t$$
_UU]
jdY
PP<f
FF$
<&Xt
<dXt
RP<
a+D$
*Fw
vj5
v?M
vdN
v "Ew`"EwV
vt+
uR~
ur~
u7#
u'9
u}$Fw
uy}
ugt
u5l
u{-
KPw
"Fw
/Jwu
=Pw+JPwuKPwx
Hw|
Hw*
/Fw
EwP
@PwB
Hw`
Dw{
lHw)
 Ow
#Ew +Gw
pCu
FInternet Explorer_Server
WebBrowser
buy
order
basket
waveOutOpen
winmm.dll
svchost
%s-%d
GetCursorPos
user32
ole32.dll
CoCreateInstance
software\microsoft\internet explorer\main\featurecontrol\FEATURE_BROWSER_EMULATION
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
currentlevel
software\microsoft\windows\currentversion\internet settings\zones\3
1601
1400
software\microsoft\internet explorer\international
acceptlanguage
%s\%s
://
http://%s/?xurl=%s&xref=%s
1.8
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
atl.dll
AtlAdvise
AtlUnadvise
AtlAxCreateControlEx
SysFreeString
oleaut32.dll
n%D,3
Global\3006345f-6baf-4669-a7e1-aaa310564be9
kdmf.tmp
%d|%d|%s|%s
%X%X
tasks
.dll
Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)
bsh
cmd
DownloadCrypted
DownloadCrypted2
DownloadAndExecute
DownloadCryptedAndExecute
DownloadCryptedAndExecute2
Download
ConfigWrite
SetName
%[^.].%[^(](%[^)])
0.11
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
srv
retry
noname
delay
knt
main
setup.exe
winsta0\default
version
http://lkckclckl1i1i.com/
csrv
HTTP/1.1 302 Found
Location: %s
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Content-Type: text/html
Content-Length: %d
Connection: close
<html><head><script type="text/javascript">function f(){var url="%s";try{var x=document.getElementById("_a");x.href=url;x.click()}catch(e){try{var x=document.getElementById("_f");x.action=url;x.submit()}catch(e){}}}</script></head><body onload="f()"><a id="_a"></a><form id="_f" method="get"></form></body></html>
<html><body onload="javascript:history.back()"></body></html>
Software\Win%c%c
http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/
wsrv
http://cri71ki813ck.com/
psrv
.jpg
.jpeg
.gif
.tiff
.bmp
.png
.wbmp
.pcx
.psd
.js
.swf
.flv
.css
.xml
.exe
.zip
.rar
.msi
action=sbp
action=123
%url%
%.*shttp://%s%s%s
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s http://%s/?xurl=%s&xref=%s
%s %s
1.6|%s|%s|%s|%s|%s|%s
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890
AaKkZzVv
01234
pPlLdDeExX
5678
34567
mMyYjJqQXx
CcOoSsUu
0123456789
0123
AcxghkZ
AaKhQqYy
123
eElLdCUExX
mFyYjJqQXx
GgOoSsUu
789
1234
AchIwWqQ
software\classes\http\shell\open\command
getlongpathname
firefox
<>:"/\|?*
%s-%s
GetNativeSystemInfo
kernel32
 x64
%1d.%1d %04d SP%1d.%1d%s
S:(ML;;NW;;;LW)
%s.dll
kernel32.dll
kernelbase
www.
.text
.rdata
ntdll
KiUserExceptionDispatcher
ZwProtectVirtualMemory
ZwWriteVirtualMemory
mswsock
ws2_32
wsock32
dnsapi
wininet
alexametrics.com
fimservecdn.com
myspacecdn.com
.tqn.com
searchvideo.com
flickr.com
.com.com
oneriot.com
picsearch.com
twimg.com
adcertising.com
openx.org
truveo.com
tacoda.net
doubleverify.com
atwola.com
meedea.com
wazizu.com
yieldmanager.com
worthathousandwords.com
firmserve.com
compete.com
lygo.com
superpages.com
edgesuite.net
infospace.com
ytimg.com
66.235.120.67
66.235.120.66
scorecardresearch.com
iwon.com
doubleclick.net
2mdn.net
yimg.com
powerset.net
ivwbox.
atdmt.com
virtualearth.net
gstatic.com
abmr.net
adbureau.net
tribalfusion.com
adrevolver.com
everesttech.net
othersonline.com
aolcdn.com
twitter.com
wikimedia.org
wikipedia.org
youtube.com
facebook.com
amazon.com
adobe.com
macromedia.com
blinkx.com
alexa.com
conduit.com
answers.com
myspace.com
about.com
mamma.com
.search.com
.lycos.
alltheweb.com
webcrawler.com
metacrawler.com
dogpile.com
excite.com
exalead.com
ask.com
altavista.com
msn.com
live.com
yahoo
google
Global\452fefe0-a06e-400f-8d6b-6a12a0a09d4b
?%s=
www.google.
/search
/custom
bing.
search.yahoo.com
.altavista.com
/web/results
.ask.com
/web
www.exalead.com
/search/web/results
www.alltheweb.com
search.lycos.
tab=web
query
gigablast.com
cuil.com
.aol.
/aol/search
entireweb.com
md=web
www.search.com
www.mamma.com
/result
mytalkingbuddy.com
searchservice.myspace.com
type=web
qry
search.conduit.com
/results
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
%u|%u
3.93
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
msie 7.0
http://%s%s
?xurl=
&xref=
get 
 http/1.
host: 
accept-language: 
referer: 
user-agent: 
msie 8.0
mozilla
upnp
X-Moz: prefetch
windowsupdate
Content-Type: text/html
Transfer-Encoding: chunked
Content-Length: 
HTTP/1.1 200 OK
WSAStartup
WSASocketA
WSPStartup
10000
ObtainUserAgentString
urlmon.dll
%s\%s.tmp
aid
sid
0.0
installdate
builddate
rnd
svchost.exe
netsvcs
Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08
*explo*
*firefox*
*chrome*
*opera*
*safari*
*netsc*
*avant*
*browser*
*mozill*
*wuauclt*
cfg.ini
\\?\globalroot\device\00000393\290e1954\kdmf.tmp
\\?\globalroot\device\00000393\290e1954\keywords
en-us
iexplore
am Files (x86)\Internet Explorer\iexplore
exe" -nohome
 Explorer\iexplore.exe" -nohome
6.1 7600 SP0.0 x64
C:\Program Files (x86)\Internet Explorer\iexplore.exe
http://cri71ki813ck.com/
http://rudolfdisney.com/
http://crozybanner.com/
http://imagemonstar.com/
http://funimgpixson.com/
http://bunnylandisney.com/
1604221776
0.02
30136
fe194e009e4f45ca0fcfed13cae604570fda2f3c
\\?\globalroot\device\00000393\290e1954
cmd.dll
\\?\globalroot\device\00000393\290e1954\cfg.ini
0I6
xI6
@Q6
ReleaseMutex
GetCommandLineA
CopyFileA
GetFileAttributesA
SetEvent
InitializeCriticalSection
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
GetCurrentProcessId
SuspendThread
ResumeThread
OpenThread
LocalFree
GetSystemInfo
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
VirtualProtect
WinExec
WriteFile
SetEndOfFile
SetFilePointer
CreateWaitableTimerA
SetWaitableTimer
CreateThread
GetComputerNameA
GetTickCount
LeaveCriticalSection
EnterCriticalSection
ReadFile
GetFileSize
CreateFileA
RemoveDirectoryA
DeleteFileA
CloseHandle
CreateProcessA
CreateDirectoryA
GetTempPathA
GetPrivateProfileSectionA
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetSystemTimeAsFileTime
WaitForSingleObject
GetLastError
CreateMutexA
GetCurrentThreadId
WriteProcessMemory
LoadLibraryA
GetProcAddress
SetThreadPriority
Sleep
HeapCreate
HeapAlloc
HeapFree
VirtualAlloc
VirtualFree
MultiByteToWideChar
QueueUserWorkItem
SetSecurityInfo
GetSecurityDescriptorSacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
MapFileAndCheckSumA
sscanf
_snwprintf
strncpy
_stricmp
strchr
_snprintf
sprintf
swprintf
atol
RtlInsertElementGenericTable
RtlDeleteElementGenericTable
RtlLookupElementGenericTable
RtlRandom
RtlImageNtHeader
RtlImageDirectoryEntryToData
ZwQuerySystemInformation
strstr
_strlwr
RtlTimeToSecondsSince1970
ZwAllocateVirtualMemory
_strnicmp
strrchr
ZwContinue
strncmp
RtlInitializeGenericTable
RtlEnumerateGenericTable
_wcsicmp
ZwFreeVirtualMemory
memset
memcpy
_allmul
CoInitializeEx
CoUninitialize
PathRemoveBackslashA
SHSetValueA
PathMatchSpecA
StrStrIA
StrStrA
PathRemoveFileSpecA
PathAppendA
StrStrIW
PathFindFileNameA
PathFindExtensionA
PathFileExistsA
SHGetValueA
SHEnumKeyExA
GetClassNameA
FindWindowA
KillTimer
SetTimer
PostMessageA
ClientToScreen
GetClientRect
SetWindowLongA
GetWindowLongA
PostQuitMessage
DestroyWindow
GetWindow
DefWindowProcW
FindWindowW
CreateWindowExW
GetMessageW
TranslateMessage
DispatchMessageW
RegisterClassExW
GetSystemMetrics
FindFirstUrlCacheEntryW
UnlockUrlCacheEntryFileW
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindCloseUrlCache
InternetCrackUrlA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetQueryOptionW
InternetSetOptionW
HttpQueryInfoW
InternetReadFile
InternetCloseHandle
InternetOpenA
%5'!
[6W
@$"
R#E
*!2
-:5qW
]"SGSZ
N!7
@J;
.text
`.rdata
@.data
.reloc
7+[
B{lfdi
zyyn
imfmo 
gpixs
i/wni71n
"#{
.jpB
eggif
tfb
'pnw
sd?s;sw
flv
cssxml
Szir
ymsi>sbp
123WP%w%.*s
a68d7de8-e6a54-90e0
cb9d93b3e
+cc51461
b32a883-8
nop07
dc6;15
m,Rw$d
ABCDE
FGHIJKLMNOeST
XYZ#c g
Z`j
m[pqr
wxyz0
6789+
CB0
?CaKkZzV
PlLdDeExX+
mMyYjJqQX
CcOoSsUu`
aghQqYy
]cCU+
WFGgPB
KhIwW#
x\\+,1
oh<>:"/\|?*'f<lxx
%1d
NS;
M(F)
u,z
\}KiU
j,D
ZwPit_V
R#?2_
$Z[]
Zk[
P;OX
=<s
fmr
6pic
>fv`m
fyoaTola
wazizuyi
p$UXRsmMx
lygo
%pQs3C
i|M
KK-
6[hm
mB?i
q2m
B.7
$vTj
c!58
^of
3/w
s$',<
okS
x''
\sk
.8[s.l
Fb#
awl'
f]?lg
cvya
2fWt
6eW00fd%Zk
-6a
=C&
CLm
3vHFl.v
/![7;l
K#c&
Ob=Rquep
@6g
VhC
q{.
_vN
lkf
d Fdd
7n`8
uiU]
{s>Kr
3.9L$
e 7.
F,V
8Nh
:#a
GZr
nok
pKX-
&p?mF8
z-Enjm
 EuD@
SAS631+
P1.
g7A
FCQ}
#vcd
9eZ
f8fe75
$-877a-c85
0b*
hc[
b.w8
A6*
sE4
tluM
4M$
|l\
H8, 
`P@4(
i.M
itdXL@qi
T '
ReleaseMutex#D
pyFi
.]g
SEv
InitializeCrcc
S%8M
odu:>q
8UndpViewOf
K#c
sId
uow
usp
dTh0d
su`
0wX
-#"
"pol=e/
Wi'
Wa.
ZTi
puBF
)ck
L%v~sS
`89GS
A#moPDE9
n/a;
PpP
6,iv3f
Mx8
>$!
QAs
on[
4aF
ObjB
-LaErE}!aDJ
1}y
ha=braEp
Addr#
o=0S
All7f
l<By
nlt*o
Que
2WhkI
"TP
acMh
0'f
_sk
nwp`t
sincw
sc3
Rtl
LookupR
6T0+
wrg
Mj+
W ds#
_1970E
<n4
*+,
M.Rue
sm)[
uw^
_wcs\S
p|m
set
vB:~
{ksl
,SH
A"M
0Sp
MAE
xp,4W
iKs
9Key/
4@2
 \M'F0l
F`im
lVc
80l
LtiP
oy$/
W8Ss
l f
f!4V
GW3
$wH
HNe
aaA
%5'!
[6W
E*%Y
[s5
h.!
'9#
@$"
v;*
E)a<
o($)
`$S
R#E6n
[k4u
<[L
v'P*
MZ=
-:5qW>
]"SGSZ
b`0
76n
@i=r
N!7
@J;
{0l
vUt
@7r,Y
('p
^w!@
tgkG
OeB
u A
GIu
t"<
PTj
XPTPSW
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
ole32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
SetSecurityInfo
MapFileAndCheckSumA
atol
CoInitializeEx
StrStrA
SetTimer
InternetOpenA

Here are the strings from the injected 64bit DLL:

Code: Select all

Strings v2.41
Copyright (C) 1999-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

MZ@
!Win64 .DLL.
.MPRESS1
`.MPRESS2*
v2.17
=/t
u/H
L$(H
D$ 
t$@H
t$ WH
|$H
D$HL
t$LH
D$ 
l$PH
t$XH
\$@H
@SH
D$0
D$0H
 [H
VWATAUAV
uOD85tN
t$ 
D$HI;
L$`3
L$`H
D$xH
|$`H
t$8D
t$0H
D$(
t$ 
D$PI;
t$8
9\$t
D$0L
t$(L
t$ 
D$D
t$ 
t#=
$@(
D$DH
$@(
L$D
D$DD
t$ 
$p(
$h(
$`(
$x(
L$@L
$@(
$@(
D$@
t$ 
$@(
$@(
L$@L
$@(
D$@
t$ 
$@(
u+M;
$I;
t$0H
t$(
D$ 
$@(
tBH!l$ L
$@(
t L
$@(
$x(
D$@
D$@H!l$ L
$@(
$x(
tfH
$x(
$x(
$@(
$@(
H!l$ L
L$@H
$@(
u}I
utL
D$@H
$@(
$@(
tJ9D$@uDL
l$ 
t$HH
L$P
[0I
k8I
A^A]A\_^
UVWATAUAVAWH
L$p3
\$0
\$(
t$ 
u^L
L$pL
\$0D
L$pE3
\$(
t$ 
D$pH
\$(
\$ 
D$@H;
\$ 
D$`H;
fA9
Ic~<H
?PE
f9G
f9G
L$XH
D$(@
D$XD
l$ 
D>,I
D$PD+g0
\>$H
f;_
s<H
t> 
^,H
HcA<H
tcD
t@D
fA;
Lca<L
d$h
L;l$PuDI
u'H
t]H
|$HA
L$HI
D$HI9
d$hL
t$`H9L$Pu@A
D$(L
t$@H
A_A^A]A\_^]
uvH
L$ L
L$0
L$0
tpH
L$03
tZH
t:H
=*I
s I
L$0
\$ 
T$0H
D$HH
t$@H
d$8
d$0
d$(
d$ 
l$hH
t$p
\$`H
L$0H
t$(H
D$ 
L$0
D$0H
uQD
L$0H
l$(H
t$ 
L$0
D$0H
s I
uXH
L$0H
t$(H
D$ 
L$0
D$0H
L$(A
L$0E
D$ 
L$0
L$0E
\$(H
D$ 
L$0
L$(A
T$ H
L$0E
L$0
\$0H
l$8H
t$@H
UATAUAVAW
l$ H
$E3
l$ A
D83M
A_A^A]A\]
<Lu
t<A
<,u
t!<
L$03
D$0H
\$ 
L$0
VWATAUAW
~hH
L$p3
L$pE3
|$p
@85:[
@851\
D$hH
D$`H
D$XH
D$PH
D$HH
D$@H
D$8H
D$0H
\$(H
|$ 
D$HH
t$@H
D$8H
D$0H
t$(H
t$ 
teH
t$HH
D$@H
t$8H
t$0E3
t$(H
t$ 
[0I
k8I
A_A]A\_^
x AT
L$0L
d$(H
t$03
D$ 
u9H
s I
{(I
x ATAUAV
L$ D
L$ 
D$ H
L$ 
$` 
$h 
$  
[ I
k(I
s0I
{8I
A^A]A\
|$ AV
$@5
$85
$@5
$85
D$(H
D$ 
$85
L$x
D$ph
D$PH
D$HH
D$pH
D$@H
d$8
d$0
d$(
d$ 
L$X
L$P
$@5
$85
D$(H
$ %
D$ 
$ %
UVWAUAVH
l$(
l$ 
l$(
l$ 
l$(
l$ 
l$(
l$ 
5pP
l$(
l$ 
=:O
l$(
l$ 
l$(
l$ 
*uBH
L$PH
D=@
L$P
|$P
T$@
D$8
L$0
D$(
D$ 
D$ 
5eH
D$(L
t$ 
firefox
U/H
? r
A^A]_^]
t$ WH
t]H
L$8
T$0H
L$8
D$0H
=ES
tv3
L$I
D$H
d$@
D$HH
D$8
L$03
D$0
D$J
5,R
\$ 
d$(
d$ 
\$pI
s I
p WATAUH
lE;
v5M
[ I
k0I
s8I
A]A\_
L$ H
\$pH
UVWATAUAVAWH
D$ H
8@u
8*L
v*L
;;r
d$ 
|$pH
\$xH
0A_A^A]A\_^]
D$h
T$ D
D$(D
D$8H
T$@D
D$HD
D$XH
T$`D
D$xH
D$0H
D$PH
D$pH
T$ A
@SH
L$@D
\$LH
D$JL
\$8H
D$0H
D$HH
D$(H
D$@L
L$BL
D$FH
D$ 
T$pH
L$@D
\$pD
\$t
d$h
T$hH
L$p
D$hH
SVWH
@ H
x H
tbH
L$xL
D$@H
t>H
D$@H
D$0D
|$(H
|$ 
P_^[
8Muzj
x<H
KERNEL32
VirtualProtect
ZPY
t+PTAYj
AXjxZWYH
G(AXPTAYjxZWY
tKH
< v
(AXZY[^_
!(w
@2l
V&w
%s\%s
noname
bsh
cmd
10000
%s\%s.tmp
ObtainUserAgentString
urlmon.dll
Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)
.dll
%s.dll
kernel32.dll
kernelbase
%d|%d|%s|%s
%X%X
tasks
DownloadCrypted
DownloadCrypted2
DownloadAndExecute
DownloadCryptedAndExecute
DownloadCryptedAndExecute2
Download
ConfigWrite
SetName
%[^.].%[^(](%[^)])
0.11
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
srv
retry
delay
knt
main
setup.exe
winsta0\default
aid
sid
1.0
version
installdate
builddate
rnd
svchost.exe
netsvcs
Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08
cfg.ini
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890
5678
34567
AaKhQqYy
123
eElLdCUExX
mFyYjJqQXx
GgOoSsUu
789
1234
AchIwWqQ
software\classes\http\shell\open\command
getlongpathname
.exe
<>:"/\|?*
%s-%s
GetNativeSystemInfo
kernel32
 x64
%1d.%1d %04d SP%1d.%1d%s
%hu.%hu.%hu %hu:%hu:%hu
S:(ML;;NW;;;LW)
Et-
>d,
'4+
C:\Program Files\Internet Explorer\iexplore.exe
en-us
iexplore
am Files (x86)\Internet Explorer\iexplore
exe" -nohome
 Explorer\iexplore.exe" -nohome
6.1 7600 SP0.0 x64
1604221776
0.02
30136
fe194e009e4f45ca0fcfed13cae604570fda2f3c
\\?\globalroot\device\00000393\290e1954
cmd64.dll
\\?\globalroot\device\00000393\290e1954\cfg.ini
GetModuleHandleA
GetProcAddress
KERNEL32
ntdll.dll
atol
WININET.dll
InternetOpenA
SHLWAPI.dll
StrStrIA
imagehlp.dll
MapFileAndCheckSumA
ADVAPI32.dll
SetSecurityInfo
APH
t=H
SUVWATAUAV
tDI
t!I
A^A]A\_^][

[EDIT: Since VirusTotal is broken currently I replaced the link with a VirScan.org report]
[EDIT: Added dumped strings]
[EDIT: Added config content as well as dropped files]

[CloneRanger]

@ Fabian Wosar

Hi, thanks for the file :)

Your VT link doesn't work, for me anyway ?

http://virscan.org/report/627c3627d443c ... 2d242.html

[Fabian Wosar]

Your VT link doesn't work, for me anyway ?

Yeah, VT seems to have some issues. I updated the link to point to a VirScan.org report instead.

[EP_X0FF]

Looks similar :) Thanks for sharing.

[EP_X0FF]

The same AddPrintProvidorW for x86 :)

[freyr]

microsoft av - the best :) only ms detect this sample by name: Trojan:Win32/Alureon.DX

http://www.virustotal.com/file-scan/rep ... 1282818037

[EP_X0FF]

microsoft av - the best :) only ms detect this sample by name: Trojan:Win32/Alureon.DX

http://www.virustotal.com/file-scan/rep ... 1282818037

;)

Here is the stuff from this rootkit

[main]
version=0.02
aid=30136
sid=0
builddate=4096
rnd=854245398
knt=1282818304
[inject]
*=cmd.dll
[cmd]
srv=hxxps://68b6b6b6.com/;hxxps://61.61.20.132/;hxxps://34jh7alm94.asia;hxxps://61.61.20.135/;hxxps://nyewrika.in/;hxxps://rukkieanno.in/
wsrv=hxxp://rudolfdisney.com/;hxxp://crozybanner.com/;hxxp://imagemonstar.com/;hxxp://funimgpixson.com/;hxxp://bunnylandisney.com/
psrv=hxxp://cri71ki813ck.com/
version=0.11
bsh=6a4553e7b910379f59d5e114c9c4a2d6b1d8dac9
delay=7200
csrv=hxxp://lkckclckl1i1i.com/

[EP_X0FF]

here we go, all other stuff extracted just few seconds before.

enjoy reversing =)

edit:

upx free cmd.dll if you are lazy

FInternet Explorer_Server W e b B r o w s e r A b u y o r d e r b a s k e t waveOutOpen winmm.dll 3А@В s v c h o s t % s - % d GetCursorPos user32 ole32.dll CoCreateInstance software\microsoft\internet explorer\main\featurecontrol\FEATURE_BROWSER_EMULATION maxhttpredirects software\microsoft\windows\currentversion\internet settings enablehttp1_1 currentlevel software\microsoft\windows\currentversion\internet settings\zones\3 1601 1400 software\microsoft\internet explorer\international acceptlanguage %s\%s / :// http://%s/?xurl=%s&xref=%s 1.8 clk=%s&bid=%s&aid=%s&sid=%s&rd=%s atl.dll AtlAdvise AtlUnadvise AtlAxCreateControlEx SysFreeString oleaut32.dll a І Д м ш aУЇНРЉ> АOЙвn%D,3Л&Рґѓ АOЩясP0µ˜П»‚ Є ЅОGlobal\3006345f-6baf-4669-a7e1-aaa310564be9 kdmf.tmp %d|%d|%s|%s %X%X tasks .dll Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3) bsh cmd DownloadCrypted DownloadCrypted2 DownloadAndExecute DownloadCryptedAndExecute DownloadCryptedAndExecute2 Download ConfigWrite SetName % S %x %f %d %[^.].%[^(](%[^)]) 0.11 command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/ srv retry noname delay %u knt main 0 setup.exe winsta0\default version http://lkckclckl1i1i.com/ csrv HTTP/1.1 302 Found
Location: %s
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Content-Type: text/html
Content-Length: %d
Connection: close
%s <html><head><script type="text/javascript">function f(){var url="%s";try{var x=document.getElementById("_a");x.href=url;x.click()}catch(e){try{var x=document.getElementById("_f");x.action=url;x.submit()}catch(e){}}}</script></head><body onload="f()"><a id="_a"></a><form id="_f" method="get"></form></body></html> <html><body onload="javascript:history.back()"></body></html> ^2 4: y2 P: ”2 l: Ї2 €: Software\Win%c%c // ; http://rudolfdisney.com/;http://crozybanner.com/;http://imagemonstar.com/;http://funimgpixson.com/;http://bunnylandisney.com/ wsrv http://cri71ki813ck.com/ psrv
.jpg .jpeg .gif .tiff .bmp .png .wbmp .pcx .psd .js .swf .flv .css .xml .exe .zip .rar .msi action=sbp action=123 %url% %.*shttp://%s%s%s Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7 Global\cc51461b-e32a-4883-8e97-e0706dc65415 keywords Accept-Language: %s %s http://%s/?xurl=%s&xref=%s %s %s 1.6|%s|%s|%s|%s|%s|%s ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890 * AaKkZzVv 01234 pPlLdDeExX 5678 34567 mMyYjJqQXx CcOoSsUu 0123456789 @ 0123 AcxghkZ AaKhQqYy 123 eElLdCUExX 01 mFyYjJqQXx GgOoSsUu 789 1234 AchIwWqQ software\classes\http\shell\open\command getlongpathname firefox <>:"/\|?* xx %s-%s GetNativeSystemInfo kernel32 x64 %1d.%1d %04d SP%1d.%1d%s S : ( M L ; ; N W ; ; ; L W ) %s.dll kernel32.dll kernelbase www. .text .rdata ntdll KiUserExceptionDispatcher ZwProtectVirtualMemory ZwWriteVirtualMemory mswsock ws2_32 wsock32 dnsapi wininet alexametrics.com fimservecdn.com myspacecdn.com .tqn.com searchvideo.com flickr.com .com.com oneriot.com picsearch.com twimg.com adcertising.com openx.org truveo.com tacoda.net doubleverify.com atwola.com meedea.com wazizu.com yieldmanager.com worthathousandwords.com firmserve.com compete.com lygo.com superpages.com edgesuite.net infospace.com ytimg.com 66.235.120.67 66.235.120.66 scorecardresearch.com iwon.com doubleclick.net 2mdn.net yimg.com powerset.net ivwbox. atdmt.com virtualearth.net gstatic.com abmr.net adbureau.net tribalfusion.com adrevolver.com everesttech.net othersonline.com aolcdn.com twitter.com wikimedia.org wikipedia.org youtube.com facebook.com amazon.com adobe.com macromedia.com blinkx.com alexa.com conduit.com answers.com myspace.com about.com mamma.com .search.com .lycos. alltheweb.com webcrawler.com metacrawler.com dogpile.com excite.com exalead.com ask.com altavista.com msn.com live.com yahoo google Global\452fefe0-a06e-400f-8d6b-6a12a0a09d4b ?%s= & www.google. /search /custom q bing. search.yahoo.com p .altavista.com /web/results .ask.com /web www.exalead.com /search/web/results www.alltheweb.com search.lycos. tab=web query gigablast.com cuil.com .aol. /aol/search entireweb.com md=web www.search.com www.mamma.com /result mytalkingbuddy.com searchservice.myspace.com type=web qry search.conduit.com /results search.toolbars.alexa.com alltheinternet.com /ws/results/web/ %u|%u 3.93 ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s msie 7.0 http://%s%s ?xurl= &xref= get http/1.
host:
accept-language:
referer:
user-agent: msie 8.0 mozilla upnp
X-Moz: prefetch
windowsupdate
Content-Type: text/html
Transfer-Encoding: chunked

Content-Length: HTTP/1.1 200 OK
WSAStartup WSASocketA WSPStartup 10000 ObtainUserAgentString urlmon.dll %s\%s.tmp aid sid 0.0 installdate builddate rnd svchost.exe netsvcs Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08 *explo* *firefox* *chrome* *opera* *safari* *netsc* *avant* *browser* *mozill* *wuauclt* cfg.ini