KernelMode.info

Hi all I'm doing some research into botnet infections and decided TDL4 looked a great infection to analysis. I'm currently trying to analysis the infection in a VM, TDSS killer detects that there is a rootkit infection. My problem is that there seems to be no network connectivity what so ever when previous infections I’ve noticed connection attempts.

My question is can you actually analysis this infection in a VM, I’ve read that there are large attempts to prevent it running within a VM. Otherwise does anyone have any ideas why no connection attempts have been made surely not a dead sample?

The sample I used was http://www.kernelmode.info/forum/downlo ... hp?id=2607

Hi all!

I'm trying to collect network traces from the version of TDL4 that uses the Kad network to communicate. I have installed a lot of different samples that virustotal detect as TDL4, TDSS, alureon, Olmarik or whatever but all of them communicate through HTTP or HTTPS (centralized C&C). I've read this white paper http://www.eset.com/us/resources/white- ... of_TDL.pdf a really good analysis I think but I'm still looking for these network traces. thanks

Finally, I'm here thanks to Aleksandr Matrosov and I've read http://www.kernelmode.info/forum/viewto ... &start=490 downloading and trying a lot of samples but none communicate through P2P. For example I tried this http://www.kernelmode.info/forum/viewto ... =490#p7161 that has the kad.dll module inside but no P2P communications appeared.

Now, my options are:
1) should I do something special in order to get installed the kad.dll module which is in charge of P2P communications?
2) I have only to install a specific binary sample of TDL4.

If the right option is 1) I'm very new in this field and I don't know how to load this module in the malware (although I think this is the wrong answer)
In case that 2) is the right, could someone help me finding this particular sample?

Thank you very much to all the readers! (specially to those that answer me :D )

Hi limiter!

I'm not very sure but up to my knowledge you can run tdl4 in VM. It's true that there exists ways to detect if the malware is running in a virtual environment or not, in fact tdl3 used it. But I've installed several samples of TDL4 in qemu and all of them work properly.

I don't know why you are not connecting to anyone. Maybe you should wait sometime in order to the botnet find active C&C servers. Did you see at lest any HTTP, DNS queries?

I hope help you.
Cheers!

Offtopic removed, thread closed.

Topic starter may request topic reopening if needed.