Here's another blog entry from Prevx.
x64 TDL3 rootkit - follow up
A forum for reverse engineering, OS internals and malware analysis
EP_X0FF wrote:
MBRCheck will work and detect it AFAIK. Likely remove it also.

I'm sure a_d_13 will have more to add to this than I... :roll:
x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
EP_X0FF wrote:
Guys I tell you what perfectly and safely removes it :) fixmbr.

Ya, that definitely gets it. The only consideration is wiping out access to recovery partitions on OEM machines.
Fabian Wosar wrote:
Sorry Fabian. I believe that I have done something wrong before. Checked it now, works good.

4everyone wrote:
Worked for me with older versions of TDL3. Tried with the new MBR thingie, didn't work for me.

Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack, so failure is kind of expected.
Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.
LeastPrivilege wrote:
This should be a lesson for people who own retail OEM machines that use recovery partitions: back up your MBR and put it away for safe keeping.

'Tis a good point. Though most "average" PC users would never know to do this, nor would they know how it's done even if someone told them. Do any of the OEMs such as Dell, HP, etc. provide a tool for doing this? Something that is a simple point-and-click tool?
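The MBR backup LeastPrivilege recommends above, and the fixmbr side effect EP_X0FF's reply warns about, come down to the layout of the first sector: 440 bytes of bootstrap code (which an OEM may customise to reach its recovery partition, and which an MBR-infecting rootkit overwrites), a 4-byte disk signature, then the 64-byte partition table and the 0x55AA boot signature. The following is an added Python example, not part of this thread or of any poster's tool (MBRCheck, a_d_13's utility, Fabian's hack): it parses a 512-byte MBR, diffs a saved backup against the current sector to report which region changed, and restores only the bootstrap code and disk signature while keeping the live partition table. The OEM-style sample MBR is constructed inline, the NOP-filled "infected" loader is a stand-in and not real TDL3 code, and the helper names are hypothetical.

```python
"""Back up, parse and diff a classic 512-byte MBR.

Added example for this thread; not the code of MBRCheck or any poster's tool.
The sample sector below is constructed, not captured from a disk.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440   # bootstrap code: what an MBR-infecting loader or fixmbr overwrites
DISK_SIG_OFF = 440   # 4-byte Windows disk signature, then 2 bytes usually 0x0000
PT_OFFSET = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device, e.g. r'\\.\PhysicalDrive0' on
    Windows or '/dev/sda' on Linux. Needs administrator/root; not used by the
    constructed sample below."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootcode hash, disk signature and used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(backup: bytes, current: bytes) -> list:
    """Name the MBR regions that differ between a saved backup and the live sector."""
    changes = []
    if backup[:BOOTCODE_LEN] != current[:BOOTCODE_LEN]:
        changes.append("bootstrap code changed")
    if backup[DISK_SIG_OFF:PT_OFFSET] != current[DISK_SIG_OFF:PT_OFFSET]:
        changes.append("disk signature changed")
    if backup[PT_OFFSET:510] != current[PT_OFFSET:510]:
        changes.append("partition table changed")
    return changes


def restore_bootcode(current: bytes, backup: bytes) -> bytes:
    """Put the backed-up OEM bootstrap code and disk signature back while keeping
    the live partition table, which may legitimately have changed since backup."""
    return backup[:PT_OFFSET] + current[PT_OFFSET:]


def make_partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zero; modern loaders use the LBA fields.
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


def make_sample_mbr() -> bytes:
    """Constructed OEM-style MBR: vendor boot code, a bootable NTFS system
    partition and a hidden recovery partition (type 0x27)."""
    bootcode = b"\xeb\xfe" + b"OEM-BOOTCODE".ljust(BOOTCODE_LEN - 2, b"\x00")  # jmp $ + filler
    disk_sig = struct.pack("<I", 0x1234ABCD)
    table = (make_partition_entry(True, 0x07, 2048, 204800) +
             make_partition_entry(False, 0x27, 206848, 30720) +
             bytes(32))  # two unused slots
    sector = bootcode + disk_sig + b"\x00\x00" + table + BOOT_SIG
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    backup = make_sample_mbr()          # what you would have saved before infection
    # Stand-in for a rootkit (or fixmbr) replacing the loader: bootcode swapped, table intact.
    current = b"\x90" * BOOTCODE_LEN + backup[BOOTCODE_LEN:]
    print("backup:", parse_mbr(backup)["partitions"])
    print("diff:  ", compare_mbr(backup, current))
    restored = restore_bootcode(current, backup)
    print("after restore:", compare_mbr(backup, restored))
```

The point of diffing by region rather than by whole-sector hash is exactly the OEM case raised above: after fixmbr the partition table and recovery partition are still there, only the vendor bootstrap code that knew how to boot into it is gone, and `restore_bootcode` puts that back from the backup without touching a partition table that may have been legitimately edited since.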