[SecConnex]

A lot of times (or which I have seen), GMER likes to show subtle hints, when it cannot fully detect the rootkit.

Such as modification of atapi.sys:

Device | -> \Driver\atapi \Device\Harddisk0\DR0 | Value: XXXXXXXX

or

Revealing of invalid driver:

Address 1 & Address 2: is not a driver object

or

Odd SSDT

NtDUMPxxxxxxxx


(xxxxxxxx or XXXXXXXX stands for random address value)


The question is, why would a driver dump data randomly?

[EP_X0FF]

GMER bugs? :)

Such as modification of atapi.sys:
Device | -> \Driver\atapi \Device\Harddisk0\DR0 | Value: XXXXXXXX

This is how GMER lists unknown IRP handler for stack device which belongs to TDL3.

Here my example that doing the same but with WinDBG.
http://forum.sysinternals.com/help-ie8- ... ack#113867

[EP_X0FF]

This is how now looks config.ini (renamed to cfg.ini)
Actual servers values removed.

[main]
version=0.01
aid=xxx
sid=0
rnd=x
knt=x
[inject]
*=cmd.dll
[cmd]
srv=https://
wsrv=http://
psrv=http://xxx/
version=0.1
bsh=xxx
delay=7200
csrv=http://xxxx/

Highly appreciated any help with getting workable dropper of this TDL variant.

[PX5]

Possible candidates, may not be the newer version tho.

[EP_X0FF]

Thank you for samples,

1281520512_exe.PE is classical TDL3

config.ini

[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=xxxx
affid=20034
subid=0
installdate=20.8.2010 10:36:45
builddate=11.8.2010 9:55:11
rnd=1960408961
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941

reviewing next one, will update at few minutes

E_tmp.PE the same sample.
F_tmp.PE the same sample patched by tdl loader to be dll (for injecting to spooler).
last one also not matching new tdl.

Regarding amount of new stuff introduced by this new TDL, it's dropper size should be around 100-200 kb.

[Meriadoc]

Ah changes :) . Config has changed with no server info.

[EP_X0FF]

Config has changed with no server info.

Well actually I removed them manually :)
While we all not sure, what we have, it is evolving very quickly.

here is new (thanks to a_d_13), aid, server info removed

[main]
version=0.02
aid=x
sid=0
builddate=x
rnd=854245398
knt=1282302355
[inject]
*=cmd.dll
[cmd]
srv=https://xxx.com/;https://xxx/;https://x ... ps://xxxx/
wsrv=http://xxx.com/;http://xxxx/;http://xxx ... ttp://xxx/
psrv=http://xxxx.com/
version=0.11
bsh=xxxx
delay=7200
csrv=http://xxxxxxxx.com/

Indeed contains fully working x64 loader driver.
Tdl dropper wanted :)

[rossetoecioccolato]

No quote?

[a_d_13]

No quote?

No quote in the config file for this version of TDL :(

Thanks,
--AD

[LeastPrivilege]

Indeed contains fully working x64 loader driver.

PatchGuard circumvented?