erikloman wrote:Hi all. I am looking for a specific TDL4 (or variant) dropper that uses ACPI.sys (XP 32-bit) to conceal its DEVICE_OBJECT hijacking. Thanks!As i remember device for hijacking (and driver accordingly) depends from your system configuration (driver stack), not from tdl version...
A forum for reverse engineering, OS internals and malware analysis
This is well known Pihar clone of TDL4.
Kaspersky Lab
file in attach
Attachments
pw: infected
(116.9 KiB) Downloaded 244 times
(116.9 KiB) Downloaded 244 times
New variant Alureon.K is spreading.
Blocks tools like aswMBR, TDSSKiller, GMER, etc.
Hooks at miniport level to hide sectors.
Has a watchdog that restores IRP_MJ_SCSI, StartIo pointers if changed; ala TDL3/4.
Loads from extra partition.
Protects both MBR and 'VBR' sector (to hide the extra partition).
Additional partition presumably is a VBR but its not (has NTFS marker, but has partition table as well).
This is what I could gather from infected system past hour.
Anyone has more info on this?
Blocks tools like aswMBR, TDSSKiller, GMER, etc.
Hooks at miniport level to hide sectors.
Has a watchdog that restores IRP_MJ_SCSI, StartIo pointers if changed; ala TDL3/4.
Loads from extra partition.
Protects both MBR and 'VBR' sector (to hide the extra partition).
Additional partition presumably is a VBR but its not (has NTFS marker, but has partition table as well).
This is what I could gather from infected system past hour.
Anyone has more info on this?
Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com
SurfRight B.V. - www.surfright.com
what is the diff with maxss? from what i read this is maxss known since last november.
kmd wrote:what is the diff with maxss? from what i read this is maxss known since last november.Doh you are right
I compared the VBR I got from the infected machine with the one in this post and they are the same.
Your reply was very helpful. Thanks!
Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com
SurfRight B.V. - www.surfright.com
erikloman wrote:R.I.P. tdl4 againkmd wrote:what is the diff with maxss? from what i read this is maxss known since last november.Doh you are right
I compared the VBR I got from the infected machine with the one in this post and they are the same.
Your reply was very helpful. Thanks!
First post Glad to be here.
Don't know if This is still going but I am 95% sure got a alureon file "temp.exe". I passed it threw hexrays 1.7 saved as a c file
Let me know what you find as far as the tmp.exe. This came from a persistent xss on a very large corp site i am doing work for.
Don't know if This is still going but I am 95% sure got a alureon file "temp.exe". I passed it threw hexrays 1.7 saved as a c file
Let me know what you find as far as the tmp.exe. This came from a persistent xss on a very large corp site i am doing work for.
Attachments
Password: malware and the files are ++Infeted++
(209.21 KiB) Downloaded 145 times
(209.21 KiB) Downloaded 145 times
I am doing some analysis of TDL4 behaviour, for educational purposes. I ran tdl4 binary on few machines.
What i didn't understand was that
1:- TDL4 couldn't contact its server and keep repeating dns failed queries. (internet connection was working well)
2:- It was also doing dns queries other than the list of srv in its cfg.ini file. Where are dns domain list located other then the list provided in cfg.ini file???
3:- I was using version 0.31 binary and it wasn't doing any p2p communication using kad module. Why is that? I thought TDL4 do p2p communication if it couldn't find any server.
I am attaching the binary I was using and list of files on its file system.
What i didn't understand was that
1:- TDL4 couldn't contact its server and keep repeating dns failed queries. (internet connection was working well)
2:- It was also doing dns queries other than the list of srv in its cfg.ini file. Where are dns domain list located other then the list provided in cfg.ini file???
3:- I was using version 0.31 binary and it wasn't doing any p2p communication using kad module. Why is that? I thought TDL4 do p2p communication if it couldn't find any server.
I am attaching the binary I was using and list of files on its file system.