A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1006  by EP_X0FF
 Thu May 06, 2010 4:53 pm
Thanks for the sample :D
It has wonderful payload
[tasks]
552010111050=!hxxp://sokam.info/admnew2/Dr.exe
VirusTotal
http://www.virustotal.com/analisis/7d3c ... 1273164676

BHO, dropped as
Internet Explorer Plugin Javascript Debugger RoverSoft LLC c:\windows\system32\nuxmuhj85.dll
Attachments
pass: malware
(43.24 KiB) Downloaded 82 times
 #1026  by EP_X0FF
 Fri May 07, 2010 1:33 pm
Hello,

Offtopic content deleted.

To new posters:
If you have something new about TDL3 to post - feel free to do that, but please read before first post of this thread. It has a lot of interesting information about subject of this thread.

Please understand: We do not collect out-dated information about TDL or kernel mode trojans.

Regards.
 #1047  by notkov
 Sun May 09, 2010 8:20 pm
Hi,

@EP_XOFF
I do not understand... Are we interested in fresh samples, or only in new versions? Are you sure that they change the "version" with every new feature added ?
Someone said that they keep changing it, and leave the version number.
 #1048  by gjf
 Sun May 09, 2010 8:48 pm
notkov, you should understand: TDL3 actually consists of dropper, kernelmode part and injected usermode dll. If the author changes dropping mechanism - well, it's interesting. Kernelmode part - very interesting. Usermode dll - OK, it's good, but not much.

"New samples" mostly are just a repacked versions of the same malware with the same dropper/kernelmode part and mostly allways - usermode part. So these samples are useless, because they are the same. Just if you will take one document and compress it using RAR, ZIP, 7-ZIP, TAR - the document will remains the same, but in different files.
 #1049  by notkov
 Sun May 09, 2010 9:49 pm
Ok, what about my other question? I wasn't talking about re-packed samples.

"Are you sure that they change the "version" with every new feature added ?
Someone said that they keep changing it, and leave the version number."

Thank you.
 #1050  by EP_X0FF
 Mon May 10, 2010 2:56 am
Hello,
Are you sure that they change the "version" with every new feature added ?
No, they changed tactic to fool analysts. This is not a secret that some labs sorting samples by their version. They keep changing version id's well for a long time, so all got accustomed for this behavior. TDL team read security forums etc. Currently they are changing only tdlcmd.dll version (and it depends from drop zone mostly, for example 741 and 74 version were in same time, now 741 and 747). Without preliminary analysis it is hard to tell what kind of sample you have found, config data version is not trustworthy. Several different custom packers used to fool analysis based on size etc. Dropper code also evolving - new ways to bypass lame HIPS were added, so it now different than code posted in t4l article. So answer will be - play with samples and if something new from your opinion is discovered feel free to post them here.

Regards.
 #1053  by notkov
 Mon May 10, 2010 8:16 am
Thanks for your answer, EP_XOFF.
I think you should change this phrase, from first post:
4. Please do not post identical version samples!
For example if 3.273 was already posted there is no reasons to post the same version again even if it is fresh today build.
While it is possible for same version samples, to be different.

Thank you.
 #1054  by fatdcuk
 Mon May 10, 2010 11:12 am
fatdcuk wrote:Unsure if any revisions but out with Arnie and Sly...Bring on Brucey :P Whos is next ......place your bets!

http://www.virustotal.com/analisis/06e3 ... 1272379321

Have phun!
Muscleman to ninja makeover on the P2P bundled dropper introducing Bruce Lee

Maybe Chuck Norris coming soon :lol:
Attachments
(67.83 KiB) Downloaded 92 times
  • 1
  • 12
  • 13
  • 14
  • 15
  • 16
  • 40