A forum for reverse engineering, OS internals and malware analysis 

 #376  by EP_X0FF
 Sun Mar 21, 2010 5:18 am
Downloader coming from tdss sites

VirusTotal
http://www.virustotal.com/analisis/853f ... 1269148478

Contains a list of malware to download and self-deletion code.
> nul
/c del
COMSPEC
%skzwtguher.php?adv=adv447&code1=%s&code2=%s&id=%d&p=%s
%sddok.exe
%siolylzjjg.php?adv=adv447
%sbwadvg.exe
%sxekgqer.php?adv=adv447
%sstrcul.exe
%sekhrrfst.php?adv=adv447
%snxbtc.exe
%sybxliiv.php?adv=adv447
%splfyaqpj.exe
%swczjgtqqnk.php?adv=adv447
%snfylrs.exe
%sadmwk.php?adv=adv447
%svqaq.exe
%stjgcdnnak.php?adv=adv447
%svqovnpnr.exe
%sgmvsjkh.php?adv=adv447
%slnfl.exe
%stfllijwxgu.php?adv=adv447
%sxsgv.exe
%setqrnbbym.php?adv=adv447
%sldrldu.exe
%syekhhiijfg.php?adv=adv447
%sbirqakky.php?adv=adv447
_hxxp://bastocks.com/maczjwtq/
_hxxp://aahydrogen.com/maczjwtq/
ver52
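The strings above are format templates: the downloader fills the leading %s with one of the two drop-site base URLs, then alternates a .php request (the first one a check-in carrying code1/code2/id/p) with the .exe it fetches next. The following Python is an added illustration, not code from the post or from the sample, that expands those templates against the posted base URLs into a defanged indicator list and reconstructs the request/payload chain; the strings and hosts are copied from the post exactly, everything else is my own.

```python
"""Expand the downloader's %s-prefixed format strings into defanged IoCs."""

# Strings and drop-site URLs exactly as they appear in the post above.
DOWNLOADER_STRINGS = """\
%skzwtguher.php?adv=adv447&code1=%s&code2=%s&id=%d&p=%s
%sddok.exe
%siolylzjjg.php?adv=adv447
%sbwadvg.exe
%sxekgqer.php?adv=adv447
%sstrcul.exe
%sekhrrfst.php?adv=adv447
%snxbtc.exe
%sybxliiv.php?adv=adv447
%splfyaqpj.exe
%swczjgtqqnk.php?adv=adv447
%snfylrs.exe
%sadmwk.php?adv=adv447
%svqaq.exe
%stjgcdnnak.php?adv=adv447
%svqovnpnr.exe
%sgmvsjkh.php?adv=adv447
%slnfl.exe
%stfllijwxgu.php?adv=adv447
%sxsgv.exe
%setqrnbbym.php?adv=adv447
%sldrldu.exe
%syekhhiijfg.php?adv=adv447
%sbirqakky.php?adv=adv447
"""

# Already defanged (hxxp) as posted; they stay defanged in the output.
BASE_URLS = [
    "hxxp://bastocks.com/maczjwtq/",
    "hxxp://aahydrogen.com/maczjwtq/",
]


def templates(strings):
    """Keep only the lines that are %s-prefixed URL templates."""
    return [t for t in strings.splitlines() if t.startswith("%s")]


def classify(template):
    """Label a template by its role in the download chain."""
    if template.endswith(".exe"):
        return "payload"
    if "code1=" in template:
        return "checkin"   # first request, reports ids back to the drop site
    return "request"


def expand_iocs(strings, bases):
    """Fill the leading %s with every base URL; returns one dict per URL."""
    iocs = []
    for base in bases:
        host = base.split("//", 1)[1].split("/", 1)[0]
        for t in templates(strings):
            path = t[2:]  # drop the leading %s, the slot the base URL fills
            iocs.append({"host": host, "url": base + path, "kind": classify(t)})
    return iocs


def download_chain(strings):
    """Pair each .php request with the .exe fetched right after it."""
    tpl = templates(strings)
    pairs = []
    for cur, nxt in zip(tpl, tpl[1:]):
        if not cur.endswith(".exe") and nxt.endswith(".exe"):
            pairs.append((cur[2:], nxt[2:]))
    return pairs


if __name__ == "__main__":
    for ioc in expand_iocs(DOWNLOADER_STRINGS, BASE_URLS):
        print(f"{ioc['kind']:8} {ioc['url']}")
    print(len(download_chain(DOWNLOADER_STRINGS)), "request/payload pairs")
```

The expanded URL list is what you would feed a proxy blocklist or a retro-hunt over web logs; the chain view shows that the two trailing .php entries have no payload after them, so they are plain beacons rather than fetches.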
 #386  by Meriadoc
 Mon Mar 22, 2010 1:23 pm
Waiting for update :)

Sample of strings from the latest sample:
File: keygen_dmp
MD5: b3f6f4ee6b66d3a61a2983dfcedd176c
!This program cannot be run in DOS mode.
DRich
.text
`.rdata
@.data
.tdl
.rsrc
@.reloc
kernel32.dll
VirtualAlloc
GetModuleHandleW
LocalAlloc
FreeLibraryAndExitThread
GetShortPathNameA
GetCurrentDirectoryA
HeapCreate
Sleep
??1bad_cast@@UAE@XZ
1/142
3;3P3n3x3
then
priest
plague
ethe
skin
ewhite;
hspoke
skin,
plague;
ereddish-white,
boil,

IDDQD!
IDDQD!
IDDQD!
Bible and hidden code references; IDDQD - DOOM code, God mode/invincible :)
 #417  by EP_X0FF
 Wed Mar 24, 2010 11:46 am
Jaxryley wrote: hxxp://91.212.226.182/cut4765.exe
Hello and thank you for the sample :)

It is a 6-day-old TDL3.
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
installdate=24.3.2010 11:40:28
builddate=19.3.2010 13:15:0
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://873hgf7xx60.com/;https://34jh7a ... 61.20.132/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha6 ... 4555j.com/
popupservers=http://zxclk9abnz72.com/
version=3.74
Long time nothing new from TDL crew :)

Regards.
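The configuration quoted above is plain INI text: [main] carries the rootkit version and build/install timestamps, [injector] maps a process pattern (* for every process) to the DLL it injects, and [tdlcmd] lists the command, wsp and popup servers separated by semicolons. As an added example that is not code from the thread or from the sample, the Python below parses such a config and pulls out the hosts and versions an analyst would turn into indicators. The server lists in the post are truncated, so the second host in each list below is a constructed placeholder of my own; the remaining values are copied from the post.

```python
"""Parse a TDL3-style INI config and extract hosts, versions and injector map."""
import configparser
from datetime import datetime
from urllib.parse import urlparse

# Constructed config in the layout posted above. The *.invalid hosts stand in
# for the truncated second entries and are placeholders, not real indicators.
SAMPLE_CONFIG = """\
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
installdate=24.3.2010 11:40:28
builddate=19.3.2010 13:15:0
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://873hgf7xx60.com/;https://placeholder-c2-2.invalid/
wspservers=http://lk01ha71gg1.cc/;http://placeholder-wsp-2.invalid/
popupservers=http://zxclk9abnz72.com/
version=3.74
"""

DATE_FMT = "%d.%m.%Y %H:%M:%S"   # day.month.year, single digits allowed


def parse_config(text):
    # interpolation=None so a stray '%' in a value cannot break parsing;
    # optionxform=str keeps key case and leaves the '*' key untouched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def c2_hosts(cp):
    """Return {role: [hostname, ...]} for every *servers key under [tdlcmd]."""
    out = {}
    for key, value in cp["tdlcmd"].items():
        if key.endswith("servers"):
            out[key] = [urlparse(u).hostname for u in value.split(";") if u]
    return out


def all_hosts(cp):
    """Flat, de-duplicated host list in config order, ready for a blocklist."""
    seen = []
    for hosts in c2_hosts(cp).values():
        for h in hosts:
            if h not in seen:
                seen.append(h)
    return seen


def versions(cp):
    """The rootkit and tdlcmd module are versioned separately."""
    return {"rootkit": cp["main"]["version"], "tdlcmd": cp["tdlcmd"]["version"]}


def injected_modules(cp):
    """[injector] maps process-name pattern -> DLL injected into it."""
    return dict(cp["injector"].items())


def build_age_seconds(cp):
    """Seconds between the build timestamp and the install timestamp."""
    built = datetime.strptime(cp["main"]["builddate"], DATE_FMT)
    installed = datetime.strptime(cp["main"]["installdate"], DATE_FMT)
    return (installed - built).total_seconds()


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(versions(cfg))
    print(injected_modules(cfg))
    for role, hosts in c2_hosts(cfg).items():
        print(role, hosts)
    print("build-to-install age (days):", build_age_seconds(cfg) / 86400)
```

Keying the host extraction on every `*servers` entry rather than on the three names seen here means a config with an extra server list still yields its hosts; the separate version fields are worth tracking because the rootkit and the tdlcmd payload are updated on different cadences.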
 #422  by vernalex
 Wed Mar 24, 2010 5:04 pm
First I would like to thank you all for your work and any information you have posted. I originally found the SysInternals forum on TDL3 and I found the link to this forum from there. This information has been wonderfully useful and saved me a lot of time.

But, I also have a question. Does anyone know how TDL3 infects computers?

I've seen other malware programs infect computers with a browser image that purports to be a virus scanner (such as Antivirus 2009, Antivirus 2010, General Antivirus, Security Antivirus, Security Tool, etc. as in the screenshot) and they convince the user to install an executable that then compromises their machine. Has anyone seen a computer compromised with TDL in this way (social engineering)? Or are they installing through security vulnerabilities (unpatched Adobe Reader, Flash, Java, etc. exploits)?

So, while I now have the tools to cure these infections I am curious as to how to prevent them because where I work we have Symantec Antivirus and it seems mostly useless in fighting the infections. If you have any information about this then please let me know. And if you have a link of a website that tries to infect you that would be most useful too (good idea to message me with it instead of posting it though so someone doesn't accidentally infect themselves).

Thank you! :)
malware.png
Not saved from a TDL infection, but does TDL infect a computer in a similar way?
 #423  by EP_X0FF
 Wed Mar 24, 2010 5:22 pm
Hi,

Generally tdl3 comes as:

1. video codec installers
(video jokes that require downloading and installing an additional video codec; this usually bypasses Vista/7 User Account Control, because the user allows the installation - some sort of social engineering)

NOT tdl3, but an example of the concept
_hxxp://video-info.info/show.php
payload, so called video codec - Trojan Downloader http://www.virustotal.com/analisis/222e ... 1269451721

2. payload of some fake AVs
(they download the tdl3 rootkit as "updates")

3. keygens and cracks
(they come as keygens/cracks, sometimes bundled with legitimate software, while in fact they are not; a good example is the keygen.name drop site - every file from this site is malware)

4. installing through exploits
(user accesses a web site with a compromised web browser, the site executes an exploit, and the payload downloads and starts the rootkit dropper)

To avoid tdl3 (as well as many other infections):

1. Do not use IE. Never. Even if version 11 is claimed to be the world's most secure browser. Internet Explorer is the number 1 priority for malware researchers and writers.
2. Do not run anything you don't know what it is - if you really need it, try it on a virtual machine before running it.
3. Check suspicious files before executing them through free online scanners such as VT/VirScan.
4. Download and always install updates for software (especially browsers and Adobe products) and the operating system.
5. If possible, switch to the most secure x64 Windows version, which is currently Windows 7 (with UAC turned on and MSE/Windows Firewall installed, for example). Yes, it is just a question of time before malware migrates to x64, but currently it is the best practice against most kernel-mode rootkits such as TDL3.

Regards.
 #474  by EP_X0FF
 Sat Mar 27, 2010 2:18 pm
Yes I can confirm. Updated Norman TDSS Cleaner was able to detect and remove TDL 3.273. First post updated.