A forum for reverse engineering, OS internals and malware analysis 
 #2111  by SecConnex
 Fri Aug 20, 2010 7:31 am
A lot of times (or from what I have seen), GMER likes to show subtle hints when it cannot fully detect the rootkit.

Such as modification of atapi.sys:

Device | -> \Driver\atapi \Device\Harddisk0\DR0 | Value: XXXXXXXX

or

Revealing of invalid driver:

Address 1 & Address 2: is not a driver object

or

Odd SSDT

NtDUMPxxxxxxxx


(xxxxxxxx or XXXXXXXX stands for random address value)


The question is, why would a driver dump data randomly?
 #2112  by EP_X0FF
 Fri Aug 20, 2010 8:48 am
GMER bugs? :)
Such as modification of atapi.sys:
Device | -> \Driver\atapi \Device\Harddisk0\DR0 | Value: XXXXXXXX
This is how GMER lists an unknown IRP handler for a stack device which belongs to TDL3.

Here is my example doing the same, but with WinDbg.
http://forum.sysinternals.com/help-ie8- ... ack#113867
 #2113  by EP_X0FF
 Fri Aug 20, 2010 8:56 am
This is how config.ini (renamed to cfg.ini) looks now.
Actual server values removed.
[main]
version=0.01
aid=xxx
sid=0
rnd=x
knt=x
[inject]
*=cmd.dll
[cmd]
srv=https://
wsrv=http://
psrv=http://xxx/
version=0.1
bsh=xxx
delay=7200
csrv=http://xxxx/
Any help with getting a workable dropper of this TDL variant is highly appreciated.
 #2115  by EP_X0FF
 Fri Aug 20, 2010 10:41 am
Thank you for the samples,

1281520512_exe.PE is classical TDL3.

config.ini
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=xxxx
affid=20034
subid=0
installdate=20.8.2010 10:36:45
builddate=11.8.2010 9:55:11
rnd=1960408961
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
Reviewing the next one, will update in a few minutes.

E_tmp.PE is the same sample.
F_tmp.PE is the same sample patched by the TDL loader to be a DLL (for injecting into spooler).
The last one also does not match the new TDL.

Regarding the amount of new stuff introduced by this new TDL, its dropper size should be around 100-200 KB.
Last edited by EP_X0FF on Fri Aug 20, 2010 10:49 am, edited 4 times in total. Reason: info added
 #2134  by Meriadoc
 Fri Aug 20, 2010 5:43 pm
Ah, changes :). Config has changed with no server info.
 #2135  by EP_X0FF
 Fri Aug 20, 2010 5:47 pm
Meriadoc wrote: Config has changed with no server info.
Well, actually I removed them manually :)
While we are all not sure what we have, it is evolving very quickly.

Here is the new one (thanks to a_d_13), aid and server info removed:
[main]
version=0.02
aid=x
sid=0
builddate=x
rnd=854245398
knt=1282302355
[inject]
*=cmd.dll
[cmd]
srv=https://xxx.com/;https://xxx/;https://x ... ps://xxxx/
wsrv=http://xxx.com/;http://xxxx/;http://xxx ... ttp://xxx/
psrv=http://xxxx.com/
version=0.11
bsh=xxxx
delay=7200
csrv=http://xxxxxxxx.com/
Indeed contains a fully working x64 loader driver.
Tdl dropper wanted :)
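Triage helper for the two config.ini layouts posted in this thread, added here as an example (not GMER's, the forum's, or any TDL code): it classifies a dump as classic TDL3 ([injector]/[tdlcmd]) or the newer [inject]/[cmd] layout, pulls the ';'-separated server lists and defangs them for reporting. Section and key names come from the posts above; the embedded sample configs are constructed placeholders, not real servers.

```python
"""Classify a TDL config.ini dump and extract its server lists (added example)."""
import configparser
import re

# Section layouts seen in this thread: classic TDL3 vs the newer variant.
LAYOUTS = {
    "TDL3": {"sections": {"main", "injector", "tdlcmd"},
             "servers": ("tdlcmd", "servers"), "inject": "injector"},
    "new TDL": {"sections": {"main", "inject", "cmd"},
                "servers": ("cmd", "srv"), "inject": "inject"},
}

# Constructed sample dumps (placeholder hosts), shaped like the posted configs.
TDL3_SAMPLE = """[main]
version=3.273
quote=placeholder quote text
affid=20034
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://c2-one.example/;https://203.0.113.7/
wspservers=http://wsp.example/
version=3.941
"""
NEW_SAMPLE = """[main]
version=0.02
aid=0
knt=1282302355
[inject]
*=cmd.dll
[cmd]
srv=https://c2-a.example/;https://c2-b.example/
delay=7200
csrv=http://c.example/
"""

def defang(url):
    """Rewrite http(s) to hxxp(s) so extracted URLs are not clickable in reports."""
    return re.sub(r"^http", "hxxp", url.strip(), flags=re.IGNORECASE)

def triage(text):
    """Parse an INI dump; return variant, main version, inject DLL and defanged servers."""
    # '=' only: URL values contain ':' which the default delimiters would split on.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    info = {"variant": "unknown", "version": cp.get("main", "version", fallback=None),
            "inject_dll": None, "servers": []}
    for name, layout in LAYOUTS.items():
        if layout["sections"] <= set(cp.sections()):  # all expected sections present
            section, key = layout["servers"]
            info["variant"] = name
            info["inject_dll"] = cp.get(layout["inject"], "*", fallback=None)
            info["servers"] = [defang(u) for u in cp.get(section, key, fallback="").split(";") if u.strip()]
            break
    return info
```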