A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1425  by EP_X0FF
 Tue Jul 06, 2010 10:55 am
Thank you for samples ;)

TDL3 is fresh.
[main]
version=3.273
quote=You people voted for Hubert Humphrey, and you killed Jesus
botid=
affid=20787
subid=0
installdate=6.7.2010 10:51:22
builddate=6.7.2010 10:10:13
rnd=515967899
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://19js810300z.com/;hxxps://lj1i16b0.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.82
 #1429  by PX5
 Tue Jul 06, 2010 2:47 pm
seriall.com added the tdl3 loader back a couple of days ago, don't know how fresh the sample itself is.
 #1441  by EP_X0FF
 Wed Jul 07, 2010 5:16 pm
I believe this bug is "by design"; it has been there since the beginning. Nobody expected multiple reinfections of the same system.
 #1443  by EP_X0FF
 Wed Jul 07, 2010 5:41 pm
The [main] section of config.ini stores the rootkit component version; since April it has been meaningless, as the authors stopped updating it. The current version can be determined as 3.28.
The [tdlcmd] section stores the actual tdlcmd.dll library version. The current latest available is 3.83/3.82 (the difference is in the server lists only).
tdlcmd.dll can be updated instead of the rootkit itself.
 #1444  by SecConnex
 Wed Jul 07, 2010 5:52 pm
So, when they update TDLCMD, they are switching server lists?

I see that they only do partial upgrades to only certain components with each release.
 #1445  by EP_X0FF
 Wed Jul 07, 2010 5:59 pm
DragonMaster Jay wrote: So, when they update TDLCMD, they are switching server lists?
Not only. Usually when the tdlcmd version "grows" along with a server list update, it means some additional modifications, for example new configuration values. As you see, config.ini is divided into parts, each responsible for something:

[main] - rootkit version, quote to be displayed in the debugger for analysts, botid, affid (see page 1 of this thread for more info) etc.
[injector] - when tdl3 was just released there were two libraries - tdlwsp.dll and tdlcmd.dll. This section is responsible for dll injection, where * means all running processes.
[tdlcmd] - keeps dll-specific information and configuration values (servers, version) etc.
DragonMaster Jay wrote: I see that they only do partial upgrades to only certain components with each release.
Currently yes, there have been no major updates since March. However, for fooling the AV industry (most of the vendors) it is enough.
I believe the major developers switched to another project (TDL4?) or simply left it.
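An added example, not code from this thread or from the TDL authors: a small parser for a config.ini laid out as described above, pulling out what post #1443 says each section carries (rootkit vs. tdlcmd.dll version, the ';'-joined server lists, the injection map). The sample text is constructed and its .invalid domains are placeholders.

```python
import re

# Constructed sample in the thread's config.ini layout; domains are .invalid placeholders.
SAMPLE = """[main]
version=3.273
quote=You people voted for Hubert Humphrey, and you killed Jesus
botid=
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://c2-a.invalid/;hxxps://c2-b.invalid/
wspservers=hxxp://wsp-a.invalid/
version=3.82
"""

def parse_tdl3_config(text):
    """Parse the INI-style config into {section: {key: value}}, keeping
    '*' keys, empty values and ';'-joined server lists verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

_URL = re.compile(r"^h(?:tt|xx)ps?://([^/]+)/?$", re.IGNORECASE)
def _host(url):
    m = _URL.match(url)
    return m.group(1).lower() if m else url

def server_hosts(cfg):
    """{list_name: [host, ...]} for every *servers key in [tdlcmd], with the
    defanged hxxp(s):// scheme and trailing slash stripped for blocklisting."""
    return {k: [_host(u) for u in v.split(";") if u]
            for k, v in cfg.get("tdlcmd", {}).items() if k.endswith("servers")}

def component_versions(cfg):
    """Per post #1443: [main] version is the stale rootkit component version,
    [tdlcmd] version is the version of the separately updatable tdlcmd.dll."""
    return {"rootkit": cfg.get("main", {}).get("version", ""),
            "tdlcmd": cfg.get("tdlcmd", {}).get("version", "")}
```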
 #1446  by SecConnex
 Wed Jul 07, 2010 6:13 pm
I do have some belief that TDL authors have some connection to a certain rogue AV family.

Over in my group, we have discussions on how the TDL authors could possibly damage a computer without making it unbootable, so they can secure their backdoor access. Right now, they have taken it very far.