Rootkit TDL 2 (alias TDSS, Alureon.BK) - Page 2

PRAGMA******

#1156 by ConanTheLibrarian
Sun May 23, 2010 8:45 pm

PRAGMA********

Anyone seen this new TDSS variant?

I locks up the service key so that you can't remove it even when you remove the supporting files. I think its corrupts the key somehow. Regdelnull doesn't help.

Username

ConanTheLibrarian

Posts

56

Joined

Mon Mar 15, 2010 1:12 am

Location

USA

Contact

Re: PRAGMA******

#1158 by Maniac
Sun May 23, 2010 10:19 pm

I think this tool will be useful.
http://noahdfear.net/downloads/PragmaFix.exe

Username

Maniac

Posts

11

Joined

Sun May 09, 2010 2:57 pm

Location

Bulgaria, EU

Contact

Re: PRAGMA******

#1159 by EP_X0FF
Mon May 24, 2010 3:05 am

This one? :)

http://www.virustotal.com/analisis/d159 ... 1274670145
http://www.threatexpert.com/report.aspx ... 1fd314779d

edit:

look like a multiple dropper for Security Center fake av. Container with multiple embedded malwares inside.
Last one embedded malware is a downloader for Data Protection fake av with ability to uninstall detected antimalware products.

C:\WINDOWS\system32\msiexec.exe /i "
UninstallString
Shectro`ocb&#u&ghropotsu&ui`rqgtc&bcrcercb&ih&
ist&eikvsrct(&_is&hccb&ri&tckipc&#u&ui`rqgtc&`it&eittcer&ivctgroih&i`&rnc&#u(
Grrchroih<&O`&
is&bih
r&tckipc&#u&ui`rqgtc*&rnc&vct`itkghec&i`&
ist&eikvsrct&qojj&btgkgroegjj
&bcatgbc(
Vtcuu&$IM$&ri&tckipc&rnc&#u(
Software\Microsoft\Windows\CurrentVersion\Uninstall\
%PROGRAMFILES%\CyberScrub Privacy Suite\unins000.exe
%PROGRAMFILES%\Loaris\Trojan Remover\unins000.exe
{E58B329B-FB28-4874-90DE-0D7CB2709267}
%PROGRAMFILES%\BullGuard Ltd\BullGuard\uninst.exe
%PROGRAMFILES%\eScan\unins000.exe
"%ALLUSERSPROFILE%\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
"%PROGRAMFILES%\Spyware Doctor\unins000.exe" /LOG
%PROGRAMFILES%\Zone Labs\ZoneAlarm\zauninst.exe
"%PROGRAMFILES%\Enigma Software Group\SpyHunter\Uninstall.exe" "%PROGRAMFILES%\Enigma Software Group\SpyHunter\install.log"
"%PROGRAMFILES%\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
%PROGRAMFILES%\Agnitum\Outpost Firewall Pro\unins000.exe
"%PROGRAMFILES%\AVG\AVG9\setup.exe" /UNINSTALL
"%PROGRAMFILES%\InstallShield Installation Information\{BBE2F69C-4338-11D7-8F0C-00A0244F4E2D}\setup.exe" -runfromtemp -l0x0009
removeonly
"%PROGRAMFILES%\InstallShield Installation Information\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\SETUP.exe" -l0x9 -removeonly
%PROGRAMFILES%\Tall Emu\Online Armor\unins000.exe
"%PROGRAMFILES%\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
"%PROGRAMFILES%\COMODO\COMODO Internet Security\cfpconfg.exe" -u
"%PROGRAMFILES%\Microsoft Security Essentials\setup.exe" /x
AVG8Uninstall
{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}
{9D8B0949-7C47-476F-9F06-F900D3B078EA}
{BB0500E8-A6D5-4D66-A4F9-1457530E5B6F}
{E8EA933E-03A2-4E62-9F52-812C72BE2A6B}
{D591CD44-8362-41B4-9765-E315AFFF54FC}
{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}
{15C418EB-7675-42be-B2B3-281952DA014D}
{17071117-5BB2-4737-B05B-C5FABD367313}
{034759DA-E21A-4795-BFB3-C66D17FAD183}
InstallWIX_InstallWIX{943B6738-4801-4982-90EC-0442EF7AEB16}
InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
InstallWIX_{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
CyberScrub Privacy Suite
Loaris Trojan Remover
Prot Antivirus
BullGuard
E scan
Ad-Aware
Spyware Doctor
ZoneAlarm
SpyHunter
Hitman Pro 3.5
Outpost Firewall Pro
AVG9
Dr. Web
Panda Security
Online Armor
COMODO Internet Security
Microsoft Security Essentials
F-Secure Product 444
F-Secure Pegasus Engine
F-Secure Management Agent
F-Secure Localization API
F-Secure Internet Shield
F-Secure HIPS
F-Secure Help
F-Secure GUI
F-Secure Gemini
F-Secure GateKeeper Interface
F-Secure FWES
F-Secure E-mail Scanning
F-Secure Diagnostics
F-Secure DAAS
F-Secure Automatic Update Agent
F-Secure Anti-Virus Client Security Installer
F-Secure Anti-Virus
F-Secure Anti-Spyware Scanner
F-Secure Anti-Spyware
Malwarebytes' Anti-Malware_is1
NOD32
Agnitum Outpost Security Suite Pro_is1
Avira AntiVir Desktop
MSC
avast!
AntiVir PersonalEdition Classic
AVG8
NIS
Spycheck Antispyware
Kaspersky Internet Security
Symantec
Priwate FireWall
Malwarebytes
Bit Defender
Sophos
Sophos Client Firewall
Sophos Antivirus
Kaspersky 2010
Kaspersky 2008
Kaspersky 2009
F-Secure Web Filter
F-Secure Uninstall
F-Secure TNB
F-Secure Spam Scanner
F-Secure Spam Control
F-Secure Protocol Scanner
regsvr32 /s "
URLInfoAbout
Publisher
DisplayVersion
DisplayName
DisplayIcon
_favdata.dat
ver
subid
affid
Printers\Connections
Installer
%s%s/readdatagateway.php?type=stats&affid=%s&subid=%s&installok&version=%s
-support
-settings
-scan
-buy
-activate
-about
-update

Attachments

malware.rar

pass: malware
(375.15 KiB) Downloaded 77 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Vundo WinSecurity

#1407 by EP_X0FF
Sun Jul 04, 2010 4:17 am

Comes from hxxp://highsecurityscan.com/?affid=336&subid=landing, fake AV scanner page.

Code: Select all

  window.downloadUrl="/dl.php?f=NTcrNjkjNmU1MyE2NX02MyQ3NSo3Ml82OTc0Nzk0OSE2ZS03Mzc0NjEtNmMhNmMpNjU3MjJlfTY1JTc4NjU=";
    window.exploitUrl="/dl.php?f=NTcrNjkjNmU1MyE2NX02MyQ3NSo3Ml82OTc0Nzk0OSE2ZS03Mzc0NjEtNmMhNmMpNjU3MjJlfTY1JTc4NjU=";
    window.malwareScanner.SetCookie("affid", "402");
    window.malwareScanner.SetCookie("subid", "landing");

Drops downloader

http://www.virustotal.com/analisis/132b ... 1278216246

Downloader packed with packer related to TDL2 family (.SRT)

Unpacked downloader readable string

UNKNOWN
%s%s%d.tmp
TMP
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Russia
Uzbekistan
Ukraine
Czech Republic
Poland
.exe
_favdata.dat
\AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
Russia

Downloads additional malware from

hxxp://Traffic-Photos.com/ms05/ad
hxxp://www.easysecurityscan.com/ms05/ad
hxxp://www.fastanyprime.com/ms05/ad

http://www.virustotal.com/analisis/ea47 ... 1278216348

Similar to earlier analyzed by me http://forum.sysinternals.com/rootkit-t ... age23.html
Both downloader and payload in attach.

Attachments

Malware.rar

pass: malware
(417.9 KiB) Downloaded 76 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Lavasoft TDL2 2012 research

#14260 by rkhunter
Mon Jun 25, 2012 12:10 pm

Guys, I'm really surprised that someone find interesting in research of TDL2 in 2012
http://www.lavasoft.com/mylavasoft/secu ... ies-part-3.

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Lavasoft TDL2 2012 research

#14269 by nullptr
Mon Jun 25, 2012 2:23 pm

lol

In the next issue we will give an overview of QVOD worm family which extracts rootkit driver to hide start up registry keys.

I can hardly wait!

Username

nullptr

Posts

209

Joined

Sun Mar 14, 2010 6:35 am

Re: Rootkit TDL 2 (alias TDSS, Alureon.BK)

#19031 by EP_X0FF
Sun Apr 21, 2013 3:29 pm

Two TDL2 droppers.

SHA256: 3393dc36f22eff6a277e19dea4cadc7907341f32191903d2c268076cd6393e85
SHA1: a930fe38105a9ad7642a5827e000658119f53894
MD5: 1e8f09925bea0f1d7ffbc002830be876

https://www.virustotal.com/en/file/3393 ... /analysis/

SHA256: fa80397a641ea515d717f96855e1b2a5dbb85957b521755f84c02d26f3118125
SHA1: 6e3bf0397e8b52106290dbc88e8d382cedc48ce1
MD5: 1d87e3882a8b7775ac184fc58518cd81

https://www.virustotal.com/en/file/fa80 ... /analysis/

This crap still can be found ITW.

Attachments

Malware.rar

pass: infected
(169.32 KiB) Downloaded 73 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact