A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10413  by rkhunter
 Fri Dec 16, 2011 5:31 pm
erikloman wrote:Hi all. I am looking for a specific TDL4 (or variant) dropper that uses ACPI.sys (XP 32-bit) to conceal its DEVICE_OBJECT hijacking. Thanks!
As i remember device for hijacking (and driver accordingly) depends from your system configuration (driver stack), not from tdl version...
 #13580  by erikloman
 Thu May 31, 2012 5:41 pm
New variant Alureon.K is spreading.
Blocks tools like aswMBR, TDSSKiller, GMER, etc.
Hooks at miniport level to hide sectors.
Has a watchdog that restores IRP_MJ_SCSI, StartIo pointers if changed; ala TDL3/4.
Loads from extra partition.
Protects both MBR and 'VBR' sector (to hide the extra partition).
Additional partition presumably is a VBR but its not (has NTFS marker, but has partition table as well).
This is what I could gather from infected system past hour.

Anyone has more info on this?
 #13583  by rkhunter
 Thu May 31, 2012 6:40 pm
erikloman wrote:
kmd wrote:what is the diff with maxss? from what i read this is maxss known since last november.
Doh you are right :oops:
I compared the VBR I got from the infected machine with the one in this post and they are the same.
Your reply was very helpful. Thanks!
R.I.P. tdl4 again
 #13919  by krazylary
 Tue Jun 12, 2012 9:03 am
First post Glad to be here.

Don't know if This is still going but I am 95% sure got a alureon file "temp.exe". I passed it threw hexrays 1.7 saved as a c file

Let me know what you find as far as the tmp.exe. This came from a persistent xss on a very large corp site i am doing work for.
Attachments
Password: malware and the files are ++Infeted++
(209.21 KiB) Downloaded 146 times
 #14867  by zaafar
 Wed Jul 25, 2012 11:14 am
I am doing some analysis of TDL4 behaviour, for educational purposes. I ran tdl4 binary on few machines.
What i didn't understand was that

1:- TDL4 couldn't contact its server and keep repeating dns failed queries. (internet connection was working well)
2:- It was also doing dns queries other than the list of srv in its cfg.ini file. Where are dns domain list located other then the list provided in cfg.ini file???
3:- I was using version 0.31 binary and it wasn't doing any p2p communication using kad module. Why is that? I thought TDL4 do p2p communication if it couldn't find any server.


I am attaching the binary I was using and list of files on its file system.
Attachments
TDL4 binary
password:malware

(141.22 KiB) Downloaded 149 times
FIles from TDL4 File System
password:malware

(86.84 KiB) Downloaded 127 times
  • 1
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60