A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6123  by PX5
 Sun May 01, 2011 8:31 am
Hang it up, folks, not a single cleaner works on the current infection; no need boasting this cleaner does or this cleaner doesn't.

Even in 2 live cases, attempts to boot from a Windows CD failed, I even tried booting from the UBCD4Win and it failed as well, so they have figured a way to monitor/hook cd-roms/DVD

Thought maybe it was a single isolated case but finding out other friends in the industry are running into the same scenario.

Again I state, nothing will clean this; esage and avast cleaners detect but fail to clean. After reboot, wait 7 minutes and you'll see what I'm talking about. ;)

------------------

Heh! ... I stand corrected: using the latest build of the Avast tool appears to have successfully cleaned up a single-core XP SP2 box.
Last edited by PX5 on Sun May 01, 2011 12:43 pm, edited 1 time in total.
 #6125  by erikloman
 Sun May 01, 2011 8:39 am
USForce wrote:Nothing too relevant, just changed the disposition of the hook devices. Anyway, looks like there's a bug in this variant of the TDL dropper when infecting x64 versions of Windows. Here it goes into an infinite loop when trying to call ZwDeviceIoControlFile with IOCTL_SCSI_PASS_THROUGH_DIRECT
I am having trouble as well trying to successfully run the sample on x64. Occasional freezing startups and occasional BSOD after login. I have never been able to successfully reach the desktop after infection. I am sure the TDL4 authors are working on it and this sample is just a prelude of things to come ...
 #6133  by erikloman
 Sun May 01, 2011 10:08 am
PX5 wrote:Even in 2 live cases, attempts to boot from a Windows CD failed, I even tried booting from the UBCD4Win and it failed as well, so they have figured a way to monitor/hook cd-roms/DVD
I think that problem is not TDL4 related but a problem of the PC itself. If this was actually caused by TDL4 then this would be a very big advancement in rootkit technology. IMO, improbable, but not impossible.
 #6137  by PX5
 Sun May 01, 2011 10:25 am
OK, just built live x64 Win7 machine, will do some more testing with USForce today.

Here are a few loaders that appear to have just hit our DB today.

3b07f3a8d03e357f82669e3e4eb51880
c6594a8d0b97048f4ca78ef07519ec8f
77a38231ed28c510c0710a9186b2bd7d
aa0226ca73acce147937cfee3e4f03b6
fb78b33c6862591573bc76f5e1e5aea7
089f0e7b6822755cc95d7e9fac045958
Attachments
 #6138  by PX5
 Sun May 01, 2011 1:24 pm
Win7 X64 live box, fully updated...

loader crashed the box,
got something about .net borking then it bsoded,
startup repair is running,

startup repair appears stuck :lol:
 #6143  by InsaneKaos
 Sun May 01, 2011 5:53 pm
@erikloman
Am I doing something wrong, or are these tools only capable of working with some versions of atapi.sys and not with other miniport drivers (like vmscsi, storport, ataport, etc.)?
The tools should be able to work with it, but I think that TDL can intercept here before any tool is able to touch the MBR. I don't know, I've never tested it with other miniport drivers.

@PX5
Even in 2 live cases, attempts to boot from a Windows CD failed, I even tried booting from the UBCD4Win and it failed as well, so they have figured a way to monitor/hook cd-roms/DVD
At BIOS-Bootup there is no way for the rootkit to hook the CD-Rom, normally. TDL begins to start after MBR is loaded.
Maybe, if the Live-CD was created on the infected system. Otherwise they have to patch a lot of different BIOS-Systems or the firmware of the CD/DVD itself.

Does the CD-ROM work correctly when Windows is loaded? If the CD-ROM is affected in any way by the rootkit, it could be possible that the firmware is patched, maybe overwriting something like the ability to boot.

Are these systems booted up by BIOS or do they already use UEFI?
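The discussion above turns on two points: TDL4 lives in the MBR and only gains control once the BIOS has loaded that sector, and a tool that reads the disk from inside the infected OS may be intercepted below the miniport before it ever sees the real sector. The defensive consequence is that MBR integrity has to be checked against a baseline captured from clean boot media. The following is an added example, not a tool from this thread or from any of the vendors named in it: it parses a 512-byte MBR, hashes the bootstrap code area, sanity-checks the partition table, and compares the bootstrap against a stored baseline hash. The two MBR images are constructed inline for illustration; `build_mbr`, `parse_mbr` and `check_mbr` are names chosen here, and the bootstrap bytes are placeholder data, not code from any real disk or sample.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 440            # bootstrap code lives before the 4-byte disk signature
PARTITION_TABLE_OFFSET = 446    # 4 x 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR

# Layout of one partition entry: status, CHS start (3 bytes, skipped),
# type, CHS end (3 bytes, skipped), starting LBA, sector count.
_ENTRY_FMT = "<B3xB3xII"


def build_mbr(bootstrap: bytes, partitions: list, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR sector for testing (not a real disk image)."""
    if len(bootstrap) > BOOTSTRAP_SIZE:
        raise ValueError("bootstrap too long")
    table = b"".join(struct.pack(_ENTRY_FMT, *entry) for entry in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return (bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")
            + struct.pack("<I", disk_sig)
            + b"\x00\x00"              # reserved / copy-protect field
            + table
            + BOOT_SIGNATURE)


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(_ENTRY_FMT, mbr, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOTSTRAP_SIZE)[0],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline
    and its partition table is structurally sane."""
    findings = []
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    # A bootkit that replaces the bootstrap code changes this hash even when
    # it leaves the partition table untouched so the system still boots.
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = [p for p in info["partitions"] if p["type"] != 0]
    for i in range(len(used)):
        for j in range(i + 1, len(used)):
            a, b = used[i], used[j]
            if (a["lba_start"] < b["lba_start"] + b["sectors"]
                    and b["lba_start"] < a["lba_start"] + a["sectors"]):
                findings.append("partition entries overlap")
    return findings


# Constructed sample data: a "clean" MBR captured from offline boot media, and a
# copy whose first two bootstrap bytes were altered while the table is intact.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"        # placeholder bytes
PARTITIONS = [(0x80, 0x07, 2048, 204800)]                    # one active NTFS-type entry
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTITIONS)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]   # stored from the clean read
MODIFIED_MBR = build_mbr(b"\xeb\xfe" + CLEAN_BOOTSTRAP[2:], PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["no findings"])
```

The baseline hash must come from a read taken while booted from trusted media; a hash computed through the running OS on an infected box reflects whatever the hooked disk stack chooses to return, which is exactly the interception InsaneKaos describes.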