[frank_boldewin]

How the TLD4 rootkit gets around driver signing policy on a 64-bit machine

http://sunbeltblog.blogspot.com/2010/11 ... river.html

[Blur]

How the TLD4 rootkit gets around driver signing policy on a 64-bit machine

http://sunbeltblog.blogspot.com/2010/11 ... river.html

Lol, you're completly wrong ! Read MS article at last

P.S. LoadIntegrityCheckPolicy removed long time ago...

[EP_X0FF]

@Blur

As in fact this is not Franks article.
Lets give kids in SB a try.

[STRELiTZIA]

Hi, just 4 fun...
TDL3.0 old with two injectors: tdlwsp.dll and tdlcmd.dll for your collection ;)

[main]
version=3.0
botid=f8eae8b1-c356-4f04-a4e4-780e866e8ff2
affid=10064
subid=0
installdate=15.11.2010 11:51:37
[injector]
svchost.exe=tdlcmd.dll
*=tdlwsp.dll
[tdlcmd]
servers=https://h3456345.cn/;https://h9237634.c ... 7.174.173/

TDL path evolution:

ASCII "\\?\globalroot\Device\Ide\IdePort1\stbdvbvp\stbdvbvp\tdlwsp.dll" -->> TDL3.0
ASCII "\\?\globalroot\dpqnbsft\ioyxvpji\tdlcmd.dll" -->> TDL3.273
ASCII "\\?\globalroot\device\00000219\5d3885c0\cmd.dll" -->> TDL4.03

[markusg]

http://www.file-upload.net/download-297 ... 3.rar.html

http://www.virustotal.com/file-scan/rep ... 1289932860

[Meriadoc]

http://www.file-upload.net/download-297 ... 3.rar.html

http://www.virustotal.com/file-scan/rep ... 1289932860

Patches System files and drops a whole lot of crap.

Rootkit
http://www.virustotal.com/file-scan/rep ... 1288024474

Hidden Service foezbhyuo
... registry, kernel level driver foezbhyuo value "1" foezbhyuo also has order of HKLM\SYSTEM\ControlSet\Services\foezbhyuo "Group"="Boot Bus Extender"
foezbhyuo.sys
NDIS.sys both read access so can be difficult.

trash : https://rapidshare.com/files/431425449/trash.rar
pass=malware

LoL,

[Meriadoc]

markusg's sample works better with .NET Framework.

So much to have a look at, of course nondescript file names change.

[PX5]

http://www.virustotal.com/file-scan/rep ... 1290107388

[STRELiTZIA]

http://www.virustotal.com/file-scan/rep ... 1290107388

Hi,

[main]
version=0.03
aid=30002
sid=0
builddate=4096
rnd=1336601894
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://rukkeianno.com/;https://kangoji ... 6b6b6.com/
wsrv=http://skolewcho.com/;http://jikdooyt0. ... yjuke.com/
psrv=http://cri71ki813ck.com/
version=0.15

TDL4.03 Files attached.

Regards.

[Jaxryley]

http://www.file-upload.net/download-297 ... 3.rar.html

http://www.virustotal.com/file-scan/rep ... 1289932860

Drops just about everything. Rooters, virut and fake MSE alert.

Had to boot from a live cd then zip ndis.sys in order to harvest.

Droppers.rar

Pass:
malware
(4.04 MiB) Downloaded 106 times