A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2476  by erikloman
 Sat Aug 28, 2010 7:58 pm
Since people are posting here about blog articles from Symantec and Prevx, I might as well post a link to a blog post of a few days ago about Hitman Pro detecting 64-bit TDL3 (sorry no removal yet, but this variant is not yet widespread so we have some time to write removal code :roll: )
http://hitmanpro.wordpress.com/2010/08/ ... 3-rootkit/

There is also a movie illustrating the infection and detection:
http://www.youtube.com/watch?v=rMS-kxbo5fc

I would like to thank Fabian for the dropper and EP_X0FF for this excellent forum.
 #2486  by LeastPrivilege
 Sun Aug 29, 2010 2:59 pm
Microsoft says:
"Proactive detection for this threat and the malware that tries to install it has been available since Aug. 6 for customers of Microsoft Security Essentials...."
Hmmm, somehow I don't believe this. I think I will go test this now.
 #2490  by Every1is=
 Sun Aug 29, 2010 6:12 pm
LeastPrivilege wrote:This should be a lesson for people who own retail OEM machines that use recovery partitions to backup their MBR and put it away for safe keeping.
You do NOT want to know how many people get their OEM machines, and as we all know, you almost constantly get hammered with the "create recovery disks" nag-screens. Sometimes you REALLY have to put in a bit of effort to NOT make them and get that message to disappear. And STILL people won't have their recovery disks when trouble comes around the corner. It's just dumb.

Another thing that just popped into my mind: when is a new version of TDL considered a new variant? There are many versions, as I seem to be able to make out from you guys' posts. But now that the 64-bit version is here, it is still called TDL3, while I assume it will have taken them quite a bit of an overhaul to make it there. Sooo... TDL3-x64 then? ;) But when would it be called TDL4, what would justify/qualify it for that? :)
 #2491  by Every1is=
 Sun Aug 29, 2010 6:16 pm
EP_X0FF wrote:MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
Private... as in... ? Not open source or as in part of a security suite? Or... just a tool which we will have to pay for?
I do think it is worth something. People do not realize how much time and effort goes into fixing this sort of thing and whambamthankyoum'am is nice, but those same people turn around and... well. Dunno. People take it for granted to get helped out for nothing, and even have demands about it. Don't know how to put that correctly in English. Still, I guess you know what I mean.
 #2492  by B-boy/StyLe/
 Sun Aug 29, 2010 9:51 pm
IndiGenus wrote:
LeastPrivilege wrote:This should be a lesson for people who own retail OEM machines that use recovery partitions to backup their MBR and put it away for safe keeping.
Tis a good point. Though most "average" PC users would never know to do this. Nor would they know how it's done even if someone told them. Do any of the OEM's such as Dell, HP, etc... provide a tool for doing this? Something that is a simple point and click tool?
I'm happy enough using http://www.macrium.com/reflectfree.asp

I'm gonna test it with TDL3 when I have some free time.
Regards,
G. ;)
 #2493  by LeastPrivilege
 Sun Aug 29, 2010 11:02 pm
UAC effectively prevents the dropper from executing in a Win 7 test box (both x86 and x64). One thing I noticed in my tests, when the dropper executes on 7 (x64), the PC immediately reboots to load the malware while on 7 (x86) it does not. I waited several minutes for an automatic reboot on numerous tests with (x86), but no go. Strange.
 #2494  by Fiery
 Sun Aug 29, 2010 11:14 pm
LeastPrivilege, please read the above. It has already been said that in 64 bit machines, the rootkit reboots the computer immediately in order to infect the PC. While in 32 bit, there is no change from previous versions.
 #2495  by dlimanov
 Mon Aug 30, 2010 2:30 am
Native Win7 bootrec.exe /fixmbr takes care of it on Win7 systems; for all others you can use MBRWiz (free CLI version) to restore the original MBR image. Worked like a champ on my VM. I wonder how to correct an infected multiboot MBR if you don't have a backup; looks like you're screwed.
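The "back up your MBR and put it away for safe keeping" advice quoted above, and the fixmbr-style restore dlimanov describes, as an added worked example in Python. This is not code from the thread, from Hitman Pro, MBRCheck, MBRWiz or bootrec; it works on a constructed in-memory disk image so it runs offline. Reading the real sector 0 would need raw device access with administrator rights (for example opening \\.\PhysicalDrive0 on Windows), which is deliberately left out. The region offsets (boot code 0..439, NT disk signature at 440, partition table at 446, 55 AA at 510) are the standard MBR layout; the sample boot code, disk signature and partition entry are constructed values.

```python
"""Back up, verify and restore the boot code of an MBR (added example, not from the thread)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries up to byte 509
BOOT_SIGNATURE = b"\x55\xaa"


def is_valid_mbr(sector: bytes) -> bool:
    """A sector can only be an MBR if it is 512 bytes long and ends in 55 AA."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": lba_count})
    return entries


def mbr_fingerprint(sector: bytes) -> dict:
    """Hash each region separately so a report can say *which* part changed."""
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Return, per region, whether the current MBR differs from the saved baseline."""
    b, c = mbr_fingerprint(baseline), mbr_fingerprint(current)
    return {region: b[region] != c[region] for region in b}


def restore_boot_code(disk: bytearray, baseline: bytes) -> None:
    """Write back only the boot-code bytes and leave the live partition table alone,
    the same split a fixmbr-style repair relies on."""
    disk[:BOOT_CODE_END] = baseline[:BOOT_CODE_END]


def build_sample_disk() -> bytearray:
    """Constructed 4-sector disk image with a clean MBR in sector 0."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + bytes(BOOT_CODE_END - 4)  # constructed stub
    disk_sig = b"\x11\x22\x33\x44"                                          # constructed value
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)             # bootable NTFS entry
    table = entry + bytes(48)                                               # three empty slots
    mbr = boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return bytearray(mbr) + bytearray(SECTOR_SIZE * 3)


def demo() -> dict:
    """Take a baseline, detect a later boot-code change, restore, re-check."""
    disk = build_sample_disk()
    baseline = bytes(disk[:SECTOR_SIZE])            # the copy you "put away for safe keeping"
    disk[0:16] = b"\xEB\xFE" + bytes(14)            # constructed: sector 0 boot code altered
    after_change = compare_mbr(baseline, bytes(disk[:SECTOR_SIZE]))
    restore_boot_code(disk, baseline)
    after_restore = compare_mbr(baseline, bytes(disk[:SECTOR_SIZE]))
    return {"after_change": after_change, "after_restore": after_restore}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Hashing the three regions separately is the point: a boot-code-only difference with an unchanged partition table is the pattern a bootkit leaves, whereas a changed partition table is more often a legitimate repartition, and the restore step deliberately copies back only the boot code so a stale backup cannot clobber partitions created after it was taken.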
 #2497  by EP_X0FF
 Mon Aug 30, 2010 3:32 am
Every1is= wrote:
EP_X0FF wrote:MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
Private... as in... ? Not open source or as in part of a security suite? Or... just a tool which we will have to pay for?
Not paid :) This is a part of a toolkit used by trusted people. The number of users is limited and if I don't know you well you can't get anything from it :) But this is offtopic.