A forum for reverse engineering, OS internals and malware analysis 

 #4272  by EP_X0FF
 Wed Jan 05, 2011 6:20 am
Thread split. PRAGMA-related discussion moved to a specially created separate thread about TDL modifications.

Original TDL3 discussion moved to a separate topic.

Alureon DNS hijacking bot discussion moved to separate topic.

First thread post updated to include TDL4 common information and links to useful articles/tools.
 #4317  by EP_X0FF
 Fri Jan 07, 2011 6:20 am
Usual TDL4
[main]
version=0.03
aid=30067
sid=0
rnd=2052111302
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://9669b6b96b.com/;hxxps://86b6b96b.com/;hxxps://lkaturl11.com/;hxxps://kangojjm1.com/;hxxps://lkaturl71.com/
wsrv=hxxp://gnorenyawr.com/;hxxp://runderwayr.com/;hxxp://jikdoout0.com/hxxp://swltch0o.com/;hxxp://rammjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15
thread moved
 #4374  by EP_X0FF
 Sun Jan 09, 2011 12:29 pm
x86-32 cmd.dll updated to 0.163, cmd64.dll not changed.

In the attachment: dropper and unpacked cmd.dll.
D:\projects\cmd\Win32\Release\Temp\cmd\cmd.pdb
dropper wrote:
Well, let's not start sucking each other's dicks quite yet.
Jules, if you give that fuckin' nimrod fifteen hundred dollars, I'm gonna shoot him on general principles.
[main]
version=0.03
aid=30136
sid=0
rnd=790525478
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://9669b6b96b.com/;hxxps://86b6b96b.com/;hxxps://lkaturl11.com/;hxxps://kangojjm1.com/;hxxps://lkaturl71.com/
wsrv=hxxp://gnorenyawr.com/;hxxp://runderwayr.com/;hxxp://jikdoout0.com/hxxp://swltch0o.com/;hxxp://rammjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.163
Attachments
pass: malware
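The two config dumps in this thread share the same [main]/[inject]/[cmd] layout, and both carry the same quirk in the wsrv list (no ";" between jikdoout0.com and swltch0o.com). The following Python is an added example, not code from the thread or from any poster: it parses a dump into sections and pulls out the affiliate id, both version fields, the injected module names and the C2 host lists, tolerating the missing separator. The sample config is constructed from the posted values; the function names are assumptions of this example.

```python
import re

# Constructed sample in the layout of the TDL4 configs quoted in this thread;
# the server lists keep the defanged hxxp/hxxps scheme exactly as posted.
SAMPLE_CFG = """[main]
version=0.03
aid=30136
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://9669b6b96b.com/;hxxps://86b6b96b.com/;hxxps://lkaturl11.com/
wsrv=hxxp://gnorenyawr.com/;hxxp://jikdoout0.com/hxxp://swltch0o.com/
psrv=hxxp://crj71ki813ck.com/
version=0.163
"""

def parse_tdl4_config(text):
    """INI-like text -> {section: {key: value}}. configparser is avoided:
    'version' is repeated across sections and '* (x64)' is an odd key."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

# scheme://host plus optional trailing slash; the dumps carry bare hosts only.
URL_RE = re.compile(r"hxxps?://([^/;\s]+)/?")

def c2_servers(sections):
    """{list_name: [host, ...]} for the srv/wsrv/psrv lists of [cmd]. Entries
    are normally ';'-separated, but the posted dump has 'jikdoout0.com/hxxp://
    swltch0o.com/' with no separator, so hosts are matched, not split."""
    cmd = sections.get("cmd", {})
    return {k: URL_RE.findall(cmd[k]) for k in ("srv", "wsrv", "psrv") if k in cmd}

def summarize(text):
    """The fields an analyst records per sample: affiliate id (aid), config
    and cmd.dll versions, injected module names, C2 hosts."""
    s = parse_tdl4_config(text)
    return {"aid": s["main"].get("aid"), "cfg_version": s["main"].get("version"),
            "cmd_version": s.get("cmd", {}).get("version"),
            "inject": s.get("inject", {}), "c2": c2_servers(s)}

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_CFG))
```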
 #4379  by AaLl86
 Sun Jan 09, 2011 5:15 pm
Hi all!
After hours spent in research I would like to share with you all my own TDL4 analysis paper, which explains how to debug TDL4...
This guide is a brief introduction, but you can find useful information in it...

The analysis paper link is:
http://www.aall86.altervista.org/TDLRoo ... _Paper.pdf

I'd appreciate it if someone told me what they think about it, and keep in mind that English is not my native language....
Have a nice evening!

by AaLl86
 #4391  by PerpetualHorizon
 Tue Jan 11, 2011 4:54 am
Greetings. I recently blogged about a TDL4 infection: memory analysis with Volatility and dumping the TDL filesystem with a tool from Michael Ligh. The infection analyzed was from somewhere around October 2010.

http://perpetualhorizon.blogspot.com/20 ... ds-of.html

Thanks for all of the useful information in this thread - this is an excellent resource.

Perpetual Horizon
 #4401  by PerpetualHorizon
 Tue Jan 11, 2011 4:56 pm
rossetoecioccolato wrote:
> For unknown reasons, my memdump tool of choice Moonsols win32dd did *not* work on this box
> - but Mandiant's memorydd.bat worked properly. <

Thanks for sharing. Did you ever determine why win32dd didn't work? Did you try renaming it? What command lines did you try?

Rossetoecioccolato,

I'm not sure - I did not try renaming it however. I tried various command lines - but I did not document the failure specifically. In hindsight it would have been good to report to Mathieu. It seemed to be a problem in the core functionality and modifying the command lines didn't make any difference. I'm concerned about evasion of memory dumping tools, but I didn't specifically think that TDL had been engineered to perform an anti-memory dump technique. I have the TDL4 filesystem if you would like to mess with it.

PH
 #4426  by Quads
 Wed Jan 12, 2011 10:23 pm
Hmmm, has anyone tried to fix the boot sector (MBR) on a netbook, i.e. with no CD/DVD drive? It is an XP system, and it looks like it could be a TDL4 infection; being XP, on restart all the system gets to now is a flashing white cursor, it can't find the boot record.

I only have bootable CDs, but seeing as there is no CD/DVD drive...

Quads