A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3990  by sww
 Tue Dec 14, 2010 8:30 am
MS article? I saw only silly .ppt presentation.

And I wrote an article much earlier, just can't release it. Too much other work.
 #3992  by EP_X0FF
 Tue Dec 14, 2010 2:32 pm
Drop zone hxxp://www.cracksfinder.com/

All downloads are the TDL4 rootkit dropper. The server produces updated downloads every day.

http://www.virustotal.com/file-scan/rep ... 1292348969

Dropper and extracted files attached.
[main]
version=0.03
aid=30212
sid=3
rnd=117609710
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://rukkeianno.com/;hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://skolewcho.com/;hxxp://jikdooyt0.com/;hxxp://swltcho81.com/;hxxp://switcho81.com/;hxxp://rammyjuke.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15
Attachments
pass: malware
 #4000  by Jaxryley
 Wed Dec 15, 2010 3:20 am
 #4001  by EP_X0FF
 Wed Dec 15, 2010 3:47 am
Thanks for samples.

dg.exe is newest TDL4 dropper with exploit on board.
[main]
version=0.03
aid=40787
sid=0
rnd=1078081533
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://nl6fa53.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wsrv=hxxp://ijmgwareh0use.com/;hxxp://cljkcpixelabn.com/;hxxp://thynksn0taeg.com/;hxxp://jimgwareh0use.com/;hxxp://bestbanerget.com/;hxxp://pxlratator.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15
Others will be analyzed later.

edit:

Another TDL4

http://www.virustotal.com/file-scan/rep ... 1292385322
[main]
version=0.03
aid=30020
sid=0
rnd=1123561945
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://rukkeianno.com/;hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://skolewcho.com/;hxxp://jikdooyt0.com/;hxxp://swltcho81.com/;hxxp://switcho81.com/;hxxp://rammyjuke.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15
Second tdl file VT result
http://www.virustotal.com/file-scan/rep ... 1292440069
Attachments
yet another tdl4, pass: malware
pass: malware
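As an added example (not code from this thread or from any of the posters), a small Python parser for the config.ini dumps posted above: it pulls the ';'-separated srv/wsrv/psrv URL lists out of [cmd], undoes the hxxp/hxxps defanging, and turns the hosts into a blocklist that constructed DNS log lines can be checked against. The DNS log line format is an assumption.

```python
import configparser
from urllib.parse import urlparse

# TDL4 config.ini as posted in the thread (the aid=40787 dropper), embedded so this runs offline.
TDL4_CONFIG = """[main]
version=0.03
aid=40787
sid=0
rnd=1078081533
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://nl6fa53.com/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wsrv=hxxp://ijmgwareh0use.com/;hxxp://cljkcpixelabn.com/;hxxp://thynksn0taeg.com/;hxxp://jimgwareh0use.com/;hxxp://bestbanerget.com/;hxxp://pxlratator.com/
psrv=hxxp://cikh71ynks66.com/;hxxp://clkh71yhks66.com/
version=0.15
"""

def parse_tdl4_config(text):
    """Parse the INI-style config into {section: {key: value}}; keys like '*' and '* (x64)' are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case; ';' inside values is data, not an inline comment
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def refang(url):
    """Undo the hxxp/hxxps defanging used in the thread so urlparse can pick out the host."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url

def server_lists(config):
    """Return {srv|wsrv|psrv: [hostname, ...]} from the ';'-separated URL lists under [cmd]."""
    result = {}
    for key, value in config.get("cmd", {}).items():
        if key.endswith("srv"):
            result[key] = [urlparse(refang(u)).hostname for u in value.split(";") if u]
    return result

def blocklist(config):
    """Sorted, deduplicated hostnames across all lists, ready for a DNS sinkhole or proxy denylist."""
    return sorted({h for hosts in server_lists(config).values() for h in hosts})

def flag_dns_queries(config, log_lines):
    """Return log lines whose last field (assumed: the queried name) is a configured C2 host."""
    bad = set(blocklist(config))
    return [line for line in log_lines if line.split()[-1].rstrip(".").lower() in bad]
```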
 #4006  by PX5
 Wed Dec 15, 2010 10:57 am
Typical Koobface...

Should drop current TDL4 and SpyEye, along with koobroot and the koob spammer.

Loader is attached; it is actually an easier way to keep up with current koob links, and appears to run in a VM OK here.
Attachments
 #4021  by EP_X0FF
 Wed Dec 15, 2010 7:03 pm
hxxp://huekacugegujed.linkpc.net/maindirectory/

Public directory; the payload is the TDL4 rootkit dropper (see the second attachment to my previous post).
 #4090  by crazypctech2010
 Tue Dec 21, 2010 3:56 pm
Does anyone know if there is a tool that can scan all the computers on the network for this threat, or have a script that does this? I have no way to run individual removal tools on over 1,000 computers manually.
 #4200  by crazypctech2010
 Thu Dec 30, 2010 2:13 pm
I tried using PsExec, but tdsskiller.exe does not run silently; there is no way to make it run quietly and remove the TDSS rootkit without user interaction.

Is there any other utility that can remove TDSS/TDL4 without user input and can be run from the command line?