 #2249  by EP_X0FF
 Tue Aug 24, 2010 2:59 pm
This reminds me of how Rustock.C was revealed in 2007 :) I think we all should just wait. Undetectable rootkits do not exist.
According to what we know, the dropper is the primary target.
 #2267  by rossetoecioccolato
 Tue Aug 24, 2010 11:47 pm
Bet rossetoecioccolato will love this part.
Not surprising given antivirus's stellar performance at finding new malware. What interests me more is that the program which you display runs without having to rename it or doing anything to disguise its presence. TDL3 doesn't care! He's got nothing to hide. I wonder...
 #2273  by SecConnex
 Wed Aug 25, 2010 2:26 am
^^ It's not like that. Teasing with knowledge is not the aim here. We are all combining our efforts to focus on figuring out what this infection routine is all about.
 #2280  by EP_X0FF
 Wed Aug 25, 2010 6:15 am
This data was collected by one person (a_d_13) and shared between trusted people, not simply because he wanted to write an "article" or whatever.

Things shared on principles of trust can be published only with the agreement of the original researcher.

Take a rest guys, TDL will not eradicate itself today or tomorrow. It will be with us for at least a few years.
 #2284  by EP_X0FF
 Wed Aug 25, 2010 9:21 am
Classical TDL3
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
botid=xxx
affid=xxxx
subid=0
installdate=25.8.2010 9:20:18
builddate=25.8.2010 9:0:5
rnd=1960408961
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
 #5393  by EP_X0FF
 Thu Mar 10, 2011 4:07 am
TDL3 is back as a remake by the TDL4 authors.
[main]
version=1.1
botid=3f1b98c6-07dd-4f7d-a650-30bb6f39b0a3
affid=10008
subid=1
installdate=10.3.2011 4:3:4
builddate=8.3.2011 19:35:6
[injector]
*=cmd.dll
[cmd]
servers=hxxp://winupdateserver.su/version;hxxp://softwareupdateservice.ru/version;hxxp://winupdateservices.com/version;hxxp://updateconnection.com/version;hxxp://cloudnanoconnnection.info/version
version=1.0
Servers are not secured. Grab the data.
insert into incoming_log(id1, id2, guid, ver, dom, client_ip, timestamp, country, type) values (1, 1, , , , 213.229.84.96, 1298585207, GB, 1);
Infinite loop of blue screens after reboot.

New tdlcmd attached. It's fully redesigned. Only three commands are left: ConfigWrite, DeleteSpecifiedFile, DownloadFile.
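An added example, not code from the thread, that parses the config layout shown in both posts above for triage: it maps the injector's "*" entry to the command section ("tdlcmd" in the 3.x config, "cmd" in the 2011 remake) and collects the defanged C2 hosts. The sample config and its hostnames are constructed placeholders.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the TDL3 config layout posted above; all values are placeholders.
SAMPLE_CFG = """[main]
version=1.1
botid=00000000-0000-0000-0000-000000000000
affid=10008
subid=1
installdate=10.3.2011 4:3:4
builddate=8.3.2011 19:35:6
[injector]
*=cmd.dll
[cmd]
servers=hxxp://c2-one.invalid/version;hxxp://c2-two.invalid/version;hxxp://c2-one.invalid/version
version=1.0
"""


def parse_tdl_config(text):
    """Parse the ini-style config into {section: {key: value}}, keeping key case
    so the injector's '*' (inject into every process) survives as a key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def command_section(cfg):
    """The injector maps '*' to the payload DLL; that DLL's base name is the
    section holding the C2 lists ('tdlcmd' for tdlcmd.dll, 'cmd' for cmd.dll)."""
    return cfg.get("injector", {}).get("*", "").rsplit(".", 1)[0]


def c2_hosts(cfg):
    """Unique hostnames from every '*servers' key of the command section.
    URLs stay defanged (hxxp) in the config; the scheme is un-defanged only
    so urlparse can split out the host, never to contact anything."""
    hosts = set()
    for key, value in cfg.get(command_section(cfg), {}).items():
        if key.endswith("servers"):
            for url in filter(None, value.split(";")):
                hosts.add(urlparse(url.replace("hxxp", "http", 1)).hostname)
    return sorted(h for h in hosts if h)


def summarize(text):
    """Triage summary: bot/module versions, build and install dates, C2 hosts."""
    cfg = parse_tdl_config(text)
    main, module = cfg.get("main", {}), command_section(cfg)
    return {"bot_version": main.get("version"), "module": module,
            "module_version": cfg.get(module, {}).get("version"),
            "builddate": main.get("builddate"), "installdate": main.get("installdate"),
            "c2_hosts": c2_hosts(cfg)}
```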
 #5394  by EP_X0FF
 Thu Mar 10, 2011 8:29 am
Bamital extracted from the TDL3 command & control server, 2302 items.

Multipart archive divided into 9 parts.
pass: malware