topic Re: TDL evolving in Tech Outpost

TDSSkiller / TDL4

Quads — Mon, 17 May 2010 21:53:14 GMT

TDSSkiller now correctly detects and cures TDL4 (as of Today)

I tested only like 10 minutes ago, The scan checks via the raw I/O.

Screenshot below, plus attached to this post is the log of the scan

Be aware though if you are infected with more than TDL3 / TDL4, like the thread for houston,

http://community.norton.com/t5/Other-Norton-Products/Ads-popping-up-randomly-and-cannot-open-task-manager/td-p/229633

This may mean that TDSSkiller may not work due to other Malware blocking it. Other Malware may have to be stopped first and maybe removed before using TDSSkiller.

Multiple infections have to be stopped a lot of the time in the correct order of steps.

Quads

Re: TDSSkiller / TDL4

Quads — Wed, 19 May 2010 09:34:01 GMT

The latest TDL (Tidserv) I have found,

http://www.virustotal.com/analisis/1531b39e217bbac673b621b0f6a5f020ebae48a216832cf3d038ff65d46d1883-1274240886

I have the list of servers (not posted here)

Quads

Re: TDSSkiller / TDL4

Quads — Wed, 19 May 2010 14:11:24 GMT

UPDATE:

After infecting the PC with the latest installer,

TDSSkiller, Did not detect the driver

TDSS Remover, Did not detect the driver

http://www.virustotal.com/analisis/474509fae08f6040fc69366d628ac7e23645e53e41d3882f2375d2773196daf4-1274276299

Intrusion Prevention

For some reason, (maybe something went wrong, but I had to swap "kernel32.dll" over to.

Quads

Re: TDSSkiller / TDL4

Quads — Thu, 20 May 2010 01:10:30 GMT

I did find a product that doesn't need to be installed scanned and detected the infected swapped drivers,

One Problem, it deleted the drivers while still scanning, didn't wait and ask the user if the files were to be deleted, Just deleted.

Quads

Re: TDSSkiller / TDL4

mo — Fri, 21 May 2010 01:45:11 GMT

Thanks Quads

Does not look like they are slowing down in producing these things.:smileysad:

Re: TDSSkiller / TDL4

Quads — Sun, 23 May 2010 04:29:17 GMT

It the "Backdoor.TDSS.2459" variant that TDSSkiller and TDSS Remover can't detect

Quads

Re: TDSSkiller / TDL4

Quads — Mon, 24 May 2010 09:51:59 GMT

There are Rogues one being "Data Protection" that come with a TDL2 variant "PRAGMA"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]

"slrd"=dword:00000018

"slrm"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\injector]

"explorer.exe"="pragmaserf"

"iexplore.exe"="pragmaserf;pragmabbr"

"firefox.exe"="pragmabbr"

"safari.exe"="pragmabbr"

"chrome.exe"="pragmabbr"

"opera.exe"="pragmabbr"

http://www.virustotal.com/analisis/d159f0059cfb2f1919cd4017e197a9167eca556fd2d32e02fea04ac7c1fd7bb2-1274670145

http://www.threatexpert.com/report.aspx?md5=0d41357d15d5cff6ac74a81fd314779d

With the ability to try and uninstall Security Software as part of the rogue

Quads

Re: TDSSkiller / TDL4

Quads — Tue, 25 May 2010 22:31:51 GMT

Interesting I was reading the Symantec "Backdoor.Tidserv" Writeup

Warning, it's a mix and match of different TDL2's and TDL3's

Including this entry

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys" which actually belongs to "Backdoor.Tidserv.J"

I can see how people reading the writeup are going to get confused, seeing the different variants in one writeup. When a lot of the variants have to be looked at separately due to differences

Including differences in the removal procedures and programs used.

Sure a PC may be infected with more than one TDL2 (more than on set of files and registry entries) or TDL2 +TDL3. But the removal of them have to be looked at differently.

TDL2's can have it's files and registry entries removed / deleted (correctly), TDL3's this is not the case

TDL3's the infected driver (disk controller) has to be swapped with a clean copy, TDL2's this is not the case

TDL3 Infected drivers detected as "Backdoor.Tidserv!inf"

Quads

Re: TDSSkiller / TDL4

Stu — Wed, 26 May 2010 14:57:44 GMT

Nice work , Quads

Re: TDSSkiller / TDL4

Quads — Mon, 31 May 2010 22:17:24 GMT

TDSSkiller has been updated again

Quads

Re: TDSSkiller / TDL4

Quads — Thu, 03 Jun 2010 02:53:48 GMT

One version on TDSS (Tidserv) creates these entries and fools some removal programs in to thinking a Windows file like "userinit.exe" or "kernel32.dll" is infected when the Windows file seems clean Although it could have tried to infect a driver but failed due to some sort of flaw in the file I got. A bug inside a bug.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name].exe

C:\WINDOWS\system32\ernel32.dll

C:\System Volume Information\_restore{3CE24A12-6763-49ED-BA82-A731C C696DD0}\RP1\A0000056.dll

C:\WINDOWS\system32\spool\prtprocs\w32x86\[random].dll (can be a few created in that folder)

C:\documents and settings\[username]\application data\[random].exe

Scheduler change: Tasks: d:\windows\tasks\mswd-[random].job

DNS Changer

O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-4 9DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-4 9DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-4 9DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

Quads

Re: TDSSkiller / TDL4

mo — Fri, 04 Jun 2010 03:35:09 GMT

Good to know they make mistakes as well...:smileysurprised:

Re: TDSSkiller / TDL4

Quads — Sat, 05 Jun 2010 00:05:25 GMT

I'm not sure is a bug or with someone trying to change things but has left something out of the installer (programming) but this one is to easy for those who can deal to TDL 2, 3, 4 successfully

I got another installer from a Malware researcher I ran the installer and it's the same, with "TDL with a twist".

It's a matter of whether this is like a beta or first build of this change and so will only get better over time.

Quads

Re: TDSSkiller / TDL4

mo — Sat, 05 Jun 2010 00:12:48 GMT

Ok I will sound like a dunce but you meant there was a mistake in the TDL removal software or a mistake/programming error in the TDL itself...sorry if I am a bit slow...:smileywink:

Re: TDSSkiller / TDL4

Quads — Sat, 05 Jun 2010 00:32:00 GMT

A mistake in the TDL, TDSS, Tidserv malware itself.

Quads

Re: TDSSkiller / TDL4

mo — Sun, 06 Jun 2010 06:34:39 GMT

Thanks for making it clearer.Do you think they know it's there and will correct it?

Re: TDSSkiller / TDL4

TracyLCraw — Thu, 10 Jun 2010 17:54:17 GMT

I'm starting to think these things are like unraveling DNA code... :smileyvery-happy:

Re: TDSSkiller / TDL4

mdturner — Thu, 10 Jun 2010 20:06:55 GMT

TracyLCraw wrote:
I'm starting to think these things are like unraveling DNA code... :smileyvery-happy:

Somewhat similar:smileyhappy:

Re: TDSSkiller / TDL4

Quads — Fri, 11 Jun 2010 22:15:53 GMT

Articles on TDL (1,2,3 & unofficial 4) there are other names it's known as.

Has hit number 1

http://www.infoworld.com/t/malware/four-year-old-rootkit-tops-the-charts-pc-threats-791

Pesky rootkit looks like it's getting refined for attacks

Remember Alureon, the pesky rootkit, which hit the Windows enterprise scene in 2006 and absolutely bum rushed some Windows systems earlier this year?

Microsoft does and will for quite some time. The rootkit, which also goes by some of its technical aliases -- TDSS, Zlob and DNSChanger -- has to date infected nearly 2 million Windows systems.

Alureon is the guest of honor rootkit in Microsoft's recently released May Threat Report. Alureon accounted for 18 percent of all malware-infected Windows PCs in May.

This is Alureon's encore performance as the rootkit du jour in the April Threat Report.

Alureon is considered the culprit for the "screen of death," and system crash issues widely reported when users installed Microsoft Security Bulletin MS10-015.

Microsoft Malware Prevention Center staffers Vishal Kapoor and Joe Johnson said there were "several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution."

This means that Alureon is going to be around for a while yet

By Jabulani Leffall

At least it can't beat Quads for PC's that turn up at my door :smileyvery-happy: :smileyvery-happy:

Bring on the next change

Quads

Re: TDSSkiller / TDL4

TracyLCraw — Sun, 13 Jun 2010 19:12:12 GMT

Nice article that you linked to thanks!

Quads to you play detective with this stuff?