detection of TDL3 rootkit
Habakuck
November 22nd, 2009, 04:10 AM
Hey Joe.
Is PrevX able to detect (not the dropper but the rootkit!) AND to clean this rootkit?
I am working as a Malware Removal Assistant for a German AntiMalware board.
We saw several infections over the last month with this brand new rootkit variant.
This variant has backdoor and elaborate rootkit functionality and is very dangerous.
The important thing is that it will always send a valid file or checksum if you try to upload or copy it!
The rootkit is called TDL3 and is described here: http://www.rootkit.com/newsread.php?newsid=979
You can use Combofix with the installed recovery console to fix this infection, but I would advise you to fix it manually because CF can cause heavy damage to the system if anything goes wrong with restoring the system files via the recovery console.
Other AntiVirus vendors are helpless in cleaning because they need the original Windows files to replace the infected drivers.
I think it should be possible for PrevX to provide the cleaning module with the original files because you could grab them from your server. Am I right or terribly wrong?
rolarocka
November 22nd, 2009, 05:09 AM
Isn't it this?
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
Habakuck
November 22nd, 2009, 05:18 AM
Yes you are right.
But I wonder how PrevX cleans this up. That would be very interesting to hear.
Triple Helix
November 22nd, 2009, 02:36 PM
-{ Quote: "Yes you are right.
But I wonder how PrevX cleans this up. That would be very interesting to hear." }-
From that article:
-{ Quote: "Despite the complexity of the infection we are able to detect and clean the infection and we will update Prevx with appropriate detection and cleanup routines. In the meanwhile, every Prevx customer who has been affected by this infection can contact our technical support who will remove the infection by remote assistance." }-
TH
Habakuck
November 22nd, 2009, 03:00 PM
Thank you Helix.
I read that article but maybe my English is too bad to get that right...
They say that they are able to detect and clean the infection but will update PrevX to do a better cleanup?
What?
Are they able to detect AND clean up the infection or not??
Because if PrevX is able to delete the atapi.sys (for example) without replacing the infected file with a fresh one, the computer won't boot anymore.
Triple Helix
November 22nd, 2009, 03:03 PM
-{ Quote: "Thank you Helix.
I read that article but maybe my English is too bad to get that right...
They say that they are able to detect and clean the infection but will update PrevX to do a better cleanup?
What?
Are they able to detect AND clean up the infection or not??
Because if PrevX is able to delete the atapi.sys (for example) without replacing the infected file with a fresh one, the computer won't boot anymore." }-
Again:
-{ Quote: "In the meanwhile, every Prevx customer who has been affected by this infection can contact our technical support who will remove the infection by remote assistance. " }-
TH
Triple Helix
November 22nd, 2009, 03:10 PM
So I get from that article that Prevx can detect it if you try to run the infected file and will block it, but if you are already heavily infected then support will help you clean it properly!
TH
Habakuck
November 22nd, 2009, 05:02 PM
Ah OK. Thank you for clarification!
So it detects the dropper but not the rootkit. Dammit. That's not what I hoped to hear.
erikloman
November 22nd, 2009, 05:40 PM
With Hitman Pro 3.5 we saw that every time you infect a system, the driver is infected differently.
In our multi-vendor cloud we saw that Prevx was the only one to detect each and every variant, whereas NOD32 was the only other vendor that detected some of the infected drivers.
That means that Prevx has a much better signature on TDL3 than the other vendors :thumb:
Baz_kasp
November 22nd, 2009, 07:21 PM
-{ Quote: "With Hitman Pro 3.5 we saw that every time you infect a system, the driver is infected differently.
In our multi-vendor cloud we saw that Prevx was the only one to detect each and every variant, whereas NOD32 was the only other vendor that detected some of the infected drivers.
That means that Prevx has a much better signature on TDL3 than the other vendors :thumb:" }-
Actually it's not about the signature. I have access to some relatively fresh TDL3 droppers and I can see that some vendors have a "signature" for patched files..... but when I tested whether these vendors can actually scan and clean this file on an actively infected system, it was a completely different story. Most normal AVs can't even SEE the infected file, let alone clean it!
I know that Prevx and Kaspersky for sure have updates to their products to provide cleaning and disinfection of this nasty rootkit for actively infected systems.
horseman
November 23rd, 2009, 02:06 AM
I know PX are working on this and I've got my son's suspect PC quarantined until I can physically access it later this week.
I've been apparently receiving regular warning emails since the 15th but regrettably didn't access these till recently. Normally with his gaming/unhygienic web habits PX adequately blocks/cleans the usual crud, and the inevitable FPs (from the aggressive configuration I set) are subsequently corrected "in the cloud", typically before I get time to check these myself within the 24hrs I normally respond with.
This particular variant seems perversely more difficult to "unhook" via a remote session (at least with my limited/geriatric abilities)..... so......
While I appreciate the PX3-paws/cloud db will auto update and eventually (hopefully) provide local disinfection, it would be useful to get a "heads-up" from Joe (if nothing else but to avoid me sloshing a mile thru the rain/floods we're currently enjoying)!
.....and thanks to anyone who might be about to remind me of the "SMS"/text option that is also available via MyPrevx! ;)
Habakuck
November 23rd, 2009, 02:39 AM
-{ Quote: "Actually it's not about the signature. I have access to some relatively fresh TDL3 droppers and I can see that some vendors have a "signature" for patched files..... but when I tested whether these vendors can actually scan and clean this file on an actively infected system, it was a completely different story. Most normal AVs can't even SEE the infected file, let alone clean it!
I know that Prevx and Kaspersky for sure have updates to their products to provide cleaning and disinfection of this nasty rootkit for actively infected systems." }-
I am not talking about the dropper detection, as I said before! I am talking about the rootkit detection.
Baz_kasp
November 23rd, 2009, 04:47 AM
-{ Quote: "I am not talking about the dropper detection, as I said before! I am talking about the rootkit detection." }-
...I was talking about the rootkit detection.
The dropper is irrelevant; it is the patched system files that count.
My point is that an AV can have a signature for a patched system file....but it's a whole different ball game whether it can detect it, because on an actively infected system most AVs currently cannot "see" the infection...because TDL redirects disk access to the infected files in order to show a "clean" version. PX can, for sure.
trjam
November 23rd, 2009, 06:02 AM
thanks Baz
EraserHW
November 23rd, 2009, 06:43 AM
We are developing the needed detection and cleanup for this infection. The current live version of Prevx is not able to detect the rootkit infection active on the system (it could sometimes alert because of tdlcmd.dll and tdlwsp.dll, which are some signs of the running infection), but we've developed a private tool we are testing to detect and remove the infection and it's actually working well.
This is why our customers that report signs of the infection can contact our customer support, who will fix the infection remotely. When fully tested, it'll be implemented in Prevx.
EraserHW
November 23rd, 2009, 06:45 AM
-{ Quote: "I know that Prevx and Kaspersky for sure have updates to their products to provide cleaning and disinfection of this nasty rootkit for actively infected systems." }-
I tried the Kaspersky TDSS removal tool against one of the latest TDSS versions and it looks blind.
Habakuck
November 23rd, 2009, 06:53 AM
-{ Quote: "We are developing the needed detection and cleanup for this infection. The current live version of Prevx is not able to detect the rootkit infection active on the system (it could sometimes alert because of tdlcmd.dll and tdlwsp.dll, which are some signs of the running infection), but we've developed a private tool we are testing to detect and remove the infection and it's actually working well.
This is why our customers that report signs of the infection can contact our customer support, who will fix the infection remotely. When fully tested, it'll be implemented in Prevx." }-
Thank you Eraser for clarification!
Is it possible to get the tool stand-alone?
The TDSSKiller.exe version 1.5 is blind against TDL3.
But the TDSSKiller.exe version 2.0 (beta) works fine against TDL3. ;)
EraserHW
November 23rd, 2009, 07:20 AM
-{ Quote: "Thank you Eraser for clarification!
Is it possible to get the tool stand-alone?
The TDSSKiller.exe version 1.5 is blind against TDL3.
But the TDSSKiller.exe version 2.0 (beta) works fine against TDL3. ;)" }-
Check out the attached image :) (The system is infected, of course.)
Habakuck
November 23rd, 2009, 07:26 AM
Hm, that is too bad! >:(
Baz_kasp
November 23rd, 2009, 11:20 AM
-{ Quote: "I tried the Kaspersky TDSS removal tool against one of the latest TDSS versions and it looks blind." }-
KIS knows it; an updated ARK module is currently being tested....the TDSSKiller tool should be updated soon...I sent some dumps to the developers.
The install also triggers PDM and HIPS heuristics.
Baz_kasp
November 23rd, 2009, 11:23 AM
-{ Quote: "We are developing the needed detection and cleanup for this infection. The current live version of Prevx is not able to detect the rootkit infection active on the system (it could sometimes alert because of tdlcmd.dll and tdlwsp.dll, which are some signs of the running infection), but we've developed a private tool we are testing to detect and remove the infection and it's actually working well.
This is why our customers that report signs of the infection can contact our customer support, who will fix the infection remotely. When fully tested, it'll be implemented in Prevx." }-
Hmm..PX is reporting that atapi.sys is infected on this system where TDSS is live (other scanners have a signature for atapi but can't see it's modified)... sure it isn't already removing this shiz?
EraserHW
November 23rd, 2009, 11:54 AM
-{ Quote: "Hmm..PX is reporting that atapi.sys is infected on this system where TDSS is live (other scanners have a signature for atapi but can't see it's modified)... sure it isn't already removing this shiz?" }-
Yes, sometimes it happens, but it shouldn't be able to fully remove the infection.
EraserHW
November 23rd, 2009, 11:56 AM
-{ Quote: "The install also triggers PDM and HIPS heuristics." }-
Definitely true. It's all but a noiseless installation :)
Dark Star 72
November 23rd, 2009, 12:13 PM
-{ Quote: "It's all but a noiseless installation :)" }-
Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install?
And would Sandboxie have contained it?
Baz_kasp
November 23rd, 2009, 12:21 PM
-{ Quote: "Definitely true. It's all but a noiseless installation :)" }-
Mine came with fakeav ;D
I did put files from this computer at MR and sent to Mike if you want to have a look at it.
EraserHW
November 23rd, 2009, 01:27 PM
-{ Quote: "Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install?
And would Sandboxie have contained it?" }-
Definitely yes. The dropper needs administrator privileges to install the rootkit.
Longboard
November 24th, 2009, 12:09 AM
-{ Quote: "When the infected driver runs, it executes the 824 bytes loader which then runs the kernel mode component of the infection. It creates a fake driver object, its relative device object, and hijacks every disk I/O communication at the level of the driver's chain where the infected driver was located (i.e. infected driver could be atapi.sys, or iastor.sys)." }-
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
-{ Quote: "Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install" }-
That is a good question...
Is that a pointer to (re)introduce some granular controls; "Driver protection"?
Shouldn't PrevX be better than UAC??
If there is no visible executable: ?? then the zero-day 'hole' in the cloud has been redefined and exploited.
Hey Marco: good to see you're still part of the team: making more enemies on a grand scale (taking out the bad guys again) :thumb: ;D
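The quoted article's description of the hijacked driver chain, and Baz_kasp's earlier point that most AVs cannot "see" the patched driver because TDL serves a clean copy, come down to a cross-view problem: the same file looks different depending on which read path you use. The Python model below is an added example, not code from Prevx or from anyone in this thread; the driver bytes, the bad-hash list and the HijackedDiskStack class are constructed for illustration only.

```python
import hashlib

# Constructed sample data: a "clean" driver image and a patched copy of it.
# Both blobs are made up for this example; they are not real atapi.sys bytes.
CLEAN_ATAPI = b"MZ\x90\x00" + b"\x00" * 60 + b"clean atapi.sys body"
PATCHED_ATAPI = CLEAN_ATAPI[:48] + b"<loader stub>" + CLEAN_ATAPI[61:]


class HijackedDiskStack:
    """Toy model of an infected driver chain (hypothetical, for illustration).

    sectors: path -> bytes really stored on disk.
    hidden:  path -> bytes the hooked device object hands back instead,
             so callers going through the normal I/O path see a clean file.
    """

    def __init__(self, sectors, hidden):
        self.sectors = dict(sectors)
        self.hidden = dict(hidden)

    def read_via_filesystem(self, path):
        # What a file-based scan gets: the redirected (clean-looking) content.
        return self.hidden.get(path, self.sectors[path])

    def read_raw_sectors(self, path):
        # What a scanner that parses the disk itself, below the hooked
        # chain, gets: the bytes actually stored on the medium.
        return self.sectors[path]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_scan(stack, path, bad_hashes):
    """Signature-only check through the normal I/O path. On a live
    infection it is blind, because it never sees the patched bytes."""
    return sha256(stack.read_via_filesystem(path)) in bad_hashes


def cross_view_scan(stack, path):
    """Cross-view check: flag any file whose content differs between the
    two read paths. Needs no signature for the specific patched variant."""
    return sha256(stack.read_via_filesystem(path)) != sha256(stack.read_raw_sectors(path))
```

A real cross-view scanner has to read the medium below the hooked device object (its own disk and file-system parser), which is the hard part this model leaves out.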
EraserHW
November 24th, 2009, 03:43 AM
-{ Quote: "http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
That is a good question...
Is that a pointer to (re)introduce some granular controls; "Driver protection"?
Shouldn't PrevX be better than UAC??
If there is no visible executable: ?? then the zero-day 'hole' in the cloud has been redefined and exploited.
Hey Marco: good to see you're still part of the team: making more enemies on a grand scale (taking out the bad guys again) :thumb: ;D" }-
Hi :)
Prevx and UAC are two totally different things: Prevx is security software, UAC is a Windows feature used to limit administrator privileges to just specific user-chosen applications. They can obviously coexist and I would never disable UAC on my system.
There's a visible executable: it's the dropper used to install the rootkit into the system, and it can be detected and blocked.
Habakuck
November 24th, 2009, 09:09 AM
I have one question Marco:
I am running PrevX with all settings at maximum. Will that prevent any TDL3 dropper from installing the rootkit?
Longboard
November 24th, 2009, 09:12 AM
-{ Quote: "Prevx and UAC are two totally different things: Prevx is security software, UAC is a Windows feature used to limit administrator privileges" }-
Ya got that, but as to "better": shouldn't Prevx be acting against every unknown file, with UAC on or off?
Hopefully this is not just semantics: even if 'UAC > allow' is clicked, or running with Admin privileges, PrevX will stop some unknown??
Why not include some more granular user-initiated actions for detection of unknowns and/or blocking exes and/or 'phone homes'??
Regards
Copyright ©2002 - 2012, Wilders Security Forums