TDL3 Rootkit

Discussion in 'Prevx Releases' started by Dark Star 72, Jan 16, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    My router uses a uC linux derivative. uC linux is an embedded OS.
    Sure, you can call it firmware but it is an embedded OS, just as DD-WRT is an embedded OS.
    Which linux distribution is DD-WRT based on?

    Can you telnet into your remote control or set up a secure shell on it?

    What I wrote is not about the security of embedded OS's like DD-WRT. I don't have any experience with DD-WRT because I have never used it.

    TDL 3 and other trojans do not target DD-WRT. They target computers, then devices based on MIPS processors which are running certain versions of embedded linux, in order to gain control over networks. The password is not the main target, but is used to gain access to a device to modify it.
    Once the router is modified, the attacker can drop new malware onto systems at will. When an AV or AM solution discovers the malware, the attacker can remote in to drop a new version. The router is the new malware dropper.
     
  2. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Again this all revolves around getting past the router's password. Which I'm stating is impossible on variants of firmware, simply because the default password will NEVER be default. But yes, in an OPEN environment this can be possible. But 99% of people using this form of firmware will be advanced users, which makes the router even more protected. As they have either already locked it down, or know how to wipe it before it could possibly do any damage. Again there is a chance this could happen but it's so small that it's not even something to worry about.
     
  3. Surearrow

    Surearrow Registered Member

    Joined:
    Jan 23, 2010
    Posts:
    3
    I'm new here, so please forgive me if this has been covered.

    I have a rootkit that Hitman Pro 3.5.4 Build 86, Prevx 3.0.5.50 and a bunch of others fail to get off my system. I don't know if it is from the TDL family but it seems pretty tenacious like one. Hitman Pro and Prevx seem to be the only two who have detected it, but like I said, no program has been able to remove it yet.

    The file is named okrolrdm.sys and is located in the drivers folder in the system32 directory. It's 746 KB (763,904 bytes) in size and it seems alive because when you read the "Last Modified" date in the file browser, it changes before your eyes to the current time; to the minute. The Prevx data sheet calls it a PCIDUMP.SYS rootkit.

    To my shock Prevx failed to get rid of it. After scan-re-boot-scan, re-boot-scan, re-boot-scan, re-boot-scan, the file still stands and spits in Prevx's eye! I even tried the Prevx's Manual File Cleanup tool! It still did not work! All I got was a Windows text pop-up reading, "A device attached to this system is not functioning.", and then I hear this little, tiny laughter coming from my computer screen (joking, no laughter).

    The infected PC is running an up-to-date Vista OS.

    Does this sound like a 3rd generation TDL? Any advice?
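    The symptom described above (a driver whose "Last Modified" time keeps jumping to the current minute) can be turned into a repeatable check. This is an added example, not code from the thread or from Prevx; the drivers path in the main guard and the snapshot values in the comments are assumptions.

```python
"""Flag driver files whose modification time keeps advancing.

Added example (not from the thread): a driver is normally rewritten only
during an update, so one whose mtime moves forward between back-to-back
samples is being touched continuously, which is the symptom reported.
"""
import time
from pathlib import Path


def snapshot(directory, suffix=".sys"):
    """Map each file with the given suffix to (size_bytes, mtime_seconds)."""
    result = {}
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() == suffix:
            st = p.stat()
            result[p.name] = (st.st_size, st.st_mtime)
    return result


def self_refreshing(snapshots):
    """Names whose mtime advanced between every pair of successive snapshots."""
    if len(snapshots) < 2:
        return []
    names = set(snapshots[0])
    for before, after in zip(snapshots, snapshots[1:]):
        names = {n for n in names
                 if n in after and after[n][1] > before[n][1]}
    return sorted(names)


def recently_touched(snap, now=None, window=120):
    """Single-sample variant: files modified within `window` seconds of now."""
    now = time.time() if now is None else now
    return sorted(n for n, (_, mtime) in snap.items() if now - mtime <= window)


def watch(directory, interval=2.0, samples=3):
    """Take `samples` snapshots `interval` seconds apart and evaluate them."""
    snaps = [snapshot(directory)]
    for _ in range(samples - 1):
        time.sleep(interval)
        snaps.append(snapshot(directory))
    return self_refreshing(snaps)


if __name__ == "__main__":
    # Assumed path: on Vista the reported file lived under system32\drivers.
    print(watch(r"C:\Windows\System32\drivers"))
```

    Run it as an administrator so every driver file can be stat'ed; a name that appears in the output on repeated runs is worth submitting to a scanner rather than deleting by hand.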
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Hi Surearrow and welcome to Wilders, Prevx Support Forum!

    Can you try to run Prevx in Safe Mode with Networking to see if that will do the job?

    Just in case you don't know what safe mode is: just reboot and, after seeing the BIOS screen, tap F8 a couple of times, choose Safe Mode with Networking and do a scan with Prevx! And not to worry, as Prevx guarantees clean-up through their support staff!

    HTH,

    TH

    And in case you need support help! http://info.prevx.com/service.asp

    EDIT: Some more info: http://www.threatexpert.com/files/pcidump.sys.html
     
    Last edited: Jan 24, 2010
  5. Surearrow

    Surearrow Registered Member

    Joined:
    Jan 23, 2010
    Posts:
    3
    Thanks Triple Helix!

    Yes, I've tried Prevx in Safe mode and no go! I guess I'll wait up to 2 days to get this solved via the support team.

    I was hoping someone in the forum here maybe had experienced something similar or had knowledge of this, so I could solve this as quickly as possible without having to expose my computer and all my files to any further danger.

    "Urgent" is the operative word that fits my situation right now.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Surearrow

    Sure sounds like rootkit symptoms, and quite possibly TDL. Whatever it is you need to get rid of it fast.

    Here's some info which could help.

    How to remove malware belonging to the family Rootkit.Win32.TDSS

    It is possible to disinfect a system infected with malware of the family Rootkit.Win32.TDSS using the utility TDSSKiller.exe.

    An infection can be detected with the utility Gmer. It detects replacement of a "device" object of the system driver.

    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Rootkit TDL 3

    http://forum.sysinternals.com/forum_posts.asp?TID=21266&PN=14

    RootRepeal + IceSword are also listed in there, which I can vouch for, along with Gmer, as very useful tools.

    Autoruns

    See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

    http://technet.microsoft.com/en-gb/sysinternals/bb795533.aspx

    Autoruns should enable you to see that .SYS driver and disable it. But before you do, if you can, copy it, save it and upload it to http://www.virustotal.com to get multiple AV opinions on it. Also a trick which can work is to create a new notepad .TXT file and then rename it with the same name as that .SYS, including the .SYS extension, and boot into safe mode. Then try and delete the malware .SYS and replace it with the fake one. Reboot and see what happens. This is obviously a short-term fix, but worth trying in the meantime if all else fails. You can often use this trick with other files such as .EXE, .DLL etc.

    Other solutions worth trying are these.

    Malwarebytes http://www.malwarebytes.org

    SuperAntiSpyware http://www.superantispyware.com
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Sorry to hear it didn't work. I think it's best to let their professional staff get this malware completely off your system; also it's nice to see them in action, even though it's the weekend and you might have to wait! http://www.prevx.com/filenames/X287890823571963381-X1/PCIDUMP.SYS.html

    In the meantime do another scan, save it and send it to report@prevxresearch.com with the link to the thread!

    TH
     
    Last edited: Jan 24, 2010
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello Surearrow,
    This definitely sounds like some new version of TDL, although I haven't heard of it affecting PCIDUMP.SYS yet.

    If you could try sending a scan log to us at report@prevxresearch.com as Triple Helix suggested, I think that would be a good first step. If we can't correct it from there, could you try writing into our tech support inbox from http://www.prevx.com/support and create a support ticket there for one of our engineers to assist you?

    When you do that, please send me a PM here of your email address (or from the email you send with the scan log :)) and I'll be sure to get all of the relevant information over to our support technician who will be assisting you.

    I'm sure we'll get this solved very quickly for you! :) Thanks for your patience!
     
  9. Surearrow

    Surearrow Registered Member

    Joined:
    Jan 23, 2010
    Posts:
    3
    Thanks everyone for your help, and I will take your advice and let the Prevx support team work on it first (via remote).

    In the meantime, as a safe back-up plan, I would like to continue to explore further removal scenarios here in this forum.

    I would like to tap into the brain power and vast experience this forum provides.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    You can start with reading of this thread and the links there! https://www.wilderssecurity.com/showthread.php?p=1538690#post1538690

    HTH,

    TH

    EDIT: And please report back with your experience with Prevx support! Thanks!
     
    Last edited: Jan 25, 2010
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It does not look like you have a TDL3 infection but some other one. I am very curious what this might be. Could you expand the row in Hitman Pro to see which partners identified the driver? Prevx should of course be listed, but there might be others, and they might have given a name to the infection.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    TDL updated to 3.24
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    pmed erikloman
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    even 3.241 o_O :)
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    yes I think I posted that

    (check dates - hot samples)

    tdlcmd.dll updated :)

    edit: new hot sample tdlcmd.dll updated again.
     
    Last edited: Feb 11, 2010
  16. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Hi Marco,

    Prevx will block all new variants of TDL correct? Cleaning is a different issue isn't it?

    TIA,

    TH
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Correct - there is nothing difficult about blocking TDL3. Cleanup is more difficult, however, which is why we're still taking the approach of having our users write into our customer support inbox if they encounter an issue of not being able to clean properly. We have a tool which we are keeping internal for now which fully cleans TDL3 (we haven't yet found a need to release it publicly and make the cat and mouse game progress faster :))
     
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Update

    3.25
     
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    pm erik : you know where
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy