Wilders Security Forums > Security Products > other anti-virus software
#1  November 30th, 2009, 11:27 AM
erikloman (Developer)
Latest update of Hitman Pro removes TDL3 rootkit

The TDL3 rootkit is currently a large issue for nearly all anti-virus programs.
Hitman Pro 3.5 build 79 is able to detect and remove the TDL3 rootkit.

More information:

Hitman Pro: http://www.surfright.nl/en/home/pres...s-tdl3-rootkit

Prevx: http://www.prevx.com/blog/139/Tdss-r...s-the-net.html

Remove malware.com: http://remove-malware.com/malware/ma...hes-atapi-sys/

Technical information: http://rootbiez.blogspot.com/2009/11...-lets-put.html
#2  November 30th, 2009, 11:48 AM
Anar (Infrequent Poster)

Well ... besides the fact that you don't detect all variants I have access to, cleaning an infection results in a nice BSOD loop on boot ... my guess is that it's because you deleted my (infected) disk driver:

[attached screenshot: Windows XP Professional-2009-11-30-17-45-23.png]
#3  November 30th, 2009, 12:01 PM
markloman (Developer)

Quote:
Originally Posted by Anar
Well ... besides the fact that you don't detect all variants I have access to, cleaning an infection results in a nice BSOD loop on boot ... my guess is that it's because you deleted my (infected) disk driver:
Thanks for posting. What specific driver are you referring to? It can't be a standard Windows driver (like atapi.sys), since Hitman Pro does *not* remove files that are protected by e.g. Windows File Protection (WFP). Instead, it uses a new technique to 'replace' the infected file with a clean and safe version (that was e.g. still on the system). If a safe file was not found, the infection remains (Hitman Pro doesn't make any changes).
Anyway, could you provide some details about the infected system (especially the driver file that was infected by TDSS/Alureon)?

Last edited by markloman : November 30th, 2009 at 12:09 PM.
#4  November 30th, 2009, 12:24 PM
Baz_kasp (Frequent Poster)

Quote:
Originally Posted by erikloman
The TDL3 rootkit is currently a large issue for nearly all anti-virus programs.
Hitman Pro 3.5 build 79 is able to detect and remove the TDL3 rootkit.

More information:

Hitman Pro: http://www.surfright.nl/en/home/pres...s-tdl3-rootkit

Prevx: http://www.prevx.com/blog/139/Tdss-r...s-the-net.html

Remove malware.com: http://remove-malware.com/malware/ma...hes-atapi-sys/

Technical information: http://rootbiez.blogspot.com/2009/11...-lets-put.html

Dr. Web CureIT already detects and cures TDL3, and Kaspersky has defs (which also disinfect and cure) in public testing before general release too: http://forum.kaspersky.com/index.php?showtopic=147016
#5  November 30th, 2009, 12:27 PM
Anar (Infrequent Poster)

No, it isn't a standard disk driver and is therefore not protected by WFP. It's the one installed by VMware (vmscsi.sys). You may want to rethink your cleaning process, since I have seen various other TDL3-infected drivers that don't belong to Windows as well.
#6  November 30th, 2009, 12:29 PM
Baz_kasp (Frequent Poster)

Quote:
Originally Posted by Anar
No, it isn't a standard disk driver and is therefore not protected by WFP. It's the one installed by VMware (vmscsi.sys). You may want to rethink your cleaning process, since I have seen various other TDL3-infected drivers that don't belong to Windows as well.

Well, what is the chance that real people are going to be using VMs ... or bothering to disinfect "infected" ones ... rolling back to the last snapshot is probably a lot more pain-free and easier. VMs often behave differently to a physical computer.
#7  November 30th, 2009, 12:58 PM
erikloman (Developer)

Quote:
Originally Posted by Anar
No, it isn't a standard disk driver and is therefore not protected by WFP. It's the one installed by VMware (vmscsi.sys). You may want to rethink your cleaning process, since I have seen various other TDL3-infected drivers that don't belong to Windows as well.
The statement about whether the file must belong to WFP is not entirely true. When the pre-infected driver is signed, it is also not deleted but queued for replacement by a white driver. If a replacement cannot be found (either from disk or the Windows CD), the infection remains.

I am curious though why the driver was deleted in your VMware session (assuming it was deleted). Over the past weekend we have detected well over 450 infections and none of them resulted in a BSOD.

Perhaps you have a different variant of TDL3? Can you please send the dropper to erik (at] surfright [dot) nl ?
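The replace-rather-than-delete rule that Mark and Erik describe in posts #3 and #7, as an added example in Python that is not Hitman Pro's code: the live driver is hashed and compared against an allowlist of known-good hashes, swapped for a candidate copy only when that copy itself verifies as clean, and otherwise left in place and reported, never deleted, since deleting a boot-start disk driver is exactly what produces the BSOD loop reported earlier in the thread. Every path, file body and hash below is constructed for the demo; a real tool would take its candidate copies from the WFP dllcache, driver.cab on the install CD or the vendor package, and verify them by Authenticode signature or catalog rather than a hand-built hash set.

```python
"""
Added example (not Hitman Pro's code): the remediation rule this thread
describes for a disk driver a rootkit such as TDL3 has patched.
  - never delete a boot-critical driver;
  - replace it only with a copy that verifies as clean;
  - otherwise leave the infection in place and report it.
Every path, file body and hash below is constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream the file so large drivers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def remediate_driver(driver_path, candidate_copies, known_good_hashes):
    """
    Returns ("clean", None)    if the live driver already matches a known-good hash,
            ("replaced", src)  if a verified clean copy was found and swapped in,
            ("left", None)     if the driver is bad but no verified copy exists.
    In no case does the function leave the system without a driver file.
    """
    if sha256_of(driver_path) in known_good_hashes:
        return ("clean", None)
    for src in candidate_copies:
        # A cached copy is not automatically trustworthy: it must verify,
        # not merely exist, before it is allowed to overwrite the live file.
        if os.path.isfile(src) and sha256_of(src) in known_good_hashes:
            staged = driver_path + ".new"
            shutil.copyfile(src, staged)
            os.replace(staged, driver_path)  # atomic rename on the same volume
            return ("replaced", src)
    return ("left", None)  # infected, nothing trustworthy to put in its place


def demo():
    """Constructed layout: patched atapi.sys, a patched cache copy, one good OEM copy."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, "system32", "drivers")
    dllcache = os.path.join(root, "system32", "dllcache")
    oem = os.path.join(root, "oem")
    for d in (drivers, dllcache, oem):
        os.makedirs(d)

    clean = b"MZ\x90\x00 constructed clean atapi.sys body"
    patched = clean[:8] + b"TDL3 patch" + clean[18:]   # same length, different bytes
    known_good = {hashlib.sha256(clean).hexdigest()}

    live = os.path.join(drivers, "atapi.sys")
    for path, body in ((live, patched),
                       (os.path.join(dllcache, "atapi.sys"), patched),  # cache also hit
                       (os.path.join(oem, "atapi.sys"), clean)):
        with open(path, "wb") as f:
            f.write(body)
    candidates = [os.path.join(dllcache, "atapi.sys"), os.path.join(oem, "atapi.sys")]

    results = {
        "first_pass": remediate_driver(live, candidates, known_good)[0],
        "second_pass": remediate_driver(live, candidates, known_good)[0],
    }

    # Third-party driver with no clean copy anywhere: must be left, not deleted.
    iastor = os.path.join(drivers, "iaStor.sys")
    with open(iastor, "wb") as f:
        f.write(b"constructed patched iaStor.sys")
    results["iastor"] = remediate_driver(
        iastor, [os.path.join(dllcache, "iaStor.sys")], known_good)[0]
    results["iastor_still_present"] = os.path.isfile(iastor)

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The second pass on atapi.sys comes back "clean" because the first pass installed a verified copy, while iaStor.sys, for which the only candidate does not exist, is reported as "left" and is still on disk afterwards; that last assertion is the whole point of the rule.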
#8  November 30th, 2009, 01:21 PM
Anar (Infrequent Poster)

Quote:
Originally Posted by erikloman
The statement about whether the file must belong to WFP is not entirely true. When the pre-infected driver is signed, it is also not deleted but queued for replacement by a white driver.
For a more real-life example ... Hitman just "removed" iaStor.sys (Intel Storage Driver) on my physical test box that got infected by TDL3. The result is again a BSOD on boot.

I just sent you the infected drivers as well as the dropper by mail.

Last edited by Anar : November 30th, 2009 at 01:33 PM.
#9  November 30th, 2009, 01:53 PM
Sjoeii (Very Frequent Poster)

Over here it is also tracking Hookcentre.sys.
#10  December 1st, 2009, 12:08 PM
markloman (Developer)

We have updated Hitman Pro 3.5 to build 80. It will now also handle TDL3 infections on systems with non-standard third-party disk drivers. Here are the release notes:

Build 80 (2009-12-01)
  • Fixed a problem removing TDL3 rootkit infection from systems with specific third-party drivers.
  • As of build 79, Hitman Pro is digitally signed with a new Microsoft Authenticode certificate.
#11  December 1st, 2009, 12:59 PM
Dundertaker (Frequent Poster)

Hi;

HitmanPro Build 79 did not update to Build 80. It scanned and is still with "Build 79". When will the update be available?

Regards!
#12  December 1st, 2009, 01:10 PM
erikloman (Developer)

Quote:
Originally Posted by Dundertaker
Hi;

HitmanPro Build 79 did not update to Build 80. It scanned and is still with "Build 79". When will the update be available?

Regards!
If the automatic update fails you can always download the latest version here: www.hitmanpro.com/downloads

Although I am curious as to why your version did not update. The update procedure should start when the splash window appears. A progress bar should indicate the download of the update. What part of this does not occur on your PC?
#13  December 1st, 2009, 03:18 PM
Anar (Infrequent Poster)

I can confirm that build 80 handles infections of third-party disk drivers correctly now. Thanks for the fix.
#14  December 1st, 2009, 03:23 PM
LagerX (Frequent Poster)

Quote:
Originally Posted by Anar
I can confirm that build 80 handles infections of third-party disk drivers correctly now. Thanks for the fix.

Great to hear that!
Well done, Hitman Pro team!
#15  December 1st, 2009, 03:28 PM
Edwin024 (Frequent Poster)

When I go to the link that Erik put here I see version 79, not 80...
#16  December 1st, 2009, 03:53 PM
erikloman (Developer)

Quote:
Originally Posted by Edwin024
When I go to the link that Erik put here I see version 79, not 80...
Oops, forgot to update the page on the website. The download always points to the latest build though, even if the web page states an older version.
#17  December 1st, 2009, 03:54 PM
LagerX (Frequent Poster)

Quote:
Originally Posted by Edwin024
When I go to the link that Erik put here I see version 79, not 80...

I see build 80:
http://www.surfright.nl/en/hitmanpro
Maybe this is a better link ^^
#18  December 1st, 2009, 05:01 PM
Edwin024 (Frequent Poster)

There is no 64-bit version of .80? It still downloads the 78 version, even when I see that .80 is announced on the page...
#19  December 1st, 2009, 05:19 PM
erikloman (Developer)

Quote:
Originally Posted by Edwin024
There is no 64-bit version of .80? It still downloads the 78 version, even when I see that .80 is announced on the page...
x64 release is November December 4th.

Last edited by erikloman : December 1st, 2009 at 05:51 PM.
#20  December 1st, 2009, 05:23 PM
Edwin024 (Frequent Poster)

So we have to wait almost a year? I guess you meant December.
#21  December 1st, 2009, 07:05 PM
Saraceno (Very Frequent Poster)

Great work to Anar with the testing and follow-up, and Erik and team for keeping a cool head with the program update.
#22  January 15th, 2010, 06:14 PM
erikloman (Developer)

Hitman Pro build 85 now removes TDL3.22 (also known as TDL3+).

The TDL3 rootkit infects the hard disk driver, usually atapi.sys or iastor.sys, so that it is loaded when Windows boots.

Whereas Dr.Web and TDSSKiller successfully removed previous versions of TDL3, only Hitman Pro build 85 is currently able to remove the newer TDL3.22.

You can PM if you are interested in a sample.
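Because the rootkit rides a boot-start disk driver (atapi.sys or iastor.sys in post #22, vmscsi.sys earlier in the thread), the first question on a suspect box is which drivers load at that stage and from which files. The following is an added Python example, not something from the thread or from Hitman Pro: it parses a `reg export` of HKLM\SYSTEM\CurrentControlSet\Services and lists the boot-start kernel drivers, then narrows to the storage load-order groups a TDL3-style infection sits in. The export text is constructed inline (including the hex(2) encoding and backslash line wrapping reg.exe uses for REG_EXPAND_SZ values); the group names and the default image path used when ImagePath is absent are assumptions matching a standard Windows XP layout.

```python
"""
Added example (not from the thread or from Hitman Pro): find the boot-start
drivers in a Windows services hive export. A rootkit that patches the disk
driver (atapi.sys, iaStor.sys, vmscsi.sys in this thread) is loaded through
one of these entries, so they are the files to verify first. The export text
is constructed below; on a real machine it comes from
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
Group names and the default image path are assumptions matching Windows XP.
"""
import re

# Assumed: the load-order groups that hold boot-time storage drivers.
STORAGE_GROUPS = {"SCSI miniport", "SCSI Class", "Boot Bus Extender", "System Bus Extender"}

KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]", re.I)


def reg_expand_sz(s):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: hex(2): plus UTF-16LE
    bytes with a terminating NUL, wrapped onto continuation lines with a backslash."""
    hexbytes = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    chunks = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)


def make_service(name, start, typ, group=None, image=None):
    """Build one service key in .reg syntax (constructed data for the demo)."""
    lines = [f"[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{name}]",
             f'"Type"=dword:{typ:08x}',
             f'"Start"=dword:{start:08x}']
    if group:
        lines.append(f'"Group"="{group}"')
    if image:
        lines.append(f'"ImagePath"={reg_expand_sz(image)}')
    return "\n".join(lines) + "\n"


# Constructed export: three storage drivers, a file-system driver, the network
# stack and a user-mode service, to show what the filter keeps and drops.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "\n".join([
    make_service("atapi", 0, 1, "SCSI miniport", r"system32\DRIVERS\atapi.sys"),
    make_service("iaStor", 0, 1, "SCSI miniport", r"system32\drivers\iaStor.sys"),
    make_service("disk", 0, 1, "SCSI Class", r"system32\DRIVERS\disk.sys"),
    make_service("Ntfs", 1, 2, "File System"),
    make_service("Tcpip", 1, 1, "PNP_TDI", r"system32\DRIVERS\tcpip.sys"),
    make_service("Dhcp", 2, 0x20, "TDI", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
])


def parse_services(reg_text):
    """Minimal .reg parser: dword, hex(2) and quoted-string values under each service key."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)   # join wrapped hex lines
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)   # only direct children of Services, not e.g. ...\atapi\Enum
            current = services.setdefault(m.group(1), {"name": m.group(1)}) if m else None
            continue
        if current is None or not line.startswith('"'):
            continue
        name, _, value = line[1:].partition('"=')
        if value.startswith("dword:"):
            current[name] = int(value[6:], 16)
        elif value.startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in value[7:].split(",") if b)
            current[name] = raw.decode("utf-16-le").rstrip("\0")
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            current[name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return services


def boot_start_drivers(services):
    """Kernel drivers (Type 1) and file-system drivers (Type 2) with Start 0,
    i.e. loaded by the boot loader before the kernel's own driver loading."""
    out = []
    for s in services.values():
        if s.get("Start") == 0 and s.get("Type") in (1, 2):
            # Assumed default when ImagePath is absent: System32\Drivers\<name>.sys
            image = s.get("ImagePath") or "system32\\drivers\\" + s["name"] + ".sys"
            out.append((s["name"], s.get("Group", ""), image))
    return sorted(out)


def storage_boot_drivers(services):
    """The subset a TDL3-style infection would ride: boot-start storage drivers."""
    return [d for d in boot_start_drivers(services) if d[1] in STORAGE_GROUPS]


if __name__ == "__main__":
    for name, group, image in storage_boot_drivers(parse_services(SAMPLE_REG)):
        print(f"{name:10} {group:15} {image}")
```

The image paths this returns are the files to hash or signature-check against a known-good copy; Ntfs and Tcpip drop out because they are system-start rather than boot-start, and the user-mode service drops out on its Type. The default-path branch matters in practice because many OEM storage drivers register without an ImagePath at all.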
#23  January 15th, 2010, 07:18 PM
EliteKiller (Very Frequent Poster)

I worked on a pc earlier this afternoon that had the new TDL3+ rootkit. HMP detected the infected atapi.sys and replaced it with a clean copy on reboot.
#24  January 15th, 2010, 07:26 PM
PC__Gamer (Frequent Poster)

Quote:
Originally Posted by erikloman
Hitman Pro build 85 now removes TDL3.22 (also known as TDL3+).

The TDL3 rootkit infects the hard disk driver, usually atapi.sys or iastor.sys, so that it is loaded when Windows boots.

Whereas Dr.Web and TDSSKiller successfully removed previous versions of TDL3, only Hitman Pro build 85 is currently able to remove the newer TDL3.22.

You can PM if you are interested in a sample.
Erik, Dr.Web's beta has been able to remove all versions of TDL3 for some time, including the new versions; their support told me it will be released in an update to everyone (non-beta) in the next week or so.

http://www.wilderssecurity.com/showp...&postcount=836
#25  January 15th, 2010, 07:32 PM
Meriadoc (Very Frequent Poster)

Quote:
TDL3.22 (also known as TDL3+)
Newer version out.