detection of TDL3 rootkit

EraserHW · Nov 23, 2009

Dark Star 72 said:

Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install?
And would Sandboxie have contained it?
Click to expand...

Definitely yes. Dropper needs administrator privileges to install the rootkit

Longboard · Nov 24, 2009

When the infected driver runs, it executes the 824 bytes loader which then runs the kernel mode component of the infection. It creates a fake driver object, its relative device object, and hijacks every disk I/O communication at the level of drivers's chain where the infected driver was located (i.e. infected driver could be atapi.sys, or iastor.sys).
Click to expand...

http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install
Click to expand...

That is a good question...

Is that a pointer to (re)introduce some granular controls; "Driver protection" ?.

Shouldn't PrevX be better than UAC ??

If there is no visible executable: ?? then the zeroday 'hole' in the cloud has been redefined and exploited.

Hey Marco: good to see you're still part of the team: making more enemies on a grand scale (taking out the bad guys again)

EraserHW · Nov 24, 2009

Longboard said:

http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
That is a good question...

Is that a pointer to (re)introduce some granular controls; "Driver protection" ?.

Shouldn't PrevX be better than UAC ??

If there is no visible executable: ?? then the zeroday 'hole' in the cloud has been redefined and exploited.

Hey Marco: good to see you're still part of the team: making more enemies on a grand scale (taking out the bad guys again)
Click to expand...

Hi

Prevx and UAC are two totally different things: Prevx is a security software, UAC is a Windows feature used to limit administrator privileges to just specific user choosed applications. They can obviously coexist and I would never disable UAC in my system.

There's a visible executable: it's the dropper used to install the rootkit into the system, and it can be detected and blocked.

Habakuck · Nov 24, 2009

I have one question Marco:

I am running PrevX with all settings at maximum. Will that provide any TDL3 dropper from installing the rootkit?

Longboard · Nov 24, 2009

Prevx and UAC are two totally different things: Prevx is a security software, UAC is a Windows feature used to limit administrator privileges
Click to expand...

Ya got that but as to "better" shouldn't Prevx be acting against every unknown file even with UAC on or off.

Hopefully this is not just semantics: even if 'UAC > allow' clicked, or running with Admin privileges: PrevX will stop some unknown ??

Why not include some more granular user initiated actions for detection of unknowns and/or block exes and/or 'phone homes'. ??

Regards

Log in or Sign up

detection of TDL3 rootkit

EraserHW Malware Expert

Longboard Registered Member

EraserHW Malware Expert

Habakuck Registered Member

Longboard Registered Member

Log in or Sign up

detection of TDL3 rootkit

EraserHW Malware Expert

Longboard Registered Member

EraserHW Malware Expert

Habakuck Registered Member

Longboard Registered Member

Useful Searches