Latest TDL3 rootkit and GesWall

Discussion in 'other anti-malware software' started by aigle, Dec 10, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I had two samples and tried them in GesWall last night, just out of curiosity. As expected the dropper died very rapidly trying in vain to install the rootkit.

    First sample.

    1.jpg
    1 (1).jpg
    1 (2).jpg
    1 (3).jpg
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    2nd sample with same results.

    1 (4).jpg 1 (5).jpg
    1 (7).jpg 1 (8).jpg
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Geswall logs.
     

    Attached Files:

  4. Hi aigle.

    Can you send me that sample please? (If you have any other TDL3 rookits send those too if possible). I would like to test them against CIS v4 when it gets in mods hands.

    Thanks mate!
     
  5. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    584
    Location:
    Moon
    nice geswall...........really nice.........
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    This is the beauty of a sandbox, they are strong agianst malware.
     
  7. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I hope Geswall release their Win7 64-bit version soon. Had the same xp setup as you aigle without Key
    Scrambler. Sure do miss both:'(
     
  8. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Would all the denied and redirected traces in GesWall have been removed from the computer after a reboot? ie: Would the computer have been clean, as it was before. Or would it be like in DefenseWall where although the infection/traces are inert they have to be manually removed via the rollback facility.
     
  9. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Hi aigle, I see that D+ didn't give an alert about the temp-file creation for the first sample. but it should be, shouldn't it?

    I think you haven't tested it properly, because D+ alerts of the temp-file creation for the second sample. It is either that or D+'s file protection is buggy.
     
  10. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    584
    Location:
    Moon
    i wonder when comes GW 3 ............this app is amazing.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    I am waiting for 64 -bit and version 3 too.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall is very similar to DW with some differences. In GW:

    1- All registry redirects are erased instantly even before the reboot as they are virtualized enteries.
    2- All file/ registry denials leave no traces as the file creation/ modification is denied here.
    3- Most file creations are sandboxed, files remain but they are tagged and harmless unless executed as trusted. In this case there was no such file.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am not sure. I think two samples are behaving a bit different. To test it fully we need to execute them out the sandbox.

    I don,t think that there is any bypass of file protection of CFP.
     
  14. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Hi Aigle!
    Really appreciated your test.. have you tried MD too?:)

    Regards
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    MD will stop it of course. Actually it,s not installed ATM.
     
  16. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Thanks;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.