detection of TDL3 rootkit

Hey Joe.

Is PrevX able to detect (not the dropper but the rootkit!) AND to clean this rootkit?


I am working as a Malware Removal Assistance for a german AntiMalware Board.
We saw several infections over the last month with this brand new rootkit variant.
This variant has backdoor and elaborated rootkit functionallity and is very dangerous.
The important thing is that it will always send a valid file or checksumm if you try to upload or copy it!
The rootkit is called TDL3 and is described here: http://www.rootkit.com/newsread.php?newsid=979

You can use Combofix with installed recovery console to fix this infection but i would advice you to fix it manually cause CF can cause heavy damage to the system if anything goes wrong with restoring the system files via the recovery console.

Other AntiVirus vendors are helpless in cleaning because they need the original windows files to replace the infected drivers.
I think it should be possible for PrevX to provide the cleaning modul with the original files cause you could grap them from your server. Am i right or terrible wrong?

 

Isnt it this?
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

 

Yes you are right.

But i wonder how PrevX cleans this up. That would be very interesting to hear.

 

From that article:

TH

 

Thank you Helix.

I read that article but maybe m englisch is too bad to get that right...

They sa that they are able to detect and clean the infection but will update PrevX to do a better cleanup?
What?

Are they able to detect AND cleanup the infection or not??

Cause if PrevX is able to delete the atapi.sys (for example) without replacing the infected file with a fresh one the computer won't boot anymore.

 

Again:

TH

 

So I get from that article that Prevx can detect it if you try to run the infected file and will block it but if you are already heavily infected then support will help you clean it properly!

TH

 

Ah OK. Thank you for clarification!

So it detects the dropper but not the rootkit. Dammit. That's not what i hoped to hear.

 

With Hitman Pro 3.5 we saw that every time when you infect a system, the driver is infected differently.

In our multi vendor cloud we saw that Prevx was the only one to detect each and every variant whereas NOD32 was the only other vendor that detect some of the infected drivers.

The means that Prevx has much better signature on TDL3 than the other vendors

 

Actually its not about the signature. I have access to some relatively fresh TDL3 dropper and I can see that some vendors have a "signature" for patched files..... but when I tested if these vendors can actually scan and clean this file on an actively infected system, it was a completely different story. Most of normal AV's cant even SEE the infected file let alone clean it!

I know that prevx and kaspersky for sure have updats to their products to provide cleaning and disinfection of this nasty rootkit for actively infected systems.

 

STATUS? Re: detection of TDL3 rootkit

I know PX are working on this and I've got my son's suspect PC quarantined until I can physically access it later this week.

I've been apparently receiving regularl warning emails since 15th but regrettably didn't access these till recently - Normally with his gaming/unhygienic web habits PX adequately blocks/cleans the usual crud and the inevitable FP's (from the aggressive configuration I set) are subsequently corrected "in the cloud" typically before I get time to check these myself within the 24hrs I normally respond with.
This particular variant seems perversely more difficult to "unhook" via a remote session (at least with my limited/geriatric abilities)..... so......

While I appreciate PX3-paws/cloud db will auto update and eventually (hopefully) provide local disinfection it would be useful for a "heads-up" from Joe (if nothing else but to avoid me sloshing a mile thru the rain/floods we're currently enjoying)!.

.....and thanks to anyone who might be about to remind me of "SMS"/text option that is also avaiiable via MyPrevx!

 

I am not talking about the dropper detection as i said before! I am talnking about the rootkit detection.

 

...I was talking about the rootkit detection.

The dropper is irrelevant, it is the patched system files that count.

My point is that an av can have a signature for a patched system file....but its a whole different ball game if it can detect it, because on an actively infected system most av can currently not "see" the infection...because TDL redirects disk access to the infected files in order to show a "clean" version. PX can for sure.

 

thanks Baz

 

We are developing needed detection and cleanup for this infection. Current live version of Prevx is not able to detect the rootkit infection active on the system, (it could sometimes alert because of tdlcmd.dll and tdlwsp.dll, these are some sign of the running infection) but we've developed a private tool we are testing to detect and remove the infection and it's actually working well.

This is why our customers that report signs of the infection can contact our customer support who will fix the infection by remote. When fully tested, it'll be implemented in Prevx

 

I tried Kaspersky TDSS removal tool against one of latest TDSS versions and it looks blind

 

Thank you Eraser for clarification!

Is it possible to get the tool stand alone?

The TDSSKiller.exe version 1.5 is blind against TDL3.
But the TDSSKiller.exe version 2.0 (beta) works fine against TDL3.

 

Check out the attached image (System is infected, of course)

 

Hm, that is too bad!

 

KIS knows it, updated ARK module is currently being tested....the TDDSKiller tool should be updated soon...I sent some dumps to the developers.

Install also triggers PDM and HIPS heuristics.

 

Hmm..PX is reporting that atapi.sys is infected on this system where TDSS is live (other scanners have signature for atapi but cant see its modified)... sure it isn't already removing this shiz?

 

Yes, sometimes it happens but it shouldn't be able to fully remove the infection

 

Definitely true. It's all but a noiseless installation

 

Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install?
And would Sandboxie have contained it?

 

Mine came with fakeav

I did put files from this computer at MR and sent to Mike if you want to have a look at it.