detection of TDL3 rootkit

Discussion in 'Prevx Releases' started by Habakuck, Nov 22, 2009.

Thread Status:
Not open for further replies.
  1. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hey Joe.

    Is PrevX able to detect (not the dropper but the rootkit!) AND to clean this rootkit?


    I am working as a Malware Removal Assistance for a german AntiMalware Board.
    We saw several infections over the last month with this brand new rootkit variant.
    This variant has backdoor and elaborated rootkit functionallity and is very dangerous.
    The important thing is that it will always send a valid file or checksumm if you try to upload or copy it!
    The rootkit is called TDL3 and is described here: http://www.rootkit.com/newsread.php?newsid=979

    You can use Combofix with installed recovery console to fix this infection but i would advice you to fix it manually cause CF can cause heavy damage to the system if anything goes wrong with restoring the system files via the recovery console.

    Other AntiVirus vendors are helpless in cleaning because they need the original windows files to replace the infected drivers.
    I think it should be possible for PrevX to provide the cleaning modul with the original files cause you could grap them from your server. Am i right or terrible wrong?
     
  2. rolarocka

    rolarocka Guest

  3. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Yes you are right.

    But i wonder how PrevX cleans this up. That would be very interesting to hear.
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    From that article:

    TH
     
  5. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thank you Helix.

    I read that article but maybe m englisch is too bad to get that right...

    They sa that they are able to detect and clean the infection but will update PrevX to do a better cleanup?
    What?

    Are they able to detect AND cleanup the infection or not??

    Cause if PrevX is able to delete the atapi.sys (for example) without replacing the infected file with a fresh one the computer won't boot anymore.
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Again:

    TH
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    So I get from that article that Prevx can detect it if you try to run the infected file and will block it but if you are already heavily infected then support will help you clean it properly!

    TH
     
  8. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Ah OK. Thank you for clarification!

    So it detects the dropper but not the rootkit. Dammit. That's not what i hoped to hear.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,029
    Location:
    Hengelo, The Netherlands
    With Hitman Pro 3.5 we saw that every time when you infect a system, the driver is infected differently.

    In our multi vendor cloud we saw that Prevx was the only one to detect each and every variant whereas NOD32 was the only other vendor that detect some of the infected drivers.

    The means that Prevx has much better signature on TDL3 than the other vendors :thumb:
     
  10. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Actually its not about the signature. I have access to some relatively fresh TDL3 dropper and I can see that some vendors have a "signature" for patched files..... but when I tested if these vendors can actually scan and clean this file on an actively infected system, it was a completely different story. Most of normal AV's cant even SEE the infected file let alone clean it!

    I know that prevx and kaspersky for sure have updats to their products to provide cleaning and disinfection of this nasty rootkit for actively infected systems.
     
  11. horseman

    horseman Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    128
    Location:
    Hove - UK
    STATUS? Re: detection of TDL3 rootkit

    I know PX are working on this and I've got my son's suspect PC quarantined until I can physically access it later this week.

    I've been apparently receiving regularl warning emails since 15th but regrettably didn't access these till recently - Normally with his gaming/unhygienic web habits PX adequately blocks/cleans the usual crud and the inevitable FP's (from the aggressive configuration I set) are subsequently corrected "in the cloud" typically before I get time to check these myself within the 24hrs I normally respond with.
    This particular variant seems perversely more difficult to "unhook" via a remote session (at least with my limited/geriatric abilities)..... so......

    While I appreciate PX3-paws/cloud db will auto update and eventually (hopefully) provide local disinfection it would be useful for a "heads-up" from Joe (if nothing else but to avoid me sloshing a mile thru the rain/floods we're currently enjoying)!.

    .....and thanks to anyone who might be about to remind me of "SMS"/text option that is also avaiiable via MyPrevx! ;)
     
  12. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I am not talking about the dropper detection as i said before! I am talnking about the rootkit detection.
     
  13. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    ...I was talking about the rootkit detection.

    The dropper is irrelevant, it is the patched system files that count.

    My point is that an av can have a signature for a patched system file....but its a whole different ball game if it can detect it, because on an actively infected system most av can currently not "see" the infection...because TDL redirects disk access to the infected files in order to show a "clean" version. PX can for sure.
     
    Last edited: Nov 23, 2009
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    thanks Baz
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We are developing needed detection and cleanup for this infection. Current live version of Prevx is not able to detect the rootkit infection active on the system, (it could sometimes alert because of tdlcmd.dll and tdlwsp.dll, these are some sign of the running infection) but we've developed a private tool we are testing to detect and remove the infection and it's actually working well.

    This is why our customers that report signs of the infection can contact our customer support who will fix the infection by remote. When fully tested, it'll be implemented in Prevx
     
  16. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I tried Kaspersky TDSS removal tool against one of latest TDSS versions and it looks blind
     
  17. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thank you Eraser for clarification!

    Is it possible to get the tool stand alone?

    The TDSSKiller.exe version 1.5 is blind against TDL3.
    But the TDSSKiller.exe version 2.0 (beta) works fine against TDL3. ;)
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Check out the attached image :) (System is infected, of course)
     

    Attached Files:

  19. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hm, that is too bad! :mad:
     
  20. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    KIS knows it, updated ARK module is currently being tested....the TDDSKiller tool should be updated soon...I sent some dumps to the developers.

    Install also triggers PDM and HIPS heuristics.
     
  21. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Hmm..PX is reporting that atapi.sys is infected on this system where TDSS is live (other scanners have signature for atapi but cant see its modified)... sure it isn't already removing this shiz?
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, sometimes it happens but it shouldn't be able to fully remove the infection
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Definitely true. It's all but a noiseless installation :)
     
  24. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Does this mean that a HIPS program or Anti Executable running alongside Prevx would have alerted to this TDL3 trying to install?
    And would Sandboxie have contained it?
     
  25. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Mine came with fakeav :D

    I did put files from this computer at MR and sent to Mike if you want to have a look at it.
     
Thread Status:
Not open for further replies.