Latest update of Hitman Pro removes TDL3 rootkit

Discussion in 'other anti-virus software' started by erikloman, Nov 30, 2009.

Thread Status:
Not open for further replies.
  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    The TDL3 rootkit is currently a large issue for nearly all anti-virus programs.
    Hitman Pro 3.5 build 79 is able to detect and remove the TDL3 rootkit.

    More information:

    Hitman Pro: http://www.surfright.nl/en/home/press/hitman-pro-35-removes-tdl3-rootkit

    Prevx: http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

    Remove malware.com: http://remove-malware.com/malware/malware-warnings/nasty-new-rootkit-patches-atapi-sys/

    Technical information: http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html
     
  2. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    Well ... beside the fact that you don't detect all variants I have access to, cleaning an infection results in a nice BSOD loop on boot ... my guess is because you deleted my (infected) disk driver:

    Windows XP Professional-2009-11-30-17-45-23.png
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    Thanks for posting. What specific driver are you referring to? It can't be a standard Windows driver (like atapi.sys) since Hitman Pro does *not* remove files that are protected by e.g. Windows File Protection (WFP). Instead, it uses a new technique to 'replace' the infected file with a clean and safe version (that was e.g. still on the system). If a safe file was not found, the infection remains (Hitman Pro doesn't make any changes).
    Anyway, could you provide some details about the infected system (especially the driver file that was infected by TDSS/Alureon)?
     
    Last edited: Nov 30, 2009
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London


    Dr. Web CureIT already detects and cures TDL3, Kaspersky has defs (which also disinfect and cure) in for public testing before general release too: http://forum.kaspersky.com/index.php?showtopic=147016
     
  5. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    No, it isn't a standard disk driver and is therefore not protected by the WFP. It's the one installed by VMware (vmscsi.sys). You may want to rethink your cleaning process, since I have seen different other TDL3-infected drivers that don't belong to Windows as well.
     
  6. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Well, what is the chance that real people are going to be using VMs... or bothering to disinfect "infected" ones... rolling back to the last snapshot is probably a lot more pain-free and easier. VMs often behave differently to a physical computer.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    :mad:
    The statement about whether the file must belong to WFP is not entirely true. When the pre-infected driver is signed it is also not deleted but queued for replacement by a white driver. If a replacement cannot be found (either from disk or Windows CD), the infection remains.

    I am curious though why the driver was deleted in your VMware session (assuming it was deleted). Over the past weekend we have detected well over 450 infections and none of them resulted in a BSOD.

    Perhaps you have a different variant of TDL3? Can you please send the dropper to erik (at] surfright [dot) nl ?
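    The replace-or-leave policy described in posts 3 and 7 (never delete a boot-critical driver; substitute a hash-verified clean copy if one can be found, otherwise leave the infection in place), written out as an added Python illustration that is not Hitman Pro's code. The directory layout, file contents and the boot_critical flag are constructed for the example; the third case models the build 79 behaviour on a third-party disk driver that Anar reported.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional, Set


@dataclass
class Decision:
    action: str             # "replace", "leave" or "remove"
    source: Optional[Path]  # where the clean copy came from, if any
    reason: str


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_clean_copy(name: str, dirs: Iterable[Path], known_good: Set[str]) -> Optional[Path]:
    # Look for an on-disk copy (dllcache, driver store, install media) whose
    # hash is in the known-good set; anything unverifiable is ignored.
    for d in dirs:
        cand = d / name
        if cand.is_file() and sha256_file(cand) in known_good:
            return cand
    return None


def decide(driver: Path, dirs, known_good: Set[str], boot_critical: bool) -> Decision:
    if sha256_file(driver) in known_good:
        return Decision("leave", None, "already matches a known-good hash")
    clean = find_clean_copy(driver.name, dirs, known_good)
    if clean is not None:
        return Decision("replace", clean, "clean copy verified by hash")
    if boot_critical:  # disk drivers, WFP-protected files, signed drivers
        return Decision("leave", None, "no clean copy; deletion would break boot")
    return Decision("remove", None, "non-critical file with no clean copy")


def demo() -> dict:
    """Constructed scenario: an infected disk driver with and without a verified clean copy."""
    root = Path(tempfile.mkdtemp())
    clean_bytes = b"MZ...constructed clean iaStor.sys image..."
    infected_bytes = clean_bytes + b"<constructed rootkit patch>"
    known_good = {hashlib.sha256(clean_bytes).hexdigest()}
    drivers, cache, empty = root / "drivers", root / "dllcache", root / "empty"
    for d in (drivers, cache, empty):
        d.mkdir()
    (drivers / "iaStor.sys").write_bytes(infected_bytes)
    (cache / "iaStor.sys").write_bytes(clean_bytes)       # clean copy still on the system
    (drivers / "vmscsi.sys").write_bytes(infected_bytes)  # third-party driver, no cached copy
    return {
        "iaStor_with_cache": decide(drivers / "iaStor.sys", [cache], known_good, True).action,
        "vmscsi_no_copy": decide(drivers / "vmscsi.sys", [empty], known_good, True).action,
        "vmscsi_not_flagged": decide(drivers / "vmscsi.sys", [empty], known_good, False).action,
    }
```

The last case is the one that produced the BSOD loop reported earlier in the thread: a disk driver not flagged as boot-critical and with no clean copy available gets removed.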
     
  8. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    For a more real life example ... Hitman just "removed" iaStor.sys (Intel Storage Driver) of my physical test box that got infected by TDL3. Result is again a BSOD on boot.

    I just sent you the infected drivers as well as the dropper by mail.
     
    Last edited: Nov 30, 2009
  9. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Over here it also is tracking Hookcentre.sys
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    We have updated Hitman Pro 3.5 to build 80. It will now also handle TDL3 infections on systems with non-standard third party disk drivers. Here are the release notes:

    Build 80 (2009-12-01)
    • Fixed a problem removing TDL3 rootkit infection from systems with specific third party drivers.
    • As of build 79, Hitman Pro is digitally signed with a new Microsoft Authenticode certificate.
     
  11. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    385
    Location:
    Land of the Mer Lion
    Hi;

    HitmanPro Build 79 did not update to Build 80. It scanned and is still with "Build 79". When will the update be available?

    Regards!
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    If the automatic update fails you can always download the latest version here: www.hitmanpro.com/downloads

    Although I am curious as to why your version did not update. The update procedure should start when the splash window appears. A progress bar should indicate the download of the update. What part of this does not occur on your PC?
     
  13. Anar

    Anar Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    31
    I can confirm that build 80 handles infections of third party disk drivers correctly now. Thanks for the fix :).
     
  14. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    Great to hear that!
    Well done, Hitman Pro team!:thumb:
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    When I go to the link that Erik put here I see version 79, not 80...
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Oops, forgot to update the page on the website. The download always points to the latest though, even if the web page states it is an older version.
     
  17. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    540
    I see build 80
    http://www.surfright.nl/en/hitmanpro
    Maybe this is a better link ^^
     
  18. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    There is no 64-bit version of .80? It still downloads the 78 version, even when I see that .80 is announced on the page...
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    x64 release is November Decemter 4th.
     
    Last edited: Dec 1, 2009
  20. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    So we have to wait almost a year? ;) I guess you meant December.
     
  21. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Great work to Anar with the testing and follow-up, and Erik and team for keeping a cool head with the program update.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Hitman Pro build 85 now removes TDL3.22 (also known as TDL3+).

    The TDL3 rootkit infects the hard disk driver, usually atapi.sys or iastor.sys, so that it is loaded when Windows boots.

    Whereas Dr.Web and TDSSKiller successfully removed previous versions of TDL3, only Hitman Pro build 85 is currently able to remove the newer TDL3.22.

    You can PM if you are interested in a sample.
     
  23. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I worked on a pc earlier this afternoon that had the new TDL3+ rootkit. HMP detected the infected atapi.sys and replaced it with a clean copy on reboot. :thumb:
     
  24. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Erik, Dr.Web's beta has been able to remove all versions of TDL3 for some time, including the new versions; their support told me it will be released in an update to everyone (non-beta) in the next week or so.

    https://www.wilderssecurity.com/showpost.php?p=1606541&postcount=836
     
  25. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    newer version out
     