TDL3 and ZeroAccess: More of the same?

Discussion in 'malware problems & news' started by Repne movsb, Aug 9, 2011.

Thread Status:
Not open for further replies.
  1. Repne movsb

    Repne movsb Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    13
    This is going to be an interesting read

    http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This seems possible.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    If they're from the same team, then why do they kill each other?
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Perhaps because TDL3 rootkits are being detected more and more but ZeroAccess not so much yet?
    Then if an AV/AM would start warning over a TDL3 infection, users might full-format and remove ZeroAccess also?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, that is why they remove each other. But you'd think that if they were the same team they'd find another solution. Perhaps not.
     
  6. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Rereading Marco Giuliani's article forces me to reconsider my notion of removal because of possible detection;

    '...One of the downloaded plugins, called desktop.ini, dropped by the module driver called @800000c0, has an embedded anti-TDL specific routine, able to detect if the system is already infected by the TDL rootkit and, if it’s the case, the routine is going to disable it.

    As malware analysts may recall, the TDL rootkit is comprised of two parts — the kernel mode driver which hides the rootkit on the disk, and the cmd.dll plugin. The latter part is the user mode part that is being injected inside the user mode processes. It acts as an ad-clicker and a fundamental bridge to the command and control server listed in the cfg.ini rootkit file.

    Now, ZeroAccess’s search engine hijacker plugin is able to scan the virtual memory of the process where it resides, looking for TDL’s cmd.dll traces and, if found, automatically recovering the hidden disk path to it and overwriting its code with trash bytes along with the cfg.ini’s TDL configuration file. At the next start-up, the TDL rootkit is still active in kernel mode. However, its payload has been totally disabled, rendering it useless.
    '

    If only the user-land payload is killed, detection of the rootkit isn't prevented.
    So what's left? A PC park, infected with ZeroAccess and a useless rootkit that won't deliver a payload, and thus won't make any money anymore, and which can't be updated anymore?
    The most logical, imho, seems a financial motive; to stop others making money. Did the original crew behind this variant sell it before starting with ZeroAccess? Perhaps a financial dispute there?
    Any dispute with the 'ad-click paying party' would result in a simple C&C server update, right?
    Nvm, I'll stop speculating, back to square one; I don't really get it.
     
    Last edited: Aug 12, 2011
Loading...
Thread Status:
Not open for further replies.