TDL3 Rootkit

Discussion in 'Prevx Releases' started by Dark Star 72, Jan 16, 2010.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    You kicked it up a notch from Max/Med/Med
    and I kicked it down a notch from Max/Max/Max.
    So post back and let me know if the change makes any difference in your operation.
    I'll do the same.
    Max/High/High might just be the ticket.
    I was running with heuristics too high. Prevx was alerting on avast drivers and hitmanpro stuff.
    Hopefully I've toned it down, and I can always drop further to Max/Med/Med if need be, but I do like the concept (if not the reality) of heuristics set high.
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    So far so good on Max/High/High! :thumb:

    TH
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
I have it at max/max/max with no issues or FP :)
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Win32/Alureon.gen!J

    More of: Routers attacked by malware.
    Should change default passwords, aye?
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Indeed - we've seen quite a few different infections which do this. We strongly recommend changing the default router passwords to prevent malware from logging in and changing the router's DNS settings.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA

Very good advice :thumb:
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    My router password is 34 characters long. :cool:
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :eek: I think that should suffice :D
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Gaining access to the router to alter the DNS settings isn't the only issue via defaults.

If your router happens to be one that is modifiable with Open-WRT, DD-WRT or Redboot, an attacker could modify the router with a trojan image that looks no different than the manufacturer's.
After which, password protecting it has no benefit.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I changed heuristics settings to Max/Med/Med. I never have run them that low before, but on Max/High/High Prevx gave out another Age/Spread Criteria Violation on system32\drivers\hitmanpro35.sys during this morning's scan.
     
  11. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
Don't forget to update the firmware too! That is as important as a good password!
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Except this is what I read in the User Guide and what the tech support folks tell me...

     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hi Searching_ _ _
    As far as a router being modifiable with Open-WRT, DD-WRT or Redboot, that applies only to wireless routers, correct?
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Hi Habakuck
    I just had a Live Chat session with a Linksys support person, and I asked him to please advise me.

    I wrote,

    He replied,

    So I asked again in a different way. :)

    And he replied,

     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
I have HMP and I still have Prevx on Max/High/High and I don't get any hits on that file when I do a scan! The only security programs I have running are NOD32 AV, Prevx, Look'n'Stop and WinPatrol Plus. Very confusing!

    I don't have HMP to scan on Boot up how about you?

    TH
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    No HMP automatic scan after start up here.
    But a daily Prevx scheduled scan.
    Could the difference be that I am still running Prevx v3.0.1.65?
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
Could be; maybe Joe can answer, because there have been so many changes under the hood. Maybe give the current version a go; to me it's very stable!

    TH
     
  18. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Hi Page42,

I have been testing Prevx with Max/Max/Max all day and did about 10 scans on two machines with no FP hits at all with V3.0.5.50, just to let you know!

    TH
     
  19. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
The only way this was possible on DD-WRT was an exploit which has long since been plugged. Though I don't know about the other firmware makers.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is definitely possible, although somewhat unlikely - we do have additional detection technology in 3.0.5.x and higher but it might be best if you could send over a scan log to report@prevxresearch.com so that I can see if we can implement a rule to trust the driver.

    Thanks! :)
     
  21. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
They are embedded OS images designed to replace your manufacturer's embedded OS image. Open-WRT, DD-WRT or Redboot were designed to take advantage of wireless routers. If someone is experienced with designing embedded OSes for devices, they could create an embedded OS image for any device that is susceptible: wired/wireless/modem MIPS devices.
The tech is only talking about wireless security, which is what the firmware addresses. <--I am learning too>

    You misunderstand what I was saying. Maybe I explained poorly.

First, the computer is compromised by malware (alureon; zlob; psyb0t).
Second, the attacker accesses the router via default passwords.
Third, the attacker doesn't alter the DNS settings but modifies a DD-WRT, Open-WRT or Redboot image
to look like the manufacturer's ROS image (which is different than firmware) and installs it in place of the manufacturer's Router OS image.

    Now the target's router is running a trojan embedded OS image.

Once the router is subverted, the target can change the password, update the firmware, securely erase the PC HDD, install and run malware cleaners, and the attacker still has access.

    The device that connects to the internet is pwned.

    Modems have the same vulnerability issues that routers have, MIPS based of course, for now.

    What can you do?
Access the device, if telnet is available, and check the flash layout, where the embedded OS image is stored. Verify any suspicious image uploads that you didn't install.
There shouldn't be any uploaded images if you didn't upload one.
     
    Last edited: Jan 22, 2010
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Susceptible, meaning weak or default password.
    Again, it goes back to passwords.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Next time it happens I will do that. But I have lowered heuristic settings to Max\Med\Med to try to alleviate the alerts. I prefer running the heuristic settings higher, but perhaps that is just me creating my own false sense of security. :)
     
  24. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    NO.
    Pretty much. Password protect before you connect, from a known clean system. ;)
    Weak or default passwords make it possible for them to access the device to modify it. DNS settings would be mild.
     
  25. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
Again, in the newer firmware this is not possible. DD-WRT makes you change the password as soon as the router is flashed and you try to access the other pages. He added this on purpose to stop people from having issues like this. So UNLESS you really want the DEFAULT password and force the router to take it, it won't have a default password.

Also, you might want to use a product before you talk about it. You might then learn what has been added and why I posted what I did. Again, newer firmware is not at risk, but older (2+ years ago) versions before changes were implemented are. Also keep in mind that people that use this type of firmware are NORMALLY on the advanced side of computing. If this ever happens to someone that knows what they are doing, they would simply JTAG it, or even go as far as pin-shorting the router to erase the flash and then reload it back to the good firmware.
     
    Last edited by a moderator: Jan 23, 2010