TDL4 rootkit now stronger than before

Discussion in 'malware problems & news' started by CloneRanger, May 2, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    http://www.prevx.com/blog/172/TDL-rootkit-is-coming-back-stronger-than-before.html
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Thanks for sharing.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Time to get another patch out, MS; our 64-bit immunity was short-lived.
     
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    TDL4 bootkit reinstates 64-bit infection capability

    http://hitmanpro.wordpress.com/2011/05/02/tdl4-bootkit-reinstates-64-bit-infection-capability/
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Still vulnerable, though, to a variety of methods.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, the dropper first has to execute before it can install the rootkit. From an earlier blog Marco refers to:

    He also mentions that the droppers have been seen in exploit kits.

    I found this one, the site uses the Black Hole Kit, and it serves up Java and PDF exploits.
    The random long file name 0.###...exe is similar to TDL4 filenames I've seen in some of the hijack forums, although I can't be sure.

    It doesn't really matter, though; an executable is an executable.

    [Attached image: Web_1IE-java.gif]

    Now, exploit kit stuff is usually triggered by javascript, and this is no different. Some snippets of the code:

    [Attached image: Web_1code.gif]

    So, if my JavaScript is whitelisted per site, and plugins are disabled, neither of those exploits can trigger,
    and the page just sits there doing nothing:

    [Attached image: web_1opera.gif]

    I mention this because the tendency is to focus mainly on the impressive sophistication of today's malware,
    rather than on the (usually simple) preventative measures!

    Marco refers to another attack vector in a previous blog:

    No further comment on that is needed!

    regards,

    -rich
     
    Last edited: May 2, 2011
  7. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks for the read :)
     
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    This TDL4 rootkit sounds bad. Does anyone know what the detection rate of this rootkit is? Any MD5 hashes of the file?
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    At kernelmode.info, you can find some VirusTotal DLL scan results, including hashes.
    Their thread 'Malware thread; Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)': http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&start=400
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    "Unfortunately", the site that Rmus refers to is not functioning anymore, so I could not play with the virus. ;)
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Mmm probably true.

    I suppose users unfortunately getting infected with tdl highlights the failure, possibly combined with a lack of knowledge of their protection methods.
     