TDSS/TDL3 RK's investigation and analysis

Discussion in 'malware problems & news' started by CloneRanger, Jun 26, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    TDSS Rootkits analysis

    http://www.securelist.com/ru/analysis/208050642/TDSS

    Lots of background info in there. I used http://translate.google.com/translate

    Another analysis


    TDL3: The Rootkit of All Evil?

    http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf


    They are still at it today, and using Fake SSL Certs once again.


    Managed to grab the MZ etc source from one of the www's and converted it to TDL.exe


    VT was down, and not just the HTTPS version, as was http://virscan.org, so I used http://virusscan.jotti.org and http://viruschief.com. Also scanned locally with Avira and Prevx = NO detects from ANY, so it's definitely a fresh nasty :eek:

    Now on the way to vendors :D
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Cudni

    Hi, the link you gave leads to the PDF one I listed ;)

    Thanks for thinking along the same lines though, always good to get nice info :thumb:
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Always. And my link, although in error, will serve as redundancy in case anybody misses it at first ;)
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Cudni

    Indeedy weedy ;) :thumb:
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks for the links:thumb:
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    The Case of TDL3

    Ace from our Kuala Lumpur lab has written a technical white paper on the internals of the highly advanced TDL3 trojan. The paper goes deep into the features of this advanced backdoor/rootkit.

    http://www.f-secure.com/weblog/archives/00001976.html
     