The Evolution of TDL: Conquering x64

Discussion in 'other security issues & news' started by gambla, Feb 21, 2013.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hi,
    I stumbled on this very good article of 2011 (?). I wonder how to detect and counter the self-defense mechanisms?

    Could this probably be done only offline using a Linux rescue CD?

    Is such a hidden file system detectable at all?
     

  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Does the article describe how the user gets infected with TDL?


    ----
    rich
     
  3. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    As far as I remember, it doesn't. Using a proper setup and experience, the dropper should be no problem for us, as well as any signs of the payload's malicious activities. But all I'm interested in is such a worst-case scenario.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    I remember that HitmanPro had added detection for such a hidden file system through miniport driver hooking back then; I found a blog about it with more explanation:
    http://hitmanpro.wordpress.com/2011/06/16/cloud-assisted-miniport-hook-bypass/
     
  5. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Thanks mate...
     