
sk1tt1sh's blog

Code injection


Not a new concept for sure.

A new wave of more difficult to remove malware? A new way of stealing information? Maybe.

In the last 6 months to a year it seems code injection and file infectors have "opened a new door". It still seems to be "replicate and destroy", but recently, with infections like "Scribble", "sality", "alman" and "virut", some changes have begun to show in this "angle of attack".

Now, instead of just replicating out of control, the infections are replicating crazily but also bringing down fake alerts and other nasty things.

Research for new rootkit > TDSS****.sys & ~5 similarly random DLLs

Hello,

I've got some samples right now of this nasty little rootkit.

Seems to be using higher-level polymorphism and deletion prevention of some sort. When attacked using any type of anti-rootkit it seems to sense the attack. It will then proceed to disappear and render the anti-rootkit software useless against it, thus requiring about 3-5 programs to use for removal.

It's using a driver "TDSSserv" @ hklm\system\Current Control\Services\TDSSserv
hklm\system\Current Control\Services\TDSSserv.sys)

These have ImagePath, Start and Type values: string, dword and dword respectively.

PurityScan

Hi, I'm wondering if there are any PurityScan droppers available. Also looking to find out what the exploit is that is used to use invalid characters for the filenames.

Anyone with info please let me know.

Thanks in advance.

Troj/Win32-virtumonde *

The naming convention on this sucker is quite large so it makes it difficult to classify the exact variant as that is a quite large field as well.

Either way, I'm looking at one on a remote system right now and it's actually hooking about 13 processes. It's very difficult to kill since it's running under so many processes. ordlix.dll I've got all the other loaded DLLs out of the system and have prevented everything from loading up. Per request I can submit this DLL if anyone would like to mess with it.