TDL3 - Why so serious? Let's put a smile on that face ...

Abstract:

The TDL (or TDSS) family is a trojan family famous for its effectiveness and active technical development. It contains a couple of components: a kernel-mode rootkit and user-mode DLLs which perform the trojan operations, such as downloading, blocking AVs, etc. Since the rootkit acts as an “injector” and protector for the user-mode bot binaries, almost all technical evolution of this threat family focuses on rootkit technology so as to evade AV scanners.

As its name says, TDL3 is the 3rd generation of the TDL rootkit, which still aims at covering the stealthy existence of its malicious code. Besides known features, this threat is equipped with a couple of impressive tricks which help it bypass personal firewalls and stay totally undetected by all AVs and ARKs at the moment. These aspects and techniques will be discussed in more detail in the sections that follow.

You can read the full article here:

http://blog.cmclab.net/wordpress/?p=37
Mirror: http://rootkit.com/newsread.php?newsid=979

And PDF version:
http://blog.cmclab.net/files/npson/pdf/tdl3_analysis_paper_ed.rar
password: tdl3_analysis

I hope this analysis will shed some light on the darkest parts of this brand new and truly effective & widespread rootkit/bot. I'm looking forward to hearing feedback and discussion from you guys.

Best Regards,

-Nguyen Pho Son aka thug4lif3

sample

I'm looking for a sample of TDL3, any help?
The article is nice, by the way.

TDL3 new sample

Just uploaded one of the most recent variants. The name is codec.exe. Search on the MD5:
81347b5591a59d79ed245a5848c43a0f

It's Mr Son again!!!

Mr Son,
I really admire you because I saw that whenever anyone wants to see a document on a virus, you'll be there. ^!^