Research for new rootkit >TDSS****.sys & ~5 similarly rand DLLS
I've got some samples right now of this nasty little rootkit.
It seems to be using higher-level polymorphism and some sort of deletion prevention. When attacked using any type of anti-rootkit, it seems to sense the attack. It will then proceed to disappear and render the anti-rootkit software useless against it, thus requiring about 3-5 programs for removal.
It's using a driver "TDSSserv" at hklm\system\Current Control\Services\TDSSserv.
This key has ImagePath, Start and Type values: a string and two DWORDs, respectively.
It also uses HKLM\Software\TDSS, with multiple values and subkeys: connections, disallowed, injector and version.
Currently, as rootkits go, most of this is a pain to see. Unfortunately, getting a live sample going is nearly impossible. I've got all the files that seem to be related to it, but they are not allowing me to get it up and running stably.
Please provide insight or files if you can. Thank you.
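Since the post says the rootkit hides from live anti-rootkit tools, one defensive check that sidesteps that is to inspect a registry export taken from a rescue environment rather than the running system. The script below is an added example, not code from the post's author or from any tool it mentions: it parses the `.reg` export format and flags the service key and the `HKLM\SOFTWARE\TDSS` key the post describes, decoding `Start` and `Type` with the standard Windows service constants. It assumes the usual `CurrentControlSet\Services` path for the driver service; the sample export, its `TDSSxxxx.sys` file name and the `PLACEHOLDER` values are constructed for illustration, not real indicators.

```python
"""Offline check of a Windows .reg export for the TDSS registry artifacts
described in the post. Added example; the sample export is constructed."""
import re

# Standard Windows service Start / Type values (SERVICE_* constants).
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
TYPE_NAMES = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER",
              16: "WIN32_OWN_PROCESS", 32: "WIN32_SHARE_PROCESS"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"(.+?)"|(@))=(.*)$')      # "name"=data or @=data
_SERVICE_RE = re.compile(r"\\SERVICES\\TDSSSERV$")
_CONFIG_RE = re.compile(r"\\SOFTWARE\\TDSS(\\|$)")       # key itself or its subkeys


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: (kind, value)}}.
    Quoted strings become REG_SZ, dword:... becomes REG_DWORD (int);
    any other encoding (hex(2), hex(7), ...) is kept as ("RAW", text)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
            elif data.lower().startswith("dword:"):
                keys[current][name] = ("REG_DWORD", int(data[6:], 16))
            else:
                keys[current][name] = ("RAW", data)
    return keys


def find_tdss_indicators(keys):
    """Return human-readable findings for the TDSSserv service key and the
    HKLM\\SOFTWARE\\TDSS configuration key (and its subkeys)."""
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        if _SERVICE_RE.search(upper):
            image = values.get("ImagePath", ("", "<missing>"))[1]
            start = values.get("Start", ("", None))[1]
            typ = values.get("Type", ("", None))[1]
            findings.append(
                f"service TDSSserv: ImagePath={image}, "
                f"Start={START_NAMES.get(start, start)}, "
                f"Type={TYPE_NAMES.get(typ, typ)}")
        if _CONFIG_RE.search(upper):
            findings.append(f"config key {path}: values={sorted(values)}")
    return findings


# Constructed sample export (driver file name and data are placeholders).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\TDSSxxxx.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS]
"version"="PLACEHOLDER"
"injector"="PLACEHOLDER"

[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\connections]
"0"="PLACEHOLDER"

[HKEY_LOCAL_MACHINE\SOFTWARE\TDSS\disallowed]
"0"="PLACEHOLDER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
'''

if __name__ == "__main__":
    for finding in find_tdss_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against a real export with `parse_reg(open("hive.reg", encoding="utf-16").read())` (regedit writes UTF-16 files). A `Start` of `SYSTEM_START` with `Type` `KERNEL_DRIVER` is what you would expect for a boot-persistent driver; the benign `CurrentVersion` key in the sample is there to show that unrelated keys produce no finding.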