Skip navigation.
Home

Research for new rootkit >TDSS****.sys & ~5 similarly rand DLLS

|

Hello,

I've got some samples right now of this nasty little rootkit.

Seems to be using higher level polymorphism and deletion prevention of some sort. When attacked using any type of anti-rootkit it seems to sense the attack. It will then proceed to disappear and render the antirootkit software useless against it, thus requiring about 3-5 programs to use for removal.

It's using a driver "TDSSserv" @ hklm\system\Current Control\Services\TDSSserv
hklm\system\Current Control\Services\TDSSserv.sys)

These have an imagepath and start and type. String and dword dword respectively.

Also using an HKLM\Software\TDSS with multiple values and subkeys of connections disallowed injector and version.

Currently as rootkitting goes most of this is a pain to see. Unfortunately to get a live sample going is nearly impossible. I've got all files that seem to be related to it but are not allowing me to get it up and running stably.

Please provide insight or files if you can. Thank you.

http://www.threatexpert.com/r

http://www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627

looks similar to what you have mentioned.

Hi, I think this rootkit

Hi,

I think this rootkit isnt new. Can you check whether it hooks NtFlushInstructionCache or not? If so, this rootkit has extra filter driver on filesystem also.

Hey guys thanks for the

Hey guys thanks for the responses.

It appears this is a reiteration on the old one. I'm working on peeking files for that ntfic that you mentioned. This one is odd, as it is using multiple files for control and re-assembly during use.

It's using the .sys portion and hooking as a module in svchost but is not particular to any one.

It's seems to create new .sys files of itsself if the service is deleted and the registry keys removed.

Pretty squirmy bugger if ya ask me.

What I'm really looking for is an installer for it.

I've crafted one using the files I've gotten off of some systems but as of yet cannot find an installer.

Thanks yall!

http://safeweb.norton.com/rep

http://safeweb.norton.com/report/show?name=91.203.92.121

http://www.malwaredomainlist.com/mdl.php?search=91.203.92.121

1 file grabbed 4 u.
http://www.offensivecomputing.net/?q=ocsearch&ocq=f4c455ff64c074c1a37db4e272c3d8e5

Enjoy,

MJ

Thanks a bunch. I've been

Thanks a bunch. I've been working with this one, I actually have a newer one but I'm trying to figure out it's packing method.

Basically from about 1.5 weeks I've been tracking them from version 2 test 2 up. The one attached here is 2.6 I've got a2.7 dropper. I've also got a few web addresses if anyone wants to try to get in. =)

Anyone play with any of these droppers with IDA Pro?

Could you give a links and bodies that you have?

Could you give a links to get it as real infection and could you give a bodies that you have (we interested to get a dropper)?
Mail to tsdep@online-solutions.ru as archive

Thank you!

--
Best protection against malware and rootkits
http://www.online-solutions.ru/en/

TDSS****.sys & ~5 similarly rand DLLS

I'm interested in getting the web address for tdss.

Here ya go!

Here is one we found today. It's fairly undetected 6/36 on VT.

91.203.92.121/files/42/v300/file.exe

dddc65a1caabd95ba32b3da6064dc96c

./lithium
MalwareDatabase

I'm pretty sure this

I'm pretty sure this infection starts with malicious PDF files. I didn't get enough time to work with it but I will update you guys on Monday.

./lithium
MalwareDatabase

Installer

Here's an installer I uploaded that will put a variant of this TDSS thing on a system. It only seems to work if Internet connectivity is available. I'm not sure if any of the other files people have posted here do the same thing.

I've found that once it has done it's thing, it causes WinXP machines to BSOD when booting into safe mode (this behavior hasn't been consistent from installation to installation), it shows DNS errors when accessing security related websites, protects it's own files from AV scanners, and blocks file scanning with RootkitRevealer and BlackLight. GMER finds it though.

All of the above mentioned actions are restored to normal operation if you go into Device Manager, show hidden devices, disable TDSSserv.sys under Non-PNP Devices, and reboot.

1c1959758dd3799d8d93d5522ae123cc

Yall are f*kn

Yall are f*kn awesome.

Eitherway, that last one doesn't seem to bring down the TDSS rootkit malware.

p.s. It does use zwFlushInstructionCache.

Also I've been working with it with IDA Pro, and Filealyze, and peek.

I'm having a bitch of a time getting even the dropper to disassemble.

It's jumping memory ranges if I load all the components (namely the data+text will cause it to jump)
If I load text alone it will accept my startpoint, but drops off when it referances the XOR eax, ebx routine.
the XOR routine is dynamically grabbing a memory address start point based on something. I find the first push which is the eax about 10-15 lines in, then ebx is a value assigned by some sort of subtraction of a popped eax with ... another value that is [xxx] (which ima noober at assy, but i assume from what i've seen it is not yet an actual value)

Either way, if anyone knows. Help me? lol

another 125f2d169b592b49ece9f

another

125f2d169b592b49ece9f5295d0b96d0

stopping anti rootkit tools

Any idea of the method its using to stop scanners scanning the raw disk data?

its using a drive lock of

its using a drive lock of some sort.

open handle.

TDSS

I recently got this on my system, and it took all night, but I think it is defeated. I have dual boot, so went into the other os to delete files, but it put a folder in allusers\applicationdata\microsoft\internetexplorer\dll
All the files that kept this thing coming back after I *thought* I deleted them were in there. I deleted this entire internetexplorer folder and sub folder thru the other os (vista) and then booted back to xp. It appears all my troubles are now gone.