
Thread: TDL3: The Rootkit of All Evil?

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country

    TDL3: The Rootkit of All Evil?

    TDL-3's been "in the wild" for some time (2008?) from everything I can tell,
    but this weekend was the first time I've run across it. I'm posting this
    because I was altogether unable to get a handle on this thing until I got
    this client's desktop on the bench, and to make others aware there are
    increasingly sophisticated rootkits out there.

    My SOP (standard operating procedure, aka SOB) simply was not fixing this
    thing. I'd run Spybot and Malwarebytes only to have them come up clean.
    Antivir would clean malicious files, a dozen in one day at one point, but also
    seemed unable to get to the root (no pun intended) of what was going on.
    Basically what was occurring was this client's PC would get reinfected, and
    was running slow as well as suffering redirects from a Google search page (a
    primary symptom it turns out).

    Combofix, my "last resort" app found it, supposedly removed it on a reboot,
    only to have the thing return. There's a dropper in there somewhere. Finally
    I found a Kaspersky tool, which is available here:


    Running TDSSkiller turned up the rootkit as HD0, which is unusual to say the
    least. I did run a system file check ("sfc /scannow" from the Windows shell)
    after finally getting this thing cleaned out as insurance. The computer I was
    working on was a 32 bit XP install, but this also infects 64 bit systems supposedly.

    ESET's got a whitepaper out on the rootkit and how it works. It apparently
    disguises itself as hardware.


    And here's another white paper from Kaspersky's techs:


    HTH, brokencrow
    Last edited by brokencrow; December 20th, 2010 at 08:05 PM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    A quick read of some of the white papers on TDL-3 yields this:

    "On a side note: the dropper won't infect the system if it runs in a
    limited account or in an account with UAC activated."


    UAC is by no means bulletproof though, although setting it to its highest
    level appears to help (what a pain). Microsoft backed off on the UAC
    setting with Win7, defaulting the security level lower than it is in Vista.
    And of course, this does nothing on XP installs. TDL-3 appears to have
    been circulating since August of this year. There are two previous versions.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    However, on x64 platforms kernel-mode rootkits do not feel as at ease as they do on x86 systems. This is one of the factors in choosing the method of infecting the computer: an infected MBR. Another factor is that most modern anti-virus technologies, primarily anti-rootkit technologies, are not ready to deal with threats to the x64 platform, and this makes life much easier for virus writers.

    An "armed to the teeth" TDL-4 is a very serious danger to users, and it continues to evolve. Antivirus companies urgently need to build up their own anti-rootkit components, since in the case of a rootkit infection the data of ordinary users will simply have no chance.


    Why do I get the feeling x86 systems are really fecked going forward?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    Question: does formatting a HDD overwrite the MBR? Anybody know? This client
    had an MBR virus a couple of months back, and I used a utility called MBRfix from
    a PE disk to restore it. I've seen a few posts on the forums I've been thru that seem
    to indicate it is not unusual for a computer to become reinfected after formatting.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
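The MBR-infection question raised in the two posts above (does TDL-4's infected MBR survive, and does a format touch it) can be checked from a rescue environment by reading sector 0 and comparing its bootstrap code with a hash recorded when the disk was known clean. The block below is an added example, not code from this thread or from any vendor tool named in it; the "clean" and "altered" boot code bytes are constructed stand-ins, not real Windows or TDL-4 loader code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code that MBR infectors replace
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector 0 into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}

def check_mbr(sector: bytes, known_good_sha256: str) -> list:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(info["boot_code"]).hexdigest() != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    # Overlapping entries are a sign of a tampered or corrupted partition table
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("overlapping partition entries")
            break
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test MBR: given boot code, one bootable NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE

# Constructed stand-ins: a "clean" loader whose hash is recorded as the baseline,
# and an altered loader of the kind an MBR-infecting rootkit would write.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
INFECTED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 20)
```

A volume format rewrites that partition's own boot sector, not sector 0, so this baseline comparison is the check worth running after a reformat as well as after a cleanup.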

  5. #5
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Hi BC,

    We have had this issue a few times at clients of ours. I was able to get some samples to our LAB dept for this and it is available in our signature file, both official and beta.

    For these kinds of things, forget about cleaning it inside a Windows shell. Boot up with our SAFE CD http://www.pandasecurity.com/homeuse...010/en/241.htm.

    It has the ability to pick up an IP from a DHCP source and then download our latest signature file and scan.

    Just remember that it is extremely difficult for AV vendors to mess around with the MBR and rootkits in general, because one incorrect disinfection can corrupt the partition, thus forcing a format of the HDD.

    I will ask the manager at Panda Labs to give me some more information on this malware and will pass it onto you.


    This is what my LAB guys came back with.

    TDSS is a very complex rootkit. When it is loaded and hooks are installed on the system, it is very difficult to attack it. For this reason we decided the best way to attack this rootkit is attacking it before it is fully installed.
    The rootkit uses a lot of tricks to hide itself: it hides itself in disk sectors, it hooks dispatch routines of the miniport driver of the hard disk that is infected to hide the sectors, some versions infect system drivers instead of installing their own driver to stay alive after rebooting, ...

    Some versions of the virus install a boot driver and other versions infect disk drivers: atapi.sys, iastor.sys, ... This piece of code is responsible for loading the rest of the rootkit (stored in disk sectors). If we stop the rootkit before it is able to load the part stored in disk sectors, we will be able to clean the system from user mode.

    TDSS needs to wait until the file system is loaded to get the code stored in disk sectors. Sometimes it installs a file system notify routine with IoRegisterFsRegistrationChange. Other times (when it infects atapi, iastor, ...) it hooks the MJ_DEVICE_IO_CONTROL handler of the infected driver to wait for an I/O control (when that I/O control is received, TDSS knows the file system is loaded).

    How can we attack TDSS? We install a boot driver and try to load it as soon as possible (using SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, for example). We also install a callback with PsSetLoadImageNotifyRoutine so that we can analyze the entry point of the loaded images, searching for the rootkit code. If we find the code, we stop the execution at that moment (by overwriting the code in the entry point, or restoring the execution to the old entry point, ...). Doing that, the rootkit is out and we will be able to clean the system from user mode.
    Last edited by Cider; December 21st, 2010 at 02:18 PM.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  6. #6
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Hitman Pro is the only proggie that I have found to clean it 100%......I also as a rule always reformat the MBR and Repair the Boot.....Happy Hunting!
    "It is a shame that stupidity is not painful" - Anton LaVey

  7. #7
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    SW MO
    Rootkits continue to become scarier and scarier. The research in hardware rootkits frightens the crap out of me.

    I have not heard of Hitman Pro... care to elaborate on some of the features or pros/cons?
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."


  8. #8
    Senior Member
    Join Date
    Dec 2003
    Hitman Pro is a cloud anti-malware scanner. I ran it out of curiosity; it even showed two old VMware program files that were affecting connectivity to my router. It is a 30-day trial version.
    Last edited by romanticcowboy; December 26th, 2010 at 12:38 AM. Reason: i spelled cloud wrong

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Shawnee country
    My client had a TDL4 infection, and TDSSkiller (free download from Kaspersky) was quite effective at cleaning it up. This issue is two weeks out now and the computer has not been reinfected.

    The rootkit hid itself as HD0, that is, as a piece of hardware. I also ran a system file check (sfc /scannow) which I am often given to do on badly infected systems.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
