Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire
kudos:13

TDL4 rootkit is coming back stronger than before

»www.prevx.com/blog/172/T ··· ore.html
"... TDL4 authors didn't wait too long and just released an update to its TDL4 rootkit code, making a number of important changes that are able to bypass the patch issued by Microsoft and a number of TDL rootkit scanners available online. Looks like this new TDL4 dropper is still in development stage because there are some bugs in the dropper code. ..."

for... things that go bump in the night.... have a hammer ready

Seriously though, as they are clever, we need to be cleverer.

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2011/12

Triple Helix
Troll Hunter
Premium Member
join:2007-07-26
Oshawa, ON
kudos:7
·Rogers Hi-Speed

64-bit security didn't last long, as in this case! Thanks Cudni!

successfully bypassing all the security countermeasures implemented in the 64 bit version of Windows that should prevent the loading of unsigned drivers and every kind of patch to the Windows kernel.

TH
--
Triple Helix - VIP Member Of ASAP - (Alliance of Security Analysis Professionals™) - Official Prevx Support Forum Helper!
dsilvers
join:2009-05-17
Canyon Lake, TX

dsilvers to Cudni

Member

Looks like another round of TDL4 gearing up. It looked like development had stalled for a while. Bypasses Microsoft patch. New 32 and 64 bit versions. Buggy but I am sure they will fix it for us.

»www.virustotal.com/file- ··· 04345866

File name: dll.exe
Submission date: 2011-05-02 14:17:46 (UTC)
MD5 : 10a7fe7d29087c3060ddc74c43db1db9
Result: 9 /41 (22.0%)

»www.virustotal.com/file- ··· 04346701

File name: dll.exe
Submission date: 2011-05-02 14:31:41 (UTC)
MD5 : 25ed9887d397535dc5b7b0f2edb91f87
Result: 4 /41 (9.8%)
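As an added example (not code from this thread, from VirusTotal or from any vendor named here), a small Python triage script that seeds a hash IoC list with the two MD5s posted above and checks files or in-memory samples against it. The hash values are the ones from the post; the descriptions, function names and the constructed sample bytes are my own. Note that the two droppers were submitted fourteen minutes apart and already carry different hashes, so exact-hash matching is only useful as a first triage step, not as the sole control.

```python
import hashlib

# IoC table: the two MD5s posted in this thread (values from the page).
# The descriptions are constructed summaries of the posted VirusTotal results.
TDL4_DROPPER_MD5S = {
    "10a7fe7d29087c3060ddc74c43db1db9": "dll.exe, VT 2011-05-02 14:17 UTC, 9/41",
    "25ed9887d397535dc5b7b0f2edb91f87": "dll.exe, VT 2011-05-02 14:31 UTC, 4/41",
}


def normalize_md5(digest):
    """Lower-case and validate a 32-hex-char MD5 string; return None if malformed."""
    d = digest.strip().lower()
    if len(d) != 32 or any(c not in "0123456789abcdef" for c in d):
        return None
    return d


def lookup_md5(digest):
    """Return the IoC description for a known MD5, or None if unknown or malformed."""
    d = normalize_md5(digest)
    if d is None:
        return None
    return TDL4_DROPPER_MD5S.get(d)


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory file image."""
    return hashlib.md5(data).hexdigest()


def match_bytes(data):
    """Hash an in-memory sample and look it up in the IoC table."""
    return lookup_md5(md5_of_bytes(data))


def scan_samples(samples):
    """Check a dict of name -> bytes; return [(name, md5, description)] for hits only."""
    hits = []
    for name, data in samples.items():
        digest = md5_of_bytes(data)
        desc = TDL4_DROPPER_MD5S.get(digest)
        if desc:
            hits.append((name, digest, desc))
    return hits


def scan_paths(paths, chunk_size=1 << 20):
    """Hash each file on disk in chunks (so large files are not read into memory)
    and return [(path, md5, description)] for files whose MD5 is in the IoC table."""
    hits = []
    for p in paths:
        h = hashlib.md5()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                h.update(chunk)
        digest = h.hexdigest()
        desc = TDL4_DROPPER_MD5S.get(digest)
        if desc:
            hits.append((str(p), digest, desc))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python tdl4_hash_triage.py <file> [<file> ...]
    for path, digest, desc in scan_paths(sys.argv[1:]):
        print(f"MATCH {path} md5={digest} ({desc})")
```

The lookup is case-insensitive and rejects malformed input so that a hash copied from a blog post with stray whitespace or upper-case hex still matches. Extending the table to SHA-256 or to a vendor feed is a matter of adding entries; the scanning logic does not change.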

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC
kudos:18

siljaline to Cudni

Premium Member

From the ESET Threat Blog: TDL4 revisited

Link Logger
MVM
join:2001-03-29
Calgary, AB
kudos:3
·TELUS

Link Logger to Cudni

MVM

In the game of cat and mouse, the cat always has the advantage as all they have to do is react, so malware authors always have the advantage. The game goes on. Sometimes I think of it like the battle between Jack Sparrow and Captain Barbossa (and might I say Geoffrey Rush is magnificent as Captain Barbossa):

Barbossa: So what now, Jack Sparrow? Are we to be two immortals locked in an epic battle until Judgment Day and trumpets sound?

Jack Sparrow: Or you could surrender.

»www.youtube.com/watch?v= ··· SbQtax2s
Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

DrStrange
Technically feasible
Premium Member
join:2001-07-23
West Hartford, CT
kudos:1

DrStrange to Cudni

Premium Member

I had the dubious pleasure of removing this from an old HP desktop Friday evening.

Since none of the standard rootkit removers would touch it, I had to killbox atapi.sys and re-install it from the recovery console.

After that, the standard tools found and removed the rest of the garbage.
your moderator at work

Triple Helix
Troll Hunter
Premium Member
join:2007-07-26
Oshawa, ON
kudos:7
·Rogers Hi-Speed

Triple Helix to Cudni

Premium Member


Re: TDL4 rootkit is coming back stronger than before

Hitman Pro Blog: Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. »hitmanpro.wordpress.com/ ··· ability/

TH