Unseen, Posted December 30, 2010 (edited):
Hey guys, so came across something very nasty today. Had to do a virus removal today; on my run of ComboFix it came up as a "rootkit detected" and gave me a path to the rootkit etc. This rootkit is called "TDL 3", short for total data loss 3. When you attempt to open the path to this rootkit it WILL blue screen your system. If you attempt to boot into safe mode without it enabled it WILL blue screen your system. After running ComboFix, removing and restarting, it was still there.

"TDL3 is the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include:
• Google redirection.
• Slowness of the computer and poor performance.
• BSODs that occur immediately after the XP splash screen appears.
• Infected atapi.sys and iastor.sys.
Here is a little more information." http://virusvn.com/download/video-tutorial/tdl3_analysis_paper.pdf

This virus has just emerged in the "wild" and at this point even has virus removal companies stumped. It is smart, as it hides itself within your win32 drivers directory; when it is detected it shuts everything down and re-hides itself, and a BSOD will appear, usually with an error pointing to "sptd.sys". So just a heads up: the only known fix as of right now is data backup and a format/reload of the OS.
Chuckun, Posted December 30, 2010:
I had this years ago actually.. Except mine was disguised as cvshost.exe.. So in taskmgr it looked like a Windows component.. but running HijackThis revealed that it was in /windows/system32/dj48gh48/ or something.. Anyway, a simple CMD @ startup worked for me: del C:\WINDOWS\System32\dj48gh48\cvshost.exe /f (forcing the delete with the /f).
Unseen (author), Posted December 30, 2010:
> I had this years ago actually.. Except mine was disguised as cvshost.exe.. So in taskmgr it looked like a Windows component.. but running HijackThis revealed that it was in /windows/system32/dj48gh48/ or something.. Anyway, a simple CMD @ startup worked for me: del C:\WINDOWS\System32\dj48gh48\cvshost.exe /f (forcing the delete with the /f).
Sadly there is no way this time around, it will BSOD.. We've tried everything we could to get this thing off, but we ended up booting into Linux and pulling the data off.
Chuckun, Posted December 30, 2010:
> Sadly there is no way this time around, it will BSOD.. We've tried everything we could to get this thing off, but we ended up booting into Linux and pulling the data off.
There's always a way >.< Just a matter of time until someone figures it out.. every function a program uses, you can also use. It's probably installed as a driver.. so.. Boot > F8 > Safe Mode No Drivers & CMD Prompt > Sorted
Unseen (author), Posted December 30, 2010:
That I haven't tried, but... hrmm BRB!
Unseen (author), Posted December 30, 2010:
> That I haven't tried, but... hrmm BRB!
BSOD :/
SkyeDarkhawk, Posted December 30, 2010:
Still have the OS CD for the system? Or even the i386 folder of the original system drivers? Use the built-in Windows utility SFC.exe (System File Checker). This will check all current system files for integrity, and if it finds any that are the wrong version, the wrong file size, or have a bad checksum, it will prompt for the original OS CD (or, with a registry edit, the i386 folder) so it can replace the problem files with correct ones.
Chuckun, Posted December 30, 2010:
Do you have a Windows DOS disc? If you do, boot DOS and use the command I posted to delete the file; it cannot BSOD then, as the OS hasn't been loaded.
Unseen (author), Posted December 30, 2010:
I don't seem to see one lying around my shop.. Do you have a website you could point me towards?
> Still have the OS CD for the system? Or even the i386 folder of the original system drivers? Use the built-in Windows utility SFC.exe (System File Checker). This will check all current system files for integrity, and if it finds any that are the wrong version, the wrong file size, or have a bad checksum, it will prompt for the original OS CD (or, with a registry edit, the i386 folder) so it can replace the problem files with correct ones.
Like I said before, any attempt to modify, replace.. delete causes an immediate BSOD. It is a NASTY rootkit..
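The thread's two workable ideas, comparing the system's driver files against known-good copies (the SFC suggestion) and doing it from another boot so the rootkit cannot hide the change or BSOD the box (the Linux boot that got the data off), combine into a read-only offline integrity check. The Python below is an added example written for this thread; it is not code from any poster or from SFC. It assumes a clean driver set is reachable (for instance an i386 folder from install media) and that the infected disk is mounted from a separate OS; the two mount paths are assumptions, and the sample driver images, including the "patched in place, same size" atapi.sys case, are constructed for the demonstration. It goes slightly beyond the two drivers the thread names by baselining every .sys file in the clean directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical locations for a real job (assumptions, not from the thread):
# the install media's driver copies, and the sick disk mounted read-only
# from a separate boot (a Linux live CD, Hiren's BootCD, or similar).
CLEAN_DRIVERS_DIR = Path("/mnt/install_media/i386")
SUSPECT_DRIVERS_DIR = Path("/mnt/sick/WINDOWS/system32/drivers")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(clean_dir: Path) -> dict:
    """Record size and SHA-256 of every known-good .sys file in clean_dir."""
    baseline = {}
    for p in sorted(clean_dir.glob("*.sys")):
        baseline[p.name.lower()] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def check_drivers(suspect_dir: Path, baseline: dict) -> dict:
    """Compare each baselined driver against its copy on the offline disk.

    Returns a name -> verdict map. A same-size hash mismatch is the case to
    look hardest at: a driver patched in place keeps its size, and the
    running OS would hide the change, which is why this runs from another boot.
    """
    # Index the suspect directory case-insensitively: NTFS names may show up
    # as ATAPI.SYS when the volume is mounted from a case-sensitive OS.
    present = {p.name.lower(): p for p in suspect_dir.iterdir() if p.is_file()}
    verdicts = {}
    for name, expected in baseline.items():
        candidate = present.get(name)
        if candidate is None:
            verdicts[name] = "missing"
            continue
        if candidate.stat().st_size != expected["size"]:
            verdicts[name] = "size mismatch"
        elif sha256_of(candidate) != expected["sha256"]:
            verdicts[name] = "hash mismatch (same size)"
        else:
            verdicts[name] = "ok"
    return verdicts


def demo() -> dict:
    """Constructed sample: two clean drivers; one is altered on the suspect disk."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "i386"
        suspect = Path(tmp) / "drivers"
        clean.mkdir()
        suspect.mkdir()
        good = b"MZ" + b"\x00" * 4094  # constructed stand-in for a driver image
        (clean / "atapi.sys").write_bytes(good)
        (clean / "iastor.sys").write_bytes(good)
        # Same length, last bytes changed: invisible to a size-only check.
        (suspect / "ATAPI.SYS").write_bytes(good[:-8] + b"\xde\xad\xbe\xef" * 2)
        (suspect / "iastor.sys").write_bytes(good)
        return check_drivers(suspect, build_baseline(clean))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On a real disk, run `check_drivers(SUSPECT_DRIVERS_DIR, build_baseline(CLEAN_DRIVERS_DIR))` after mounting the volume read-only; the point is to read, not to delete or replace anything while the infected OS is down, so no write ever touches the suspect files.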
SkyeDarkhawk, Posted December 30, 2010:
According to BleepingComputer, grabbing TDSSKiller and renaming it to some random .com file will bypass detections and allow the repairs to take place on restart, and then treating it as a regular infection after that with Malwarebytes and other tools. You might want to check with Autoruns for any hidden shells or outside ControlSets.
Chuckun, Posted December 30, 2010:
> I don't seem to see one lying around my shop.. Do you have a website you could point me towards?
Hmm, well, looking around it seems the latest DOS boot disks you can get are for XP.. I guess with the whole 'recovery CD' thing since Vista, there's no call for it - but I've never used those CDs =/ Are they the same (anyone know?)?
Unseen (author), Posted December 30, 2010 (edited):
I am going to give that a try, yet I have not seen a rootkit like this before. Usually I can get by with rkill and ComboFix, bam, done! I have something I can try; it's called Hiren's BootCD, http://www.hiren.info/pages/bootcd. This boot CD has EVERYTHING you need. I'm going to see what I can do DOS-wise, but it's seeming right now that the easy path is going to be data backup and format/reload. Ugh, and a 2nd and 3rd computer have just come in with it.
Aigle, Posted January 6, 2011:
LOL, this is cool, I tried that rootkit just after December 26 on a VM. I usually do this to learn how rootkits and viruses attack a system. I tried different ways to remove that thing. It was logged in something near *.sys. Those are loaded with the system, so I couldn't do anything with my workstation itself. This is the base of rootkits. Once a system has some suspicious things happening, just forget about the system and boot another system. A little Linux could work, but I suggest BackTrack Linux. It's really cool for intrusion detection. Anyway, it took me a while to figure it out. After that, I tried to install a couple of antivirus products to see if they work well. Norton 360 detected it, but wasn't able to remove it. Kaspersky was actually able to remove it after installing a plugin... Malwarebytes was able to remove part of it, everything in the registry that it created and some random files it downloaded. If you really want to have fun, create a VM with Windows XP all patched up, install Wireshark, make a snapshot and install that rootkit. It's really funny how much personal information it can send. Another funny thing is looking at Procmon. It uses IE like crazy. I couldn't figure out what IE exploit it uses. However, some of them have been released by Michal Zalewski with the fuzz testing tool. He thinks that China has already known about those browser exploits for a while. I don't remember the IP the bot was sending the info to. It would have been funny to see if it was going there. Anyway, you have a lot of stuff available to have fun with: Trojans, viruses, botnets, rootkits, ... If you have any info, just let us know here! I'm always up for a good fight with rootkits.
JohnWayne, Posted July 10, 2011:
Upgrade to the latest TDL:
Around 4.5 million computers have been caught in a botnet that some experts are calling as good as indestructible. Others, however, say that's an exaggeration. The botnet in question is named TDL-4. In many senses, it's like any other botnet: once a computer becomes infected with malicious software, it is controlled remotely and used for nefarious purposes. Many times the zombie PCs in a botnet (also known as a "botnet army") are used to send bogus page requests to websites in an attempt to knock them offline, referred to as a "denial of service attack", or "DDoS attack". Such attacks have successfully knocked out big name tech websites, including Mastercard, Twitter, Facebook, and others in the past. (Source: business-standard.com)