!!!TDL 3 ROOT KIT!!!!

[Unseen]

Hey guys, so came across something very nasty today.

Had a to do a virus removal today, on my run of combo fix it came up as a "root kit detected" so anyways gave me a path to the root kit etc..

 

This root kit is called "TDL 3" short for total data loss 3.

When you attempt to open the path to this root kit it WILL blue screen your system.

If you attempt to boot into safe mode with out it enabled it WILL blue screen you system.

 

After running combo fix, removing and restarting it was still there.

 

 

"TDL3 is the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptons/signs of this infection include:

•Google redirection.

 

•Slowness of the computer and poor performance.

 

•BSODs that occur immediately after XP splash screen appears.

 

•infected atapi.sys and iastor.sys.

 

Here is a little more information."

 

http://virusvn.com/download/video-tutorial/tdl3_analysis_paper.pdf

 

 

 

This virus has just emerged in the "wild" and at this point even has virus removal companies stumped.

 

It is smart as it hides it self within your win32 drivers directory, when it is detected it shuts everything down and re-hides it self a BSOD will appear usually with an error pointing to "sptd.sys".

 

So just a heads up, the only known fix as of right now is data back up and format reload of the OS.

Edited December 30, 2010 by Unseen

[Chuckun]

I had this years ago actually.. Except mine was disguised as cvshost.exe.. So in taskmgr it looked like a win component.. but running hijackthis revealed that it was in /windows/system32/dj48gh48/ or something..

 

Anyway, a simple CMD @ startup worked for me:

 

del C:\WINDOWS\System32\dj48gh48\cvshost.exe /f worked. (forcing delete with the /f)

[Unseen]

I had this years ago actually.. Except mine was disguised as cvshost.exe.. So in taskmgr it looked like a win component.. but running hijackthis revealed that it was in /windows/system32/dj48gh48/ or something..

 

Anyway, a simple CMD @ startup worked for me:

 

del C:\WINDOWS\System32\dj48gh48\cvshost.exe /f worked. (forcing delete with the /f)

 

Sadly there is no way this time around, it will BSOD..

 

We've tried everything we could to get this thing off but we ended up booting into linux and pulling the data off.

[Chuckun]

Sadly there is no way this time around, it will BSOD..

 

We've tried everything we could to get this thing off but we ended up booting into linux and pulling the data off.

 

There's always a way >.< Just a matter of time until someone figures it out.. every function a program uses, you can also use.

 

it's probably installed as a driver.. so.. Boot > F8 > Safe Mode No Drivers & CMD Prompt > Sorted

[Unseen]

That I haven't tried, but... hrmm

BRB!

[Unseen]

That I haven't tried, but... hrmm

BRB!

 

BSOD :/

[SkyeDarkhawk]

Still have the OS CD for the system? Or even the i386 folder of the original system drivers?

Use the built in Windows utility: SFC.exe (System File Checker). This will check all current system files for integrity, and if it finds any that are the wrong version, wrong file size, or have a bad checksum, it will prompt for the original OS CD (or with a registry edit, the i386 folder) so it can replace the problem files with correct ones.

[Chuckun]

Do you have a windows DOS disc?

 

If you do, boot DOS and use the command I posted to delete the file it cannot BSOD then as the OS hasnt been loaded

[Unseen]

I don't seem to see one lying around my shop..

Do you have a website you could point me towards?

 

Still have the OS CD for the system? Or even the i386 folder of the original system drivers?

Use the built in Windows utility: SFC.exe (System File Checker). This will check all current system files for integrity, and if it finds any that are the wrong version, wrong file size, or have a bad checksum, it will prompt for the original OS CD (or with a registry edit, the i386 folder) so it can replace the problem files with correct ones.

 

Like I said before, any attempt to modify, replace.. delete causing immediate BSOD.

It is a NASTY root kit..

[SkyeDarkhawk]

According to BleepingComputer, grabbing the TDSSKiller and renaming it to some random .com file will bypass detections and allow the repairs to take place on restart, and then treating it as a regular infection after that with Malwarebytes and other tools.

 

You might want to check with Autoruns for any hidden shells or outside ControlSets.

[Chuckun]

I don't seem to see one lying around my shop..

Do you have a website you could point me towards?

 

Hmm well looking around it seems the latest DOS BootDisks you can get is for XP.. I guess with the whole 'recovery CD' thing since vista, there's no call for it - but i've never used those CDs =/ Are they the same (anyone know?)?

[Unseen]

I am going to give that a try, yet I have not seen a root kit like this before.

Usually I can get by with rkill and combo fix bam done!

 

I have something I can try, its called hirens boot cd, http://www.hiren.info/pages/bootcd.

 

This boot cd has EVERYTHING you need, i'm going to see what I can do DOS wise, but its seeming right now that the easy path is going to be data backup and format reload.

 

ugh, and a 2nd/3rd computer have just come in with it.

Edited December 30, 2010 by Unseen

[Aigle]

LOL, this is cool, I tried that root kit just after December 26 on a VM. I usually do this to learn how the root kits and virus attack a system. I tried different ways to remove that thing. It was logged in something near *.sys. Those are loaded with the system so I couldn't do anything with my workstation itself. This is the base of root kits. Once a system has some suspicious things happening, just forget about the system and boot another system. A little linux could work, but I suggest you BackTract Linux.

 

It's really cool for intrusion detection. Anyway, it took me a while to figure it out. After that, I tried to install a couple antivirus to see if they works well. Norton 360 detected it, but wasn't able to remove it. Kaspersky was actually able to remove it after installing a plugging... Malwarebytes was able to remove part of it, everything in the registry that it created and some random files it downloaded.

 

If you really want to have fun, create a VM with Windows XP all patched up, install Wireshark, make a snapshot and install that root kit. It's really funny how much personal information it can send. Another funny thing is looking at Procmon. It use IE like crazy. I couldn't figure out what exploit of IE it uses. However some of them has been released by Michael Zalewski with the Fuzz Testing tool. He thinks that China already knew about those exploits on the browser since a while. I don't remember the IP the bot was sending the info to. It would of been funny to see it was going there.

 

Anyway, you have a lot of stuff available to have fun with Trojan, Virus, Botnets, root kits, ...

If you have any info, just let us know here! I'm always up for a good fight with root kits

 

 

[JohnWayne]

upgrade to the latest TDL

 

Around 4.5 million computers have been caught in a botnet that some experts are calling as good as indestructible. Others, however, say that's an exaggeration.

 

The botnet in question is named the TDL-4. In many senses, it's like any other botnet: once a computer becomes infected with malicious software, it is now controlled by remote and used for nefarious purposes.

 

Many times the zombie PCs in a botnet (also known as a "botnet army") are used to send bogus page requests to websites in an attempt to knock them offline --; referred to as a "denial of service attack", or "DDoS attack". Such attacks have successfully knocked out big name tech websites, including Mastercard, Twitter, Facebook, and others in the past.

(Source: business-standard.com)