Hitman Pro silences TDL3 rootkit ..........

Hi malware fighters,

“The Alurion or TDL3 rootkit is causing great problems for almost all av scanners”,
according to the maker of Hitman Pro.
See: http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html
The Hitman Pro 3 malware scanner is able to recognize mentioned malicious software,
and also capable to remove it.
Recently also PreVX warned against this rootkit, that is spreading like hayfire through the Internet.
Re: http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

“The malcreants that made TDL3 use very advanced methods to circumvent av detection”,
according to Dutch developer, Mark Loman.
“The rootkit will lift on the back of a standard driver which may seriously complicate detection.”

The first variant of this rootkit, also known as Alureon,
appeared in the summer of the previous year and is still missed by numerous av solutions.
Last summer a second variant of the malware appeared,
while during November a third variant emerged.

TDL3 will register itself as a print processor.
The printer subsystem (spoolsv.exe), that has system rights,
will load this Print Processor accordingly.

TDL3 will go unnoticed

AV solution that also will monitor process behavior won’t flag these activities,
because the printer subsystem forms a trusted part of Windows.
As print processor TDL3 will now own full systemrights to infect the lowest system driver,
responsible for communication with the hard disk.

Whenever av solutions will chec on this driver, they will be presented with the original file,
so infection will go unnoticed.
Furthermore TDL3 will place an encrypted file system on the last sectors of the hard disk
on top of the existing traditional file system.
This encryption will make that these files can not be directly read from disk,
making detection by av solutions almost impossible.
The encryption file system comes in handy to download all sorts of further malware unto it
that come in from the Internet.

Other malcreants will cooperate with the makers of TDL3 to hide their malcreations in this way.
According to Surfright, the presenter of Hitman Pro,
the number of av solution that can detect a TDL3 at the moment is very limited.
“And the av solutions that can really remove it are almost zero.”

Hitman Pro 3 is able to scan machines from a pendrive, USB stick,CD/DVD, local hard drive or network disk
within a couple of minutes.
It can also be used as an addition to your existing av solution.
Scanning with it is free, so the effectivity of your current av solution can be verified also.
The 5MB anti-virus program can be downloaded from here: http://www.surfright.nl/en/downloads

Enjoy,

polonus

I loved the game ;D

The first variant of this rootkit, also known as Alureon

Am I right in saying that this is the same as TDSS?

Recently also PreVX warned against this rootkit, that is spreading like hayfire through the Internet. Re: http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
Is it the same, or a successor? I never get all the different names... ::)

Film weren’t too bad either… :wink:

It is the heir apparent to TDSS and the files that it will piggyback on to date are :

eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys

With more being found daily. They can be detected by use of the MD5, against this HJT is not worth the download time as it will not show it

GMER will find the hook on the MBR but it will not be able to say whether it is CD emulation (Alcohol) or Virus

So a deep analysis tool will need to be run first to determine how to attack it

My 2p

Hi essexboy,

Thanks for the latest info on this. This might encourage users to make a MD5 profile of the files on their system at a stage where it is known to be non-compromised with MD5 Checksum Verifier 3.4 or check with against earlier checksum data of these system files.
As far as protection we discourage users against downloading so-called cracks or key-gens. These are known to be the major attack vector of this rootkit infection,

polonus

I’ve used PGP in the past for this, signing hundreds of system files, can’t tell if that was really useful… the free part of the program should still allow to do it. MD5 checking is of course a good method too, I like ExactFile…the only problem is, as reliable as such methods are, they suppose the user to check again and again, and most of us will just forget to do it or think it’s not that needed…anyway, a HIPS like Comodo Def+ might be more appropriate :wink: