TDL4 Rootkit Bypasses Windows Code-Signing Protection

tcsenter

Lifer
I just cleaned an XP system (laptop) with the previous version of DOS/Alureon.A rootkit/trojan that infects the MBR. Nothing would clean it, not MSSE, Norton, or MBAM. I deleted all partitions from inside Disk Management, created a new partition and formatted it (using the long format in Windows Vista) - twice. I booted using a Vista install CD and tried deleting the partitions, recreating then formatting. Hell, I even put the disk into an external enclosure so that the MBR wouldn't get loaded/hooked during boot, and tried everything again. It was still being detected!

I finally got rid of it by creating a bootable CD and running Hitachi's hard disk diagnostic utility that contains a full zero write and MBR erase feature. Nasty shit.
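The post above is a good illustration of why repartitioning and formatting did not help: the MBR is sector 0 of the disk, its boot code occupies bytes 0-439, and the partition table occupies bytes 446-509. Deleting and recreating partitions rewrites the table; the boot code region is left alone. The following is an added example (not code from the thread or from any of the tools mentioned in it) that parses a 512-byte MBR sector, hashes the boot code, and compares both the boot code and the partition table against a baseline captured when the disk was known-good. The sectors and the "stock" boot stub it builds are constructed sample data; on a real machine the 512 bytes would come from the first sector of a disk image or from a sector read of the physical drive.

```python
"""Parse a 512-byte MBR sector and compare it with a known-good baseline.

Added example for the thread above, not part of it. The boot code lives in
bytes 0-439 of sector 0 and the partition table in bytes 446-509, so a
partitioning tool that rewrites the table leaves the boot code untouched.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # x86 boot code region (bytes 0-439)
DISK_SIG_OFFSET = 440         # 4-byte disk signature (bytes 440-443)
PART_TABLE_OFFSET = 446       # four 16-byte partition entries (bytes 446-509)
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR sector (sample data, not read from a real disk).

    partitions: list of up to four (bootable, type_byte, lba_start, sectors).
    """
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x11\x22\x33\x44"  # constructed signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * 16
        # CHS fields are left zero; modern loaders use the LBA fields.
        sector[off:off + 16] = struct.pack(
            PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline):
    """Compare a sector with a baseline parsed from the same disk while it was known-good.

    Returns a list of finding strings; an empty list means nothing changed.
    """
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    known = {(p["type"], p["lba_start"], p["sectors"]) for p in baseline["partitions"]}
    for p in current["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if (p["type"], p["lba_start"], p["sectors"]) not in known:
            findings.append(f"entry {p['index']}: partition not in baseline "
                            f"(type 0x{p['type']:02x}, LBA {p['lba_start']}, {p['sectors']} sectors)")
    # Overlapping extents are never produced by a normal partitioning tool.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in current["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at LBA {start_b}")
    return findings


# Constructed sample: a stock-looking boot stub (xor ax,ax / mov ss,ax / mov sp,7C00h)
# padded with NOPs, and a single NTFS partition.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 409_600)])
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed "tampered" sector: the first boot-code bytes are replaced by a jump
# and an extra, unlisted partition entry appears at the end of the disk.
TAMPERED_BOOT_CODE = b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:]
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE,
                         [(True, 0x07, 2048, 409_600), (False, 0x07, 411_648, 16_384)])

# Constructed "reformatted" sector: the partition table was rewritten by a
# partitioning tool, but the modified boot code is still there.
REFORMATTED_MBR = build_mbr(TAMPERED_BOOT_CODE, [(True, 0x07, 2048, 409_600)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                      ("reformatted", REFORMATTED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "no findings")
```

The useful part is the third case: after the "format", the partition table matches the baseline again, but the boot-code hash still differs, which is exactly the situation the post describes. A full zero-write of the drive, as the post ends up doing, clears the boot code region along with everything else.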

mechBgon

Super Moderator, Elite Member
tcsenter said:
> I just cleaned an XP system (laptop) with the previous version of DOS/Alureon.A rootkit/trojan that infects the MBR. Nothing would clean it, not MSSE, Norton, or MBAM. I deleted all partitions from inside Disk Management, created a new partition and formatted it (using the long format in Windows Vista) - twice. I booted using a Vista install CD and tried deleting the partitions, recreating then formatting. Hell, I even put the disk into an external enclosure so that the MBR wouldn't get loaded/hooked during boot, and tried everything again. It was still being detected!
>
> I finally got rid of it by creating a bootable CD and running Hitachi's hard disk diagnostic utility that contains a full zero write and MBR erase feature. Nasty shit.

And people wonder why I suggest DBAN as a pre-reinstallation precaution... :sneaky:

Oh, and obligatory disclaimer to any readers who decide to use DBAN: disconnect all hard drives, flash drives, etc except the ones you want nuked. Srsly.

heymrdj

Diamond Member
We've been battling a lot of TDL3; I wrote an article on it a few months ago. Normally a FIXBOOT and FIXMBR will clear it; the downfall is that for a lot of Vista-age systems (and XP, of course) it wipes out the ability to get to a recovery partition. It's a hunter, doesn't come in on links or email, and very, very few virus scanners can detect it or try to stop it. Hitman Pro is the best detector and eliminator of it, though it can't destroy the bootkit version of it, only the rootkit version; the MBR gets reinfected when it tries.

it's a bitch.

airdata

Diamond Member
heymrdj said:
> Hitman Pro is the best detector and eliminator ..

Thanks... I hadn't heard of hitman pro. I got it yesterday and used it on 1 previously infected offline system and 2 others !!!!

I'd previously used Vipre and MBAM and didn't have any luck.

regnow

Junior Member
Hi guys. This is very alarming to me. What kind of programs are you using to detect these kind of rootkits? I want to scan my computers to be safe.

Thanks!

alkemyst

No Lifer
TDSSKiller from Kaspersky has been effective in finding and cleaning this.

Combofix sometimes reports it in the logs, but will not clean.

Also one of the things I have begun having to do is to run RKILL prior to MBAM.

The Virii are getting better written.

tcsenter

Lifer
I actually tried TDSSKiller and one other (I forget which) infection-specific cleaner on the aforementioned case, and it didn't work. These cleaners don't work on the bootkit variants (it's even in the readme notes for one of the cleaners).

Pr0d1gy

Diamond Member
I've recently run into a nasty little bug myself, probably the same thing. ComboFix didn't find anything and failed to create a log every time I ran it, and TDSS found a virus in regedit.exe within 15 seconds but failed to be able to remove it every time. I will probably have to run a boot disk to save this PC, which I absolutely must do. I wish a full format/fresh reinstall would fix these issues.

It's just hard to believe people that have such useful skills would waste so much time writing these garbage programs. It's like a doctor poisoning all his patients dude, just not smart.

Lanyap

Elite Member
I am working on an XP desktop now with DOS/Alureon.A. It allowed HDD Doctor fake HD diagnostic to install. Still working on the cleanup. Either it or something else disabled almost all of the Windows services. I had to search for a .reg file that would set all of them back to their default status.

Found an interesting activity. A known malicious computer is connecting to this desktop every hour and dropping a .js file into NetworkServices user temp directory which it then executes and dynamically builds a virus randomly named .exe. Norton NIS2011 catches it and deletes it before it can execute. I know I can block it but I want to figure out what it is.