TDSS TDL4, it continues to evolve

Modelworks

I had to work on a PC today that had this malware and damn it was a pain to track down. I spent about 6 hours trying to just find the malware.

AV software didn't find anything wrong, but the browser was being redirected and the registry editor was blocked; searching the files, I couldn't find anything that was a problem.
The first thing I did was try to reverse engineer the program that infected the PC. I found it by looking at the time when the problem started. That was the first obstacle: they encrypted the malware so that it couldn't be disassembled. Basically it was a bunch of code that loaded at execution time in its own protected area of memory with a private decryption key.

Next I ran procmon and traced what it was accessing. It did some pretty amazing things.
First it checked for a 32 or 64 bit OS and searched through all the system file versions.
Then it began to change registry settings without needing admin approval. That really surprised me and it seems to be doing something new here.
Next it defeated Windows PatchGuard protection, patched the system DLL files and replaced itself with the legit version. After that it began inserting itself into the hard drive controller drivers.
After gaining access it wrote itself to the MBR of the drive and proceeded to write files at the end of the drive that would be its own private storage area with an encrypted file system. Next it deleted itself from the normal Windows file system and killed its own processes. A user now running virus detection software would find nothing. On reboot the malware loads code from the MBR that takes control of the drivers and allows it to execute without the OS even knowing it exists. From there it is free to do whatever it likes. When anything running on the system tries to find the malware, the malware intercepts the call and tells the anti-malware that all is normal.

The system infected was Windows 7 SP1 x64.
There is a good analysis of the malware TDL4 here:
http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4

The difference between that version and the one I encountered today is that this one installed without needing admin rights. I can't determine how, but it seems to be using buffer overflows and policy management. The section of code is encrypted but I sent it anyway to MS and Kaspersky so maybe they can determine how this is being done.
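Added example (not part of the post or the linked Securelist analysis): a Python sketch of the two checks the description above points to, hashing the MBR boot code against a recorded baseline and measuring how much of the disk lies past the last partition table entry. The MBR bytes, the baseline hash and the disk size are constructed inline; on a real system they would come from the physical device.

```python
import hashlib
import struct

SECTOR = 512  # bytes per logical sector assumed for this sample

def parse_mbr(mbr: bytes):
    """Split a 512-byte MBR into its boot code and the non-empty partition
    entries, each as (status, type, lba_start, sector_count)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append((status, ptype, lba_start, count))
    return mbr[:446], parts

def boot_code_changed(mbr: bytes, known_good_sha256: str) -> bool:
    """True if the first 446 bytes no longer match the recorded baseline hash."""
    boot_code, _ = parse_mbr(mbr)
    return hashlib.sha256(boot_code).hexdigest() != known_good_sha256

def unallocated_tail_sectors(mbr: bytes, disk_sectors: int) -> int:
    """Sectors past the end of the last partition; a large tail on a disk that
    should be fully partitioned is worth imaging and inspecting."""
    _, parts = parse_mbr(mbr)
    last_end = max((start + count for _, _, start, count in parts), default=0)
    return max(disk_sectors - last_end, 0)

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sample MBR (constructed test data, not read from a disk)."""
    sector = bytearray(boot_code.ljust(446, b"\x00"))
    for status, ptype, lba_start, count in partitions:
        sector += bytes([status, 0, 0, 0, ptype, 0, 0, 0])
        sector += struct.pack("<II", lba_start, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    return bytes(sector + b"\x55\xAA")

# Constructed sample: one NTFS-type (0x07) partition of 200000 sectors starting
# at LBA 2048 on a 204800-sector disk, with placeholder boot code bytes.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16
BASELINE = hashlib.sha256(CLEAN_BOOT.ljust(446, b"\x00")).hexdigest()
CLEAN_MBR = build_mbr(CLEAN_BOOT, [(0x80, 0x07, 2048, 200000)])
# Same partition table, different boot code: what a baseline comparison flags.
TAMPERED_MBR = build_mbr(b"\xEA" * 8, [(0x80, 0x07, 2048, 200000)])
```

Some slack after the last partition is normal (alignment, a few MiB); the point is to compare the tail size against what the partitioning should leave and to record the boot code hash while the machine is known clean.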