Tag Archives: TDSS

TDL3 and ZeroAccess: More of the Same?

Posted on by

By Marco Giuliani

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

In our previous technical analysis of the ZeroAccess rootkit, we highlighted how it acts as a framework by infecting the machine — setting up its own private space in the disk, first through a dedicated file system on the disk, and more recently by using a hidden and locked directory. This is where the rootkit stores the modules it downloads from the command and control servers. Until now, the plugins we’ve monitored have been ad-clickers and search engine hijackers.

We have also noted how the ZeroAccess rootkit acts very similar to the TDL3 rootkit, either by infecting a random system driver, using its own file system to store its plugins or by filtering the disk I/O by analysing the SCSI packets – though in a pretty different way. It’s more effective in the TDL3 rootkit and less effective in the ZeroAccess rootkit, however ZeroAccess has many more self-protection mechanisms in place.

While analyzing the ZeroAccess rootkit, I’ve always had the feeling it was inspired by the TDL3 rootkit. But while looking at the latest updates of it I’ve found something pretty interesting: The ZeroAccess team is looking at TDL rootkit as an enemy that needs to be defeated. The questions remains, is there a link between the two rootkits? We suspect the answer is yes.

Continue reading

Removing Popureb Doesn’t Require a Windows Reinstall

Posted on by

By Marco Giuliani

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Last Wednesday, Microsoft published a blog post detailing a significant update to a piece of malware named Popureb. The malware adds code to the Master Boot Record, or MBR, a region of the hard disk that’s read by the PC during bootup, long before the operating system has had a chance to get started. Researchers sometimes refer to these kinds of malware as bootkits, or a rootkit which loads at such a low level during the boot process that it is invisible to the operating system, and therefore very difficult to remove.

Microsoft researcher Chun Feng detailed some of the new features of Popureb.E, which includes a very low-level hook into the Windows driver responsible for disk writes and reads. When the driver on an infected system detects an attempt to write changes into the MBR — the kinds of changes a repair tool might try to make — it simply changes the command from write to read, effectively neutering any kind of tool running within Windows that might try to fix the infection.

(Update 2011-07-08: We’ve published a free command line tool that can remove Popureb.E from the master boot record of an infected computer.)

Microsoft’s initial cleanup guidance on Popureb.E was pretty drastic, and more than a little scary: Full removal of the bootkit requires a full reinstall of Windows, wiping out anything currently on the hard drive. We don’t think this is the case, and the Microsoft folks seem to have moderated their advice to include some manual fixes using the recovery console.

While the whole concept behind the Trojan is valid and technically powerful, the practical implementation of the malware is not as valid as the idea behind it. What follows is a fairly technical write-up that describes both the problem, and oneĀ  solution we’ve come up with.

Continue reading

Spammed Trojan Won’t Run Under Windows XP

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

While it is far from the first Trojan ever to simply fail to execute under Windows XP, it definitely caught our eye that a variant of Trojan-Downloader-Tacticlol distributed last week in a spam campaign only fully executed under Windows Vista or newer operating systems. It may have been just a fluke, but repeated tests with both a virtual machine and real hardware running Windows XP at various patch levels showed that the Trojan we received attached to a spam message simply quit when executed in an XP environment, but ran smoothly and did all its planned dirty work on a Windows Vista testbed.

The Trojan, which is capable of causing a devastating malware infection, drops a DLL with an odd name made up of random letters into the system32 folder, then registers the DLL so it loads the next time the computer boots up. After a reboot, it kicks into full swing, pulling down a variety of malware installers.

The spam message (we got a bunch of different variations, all with the same attachment) came from a variety of falsified return addresses. The message, with a subject of Statement of fees 2009/2010 contains an utterly incomprehensible body, which reads, in part: “The accomodation is dealt with by another section and I have passed your request on to them today.” It looks very similar to a message I get from the toll road authority here in Colorado that uses electronic toll collection. The real entity emails a statement every so often with an attached PDF, though the real toll road statement doesn’t appear to come from the domains “reclusivebillionaire.com” or “reelsolutions.com.” Nice try, sparky.

More interestingly, though, is the idea that this Trojan, which is so prevalent and widely distributed, may signal the start of a trend where malware authors begin turning away from XP as the dominant operating system they target.

Continue reading