Tag Archive | TDL4

Updated Details: Gozi Malware Back with More Money Stealing & Sophistication

It seems as if security firm, Trusteer, has identified a new variant of the Gozi financial malware. This one is more sophisticated and requires your attention. This new variant infects the Master Boot Record (MBR) on your computer — which is a boot sector software device that resides at the beginning of your hard drive that tells your computer how to boot up.

Just like TDL4, another MBR infector, this malware is hard to detect and remove. The main idea behind Gozi, though, is to wait for Internet Explorer to be launched on the victim’s machine, and malicious code is injected into the Process. This allows the malware to intercept web traffic, and inject its own code to webpages, misleading the user and collecting financial information (as well as social security numbers, birth dates, etc.).

Some speculate other developers have taken over, since apparently the main developer as well as accomplices were arrested not long ago. Looks like the new developers have a more sophisticated twist on the whole situation.

What’s different? The MBR rootkit component. This component makes the malware more sophisticated, because the removal of such threat can cause the computer to fail booting. The main problem at trying to fix infections in the MBR is that occasionally, the backup code that is placed in a different sector, is modified to not work when the infection locks in. This makes you have to keep it on the machine. However, it’s more effective to use private tools to help remove it.

One of the private tools, well sort of private, is the Kaspersky Rescue Disc. There are others that are available also, including TDSSKiller, which may or may not work out correctly.

If you need further help, we would love to assist. Please comment at any time!

ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, some know as Sirefef, has grown its command and control servers over the past year. Now, it has spanned all around the globe to infect up to 9 million PCs. It’s botnet started growing rapidly once it hit one million infections, and now has multiplied it by 9.

Like the new TDL4 variant, it can create its own hidden partition, which can be problematic for PC users, especially because it normally is unknown that a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two total botnets, each for a 32-bit and 64-bit version (totaling 4 botnets), and usually distributed by exploits.

Fast facts:

The latest versions seem to have no kernel mode components, therefore they do not infect drivers like previously did. It instead uses usermode components and drops their own GUID (CLSID) in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}
  • C:\RECYCLER\S-x-x-x\${RANDOM STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

For the ports that it uses for each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32 and 64 bit platforms.
  2. Post numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining

 


Get the review of Malwarebytes’ Anti-Malware

New TDL4 variant affecting government, ISPs, etc.

TDL4 is the newest type of the TDSS rootkit, which is a classic rootkit malware/virus that has been infecting computers and constructing a botnet since 2006. Now, with its new dangerous properties, it has the ability to sneak in to government agency computers, ISPs, and even popular companies. It uses stealthy properties and exploits to get itself installed, where it can hide itself in a different partition on the computer or create its own partition.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame,Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

Much of this information pulled from TechWorld.

 

One of the newer partition infections includes a dropper located at c:\windows\svchost.exe

 

Protect your computer from rootkits by the makers of TDSSKiller, Kaspersky Lab for only $59.95 (a $79.95 value):

 

Kaspersky Internet Security 2012

%d bloggers like this: