
TDL4 massive infection


6 replies to this topic

#1 crazypctech2010

Posted 15 December 2010 - 10:19 PM

Hello experts

I will forewarn you this is going to be the oddest request you have probably ever gotten... I work for multiple educational institutions supporting their PCs. We are getting hit left and right with the TDL4 rootkit in combination with Whitesmoke and other malware. The problem is I need to find some of the websites these are coming from and also develop a network-wide detection tool so that we can identify all of the infected computers, since it takes several days or weeks before symptoms become apparent; in the meantime this thing is hiding out.

I know how to remove the malware and rootkit. However, I need a few websites that I can purposely visit to purposely infect a test machine so that I can track changes to the system such as registry, files, folders etc. using Regshot and some other comparison programs I have. This way, if I can identify a registry key or something else unique that this thing creates, I can write a tool in VB.NET to go out onto our network and report back all of the infected PCs, seeing as how Symantec and eTrust are not doing their job. My boss has instructed me to find how we can block it at the firewall, find the most likely websites it is coming from, and create a tool to identify all of the infections on the network.

So what I need from you guys here (and you can PM me if you need to) is websites that are known to infect computers with the TDL4/TDSS/Alureon rootkit.

It's a tall order and I know generally these boards are for home users, but these are the only type of anti-malware boards available at all, so I have no place else to pose this question.

Thank You for your time.

#2 crazypctech2010


Posted 18 December 2010 - 02:35 PM

Is there no one that can help me?

#3 quietman7


Posted 20 December 2010 - 11:12 PM

The Virus, Trojan, Spyware, and Malware Removal Logs forum where you started this topic is used to post logs for analysis. However, you did not follow the required instructions and did not include a log, so your thread was moved to this forum.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved again. This means it will fall in line behind any others posted that same day.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#4 crazypctech2010


Posted 21 December 2010 - 10:05 PM

quietman7,

I do not believe you read my posting and are simply replying with a canned speech without reading everything I wrote. I clearly explained that I'm not looking to post log files and have my issue resolved; I know it is the TDL4 rootkit and I know how to remove it using tdsskiller.exe from Kaspersky. I was looking for a place where I could get the TDSS file from to purposely infect a test machine. I was also looking for known websites so I could create a blocklist at the router.

The reason being is I am attempting to see if I can make some sort of tool that searches all of the networked computers for the presence of this threat, since currently there is no tool that can do this and it is impossible for me to scan 1000 computers or more by hand using the tdsskiller.exe tool.

I did find a site which has copies of the tdss rootkit hxxp ://Kernelmode.info

Now I just need to figure out how to track the system changes.

Thanks anyways.

Edited by quietman7, 21 December 2010 - 10:41 PM.


#5 quietman7


Posted 21 December 2010 - 10:43 PM

Please do not post active links to malware or possible malware related sites. I have disabled the one(s) you posted so others do not accidentally click on them.

As I said, the Virus, Trojan, Spyware, and Malware Removal Logs forum where you started this topic is used to post logs for analysis. Since you posted there I thought you also needed help. Rather than leave you waiting for someone to reply as that forum is backlogged, I moved your topic here and provided instructions on the proper procedure.

In the process, it appears I did misread the part where you were asking about how to deliberately infect yourself.

How to get Malware/Virus/Trojans on your Home Windows computer

Also read "How Malware Spreads - How did I get infected", which explains the most common ways malware is contracted and spread, and identifies the types of sites where you can easily get infected by not following the advice to stay away.

#6 crazypctech2010


Posted 23 December 2010 - 09:38 AM

Sorry, I did not know where else to post to ask for help, since I did not need a log reviewed.
I have a ton of Wireshark logs of websites it is connecting to. Any idea who could help me identify these logs and websites?

#7 quietman7


Posted 23 December 2010 - 09:52 AM

Please clarify...if you don't need the logs reviewed, how can someone assist you with identifying what is in them?

Edited by quietman7, 23 December 2010 - 09:55 AM.
