Rootkit.TDSS


12 replies to this topic

#1 uByte
  • Members
  • 243 posts
  • Gender:Male
  • Location:FL

Posted 06 January 2011 - 12:08 PM

I repair computers for a living and I am seeing a huge increase in the amount of computers with Rootkit.TDSS. Is there anyone else seeing this? I mean this rootkit is hitting every MBR that it comes in contact with.

uByte

#2 Hert
  • Members
  • 23 posts

Posted 06 January 2011 - 03:28 PM

TDSSKiller.exe and everything is OK! :P

#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 January 2011 - 07:55 PM

TDL3/TDL4 (Alureon) is the third and fourth generation of the TDSS rootkit which hides itself on a system by infecting system files/drivers like atapi.sys, a common target because it loads early during the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder and the Master Boot Record (MBR). Common symptoms/signs of this infection include:

  • Google search results redirected as the malware modifies DNS query results.
  • Infected (patched/forged) files in the Windows drivers folder.
  • Infected Master Boot Record.
  • Slowness of the computer and poor performance.
  • Fake alerts indicating the computer is infected.
  • Internet Explorer opening on its own.
  • BSODs as described in this article.
For more specific analysis and explanation of the infection, please refer to:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
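The two on-disk symptoms listed above (a rewritten MBR and patched files in the drivers folder) can both be checked against a baseline recorded while the machine was known clean. The script below is an added example, not code from this thread or from TDSSKiller: it parses a 512-byte MBR image, hashes only the bootstrap code (the partition table changes legitimately), compares that hash with a saved baseline, and diffs a dictionary of driver-file hashes. All MBR bytes and driver hashes in it are constructed sample data; the baseline-hash input, the function names and the partition values (LBA 2048, type 0x07) are assumptions for illustration.

```python
"""Baseline check for a modified MBR and patched driver files.
Added example; not code from this thread or from any tool it mentions.
The MBR bytes and file hashes below are constructed sample data."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four classic partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_SIZE])
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap code; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr: bytes, known_good_bootstrap_sha256: str) -> dict:
    """Compare a 512-byte sector image against a baseline hash of its bootstrap code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = bootstrap_sha256(mbr)
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": digest,
        "bootstrap_matches_baseline": digest == known_good_bootstrap_sha256,
        "partitions": parse_partition_table(mbr),
    }


def diff_file_hashes(baseline: dict, current: dict) -> dict:
    """Report driver files whose hash changed, disappeared, or newly appeared."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


# --- constructed sample data (not a real MBR, not real driver hashes) ----------
def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Assemble a sector: padded bootstrap, one bootable type-0x07 entry, signature."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry0 + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90" + bytes(range(64)))
BASELINE_SHA256 = bootstrap_sha256(CLEAN_MBR)  # would be recorded while the machine was known clean

_tampered = bytearray(CLEAN_MBR)
_tampered[0x100:0x110] = b"\x90" * 16           # simulated overwrite inside the bootstrap area
TAMPERED_MBR = bytes(_tampered)

DRIVER_BASELINE = {"atapi.sys": "aaaa", "disk.sys": "bbbb"}  # placeholder hashes
DRIVER_CURRENT = {"atapi.sys": "cccc", "disk.sys": "bbbb"}   # atapi.sys differs


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(image, BASELINE_SHA256)
        print(name, "signature_ok=%s baseline_match=%s"
              % (r["signature_ok"], r["bootstrap_matches_baseline"]))
    print("driver diff:", diff_file_hashes(DRIVER_BASELINE, DRIVER_CURRENT))
```

On a real machine the sector would be read from the raw disk device with administrative rights; the important caveat is that a kernel rootkit which filters disk reads can hand back the original sector while the running system is infected, so the image and the driver hashes should be taken from the disk after booting clean media (which also matches the situation where Windows no longer boots at all).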

#4 uByte
  • Topic Starter
  • Members
  • 243 posts
  • Gender:Male
  • Location:FL

Posted 10 January 2011 - 03:06 PM

Thanks quietman7 for the post, I will check out those sites. I normally run TDSSKiller on it and it works 80% of the time, but lately I can't even boot into Windows to run it.

uByte

#5 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 January 2011 - 03:44 PM

You're welcome.

#6 Rob999
  • Members
  • 39 posts

Posted 11 January 2011 - 08:06 AM

I repair computers for a living and I am seeing a huge increase in the amount of computers with Rootkit.TDSS. Is there anyone else seeing this? I mean this rootkit is hitting every MBR that it comes in contact with.

uByte


Similar to you, I also repair PCs for a living, and have come across TDSS recently on at least two PCs since the new year - probably the cause of Combofix freezing(?) - anyway, will need to be watchful of this, as I see this as a development we need to be more aware of.

#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 January 2011 - 08:30 AM

Keep in mind that this particular malware (like others) is constantly evolving. Every time a fix tool is released the malware writers look for a work-around to defeat it.

#8 uByte
  • Topic Starter
  • Members
  • 243 posts
  • Gender:Male
  • Location:FL

Posted 11 January 2011 - 10:23 AM

Wow! Thanks once again for the links; they are very easy to read and full of great detail. I will have to remember this website, as I have often wondered how my customers get infected. I normally just tell them it is from drive-by download sites and LimeWire, but this gives me more information to tell them. Thanks once again.

uByte

#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 January 2011 - 12:10 PM

I have often wondered how my customers get infected.

How Malware Spreads - How did I get infected explains the most common ways malware is contracted and spread.

#10 uByte
  • Topic Starter
  • Members
  • 243 posts
  • Gender:Male
  • Location:FL

Posted 13 January 2011 - 05:50 PM

Now I think that you are just mocking me. :P

Thanks for the post!

#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 January 2011 - 08:26 PM

You're welcome.

What I really intended was for you to tell your customers to read that topic.

#12 uByte
  • Topic Starter
  • Members
  • 243 posts
  • Gender:Male
  • Location:FL

Posted 14 January 2011 - 10:21 AM

I know, and I appreciate that! I will pass it on. Thanks.

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 January 2011 - 10:29 AM

:thumbup2:
