TDSSKiller apparently detecting itself as a rootkit
#1 incognitus_2

Posted 11 January 2014 - 12:54 PM

Just a heads up, to potentially help others save some time:

After running TDSSKiller with the "modules" option enabled on Win 8.1 x64, it finds a rootkit both in the registry as a hidden service with a random 8-digit numerical name as well as a driver in c:\windows\system32\drivers\xxxxxxxx.sys (with each x being a random number). GMER and aswMBR find the same "rootkit", but only if run within a session that had TDSSKiller's "modules" switch active.

You can see the full description here: http://www.bleepingcomputer.com/forums/t/519538/gmer-aswmbr-tdsskiller-reporting-hidden-service-rootkit-what-now/

After finding the same "rootkit" on all of my PCs, I wiped one and reinstalled Windows from scratch, but found it "infected" straight away, which made me wonder whether this is a FP.

After reviewing the various logs I had collected until then, I noticed that when running TDSSKiller WITHOUT the "modules" switch (e.g. no reboot), the TDSSKiller log would include the following line:

18:13:23.0976 0x1230  KLMD registered as C:\Windows\system32\drivers\38850691.sys

This entry is completely missing when running TDSSKiller with "modules" switched on.

My conclusion is that TDSSKiller is detecting itself as a rootkit in this case (as do GMER / aswMBR).

Can someone confirm this behavior?

Best,

I.
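An added triage helper, written for this thread and not code from the post or from TDSSKiller's authors: it correlates the "KLMD registered as ..." line with any hidden-driver/service hits so a hit on the scanner's own driver is separated from everything else, and, when that line is absent (as the post reports for "modules" runs), marks 8-digit numeric names as unconfirmed. The "Detected object" line layout and the sample log are constructed assumptions, not TDSSKiller's real format.

```python
import re
from typing import Optional

# Constructed sample log. The first line copies the format quoted in the post;
# the "Detected object" lines are a hypothetical layout, not TDSSKiller's own.
SAMPLE_LOG = """\
18:13:23.0976 0x1230  KLMD registered as C:\\Windows\\system32\\drivers\\38850691.sys
18:13:40.0112 0x1230  Detected object: C:\\Windows\\system32\\drivers\\38850691.sys - hidden driver
18:13:40.0113 0x1230  Detected object: 38850691 - hidden service
18:13:41.0200 0x1230  Detected object: C:\\Windows\\system32\\drivers\\evilrk.sys - hidden driver
"""

KLMD_RE = re.compile(r"KLMD registered as \S*\\(?P<name>[^\\]+)\.sys", re.I)
DETECT_RE = re.compile(r"Detected object: (?P<obj>\S+) - (?P<kind>hidden (?:driver|service))", re.I)
RANDOM_NAME_RE = re.compile(r"^\d{8}$")  # the random 8-digit naming the post describes

def klmd_driver_name(log: str) -> Optional[str]:
    """Base name (without .sys) of the driver KLMD registered, or None if the line is absent."""
    for line in log.splitlines():
        m = KLMD_RE.search(line)
        if m:
            return m.group("name").lower()
    return None

def base_name(obj: str) -> str:
    """'C:\\...\\38850691.sys' -> '38850691'; a bare service name is returned unchanged."""
    name = obj.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".sys") else name

def triage(log: str) -> dict:
    """Sort hidden-driver/service hits into self-detections, unconfirmed, and other."""
    own = klmd_driver_name(log)
    out = {"klmd_driver": own, "self": [], "unconfirmed": [], "other": []}
    for line in log.splitlines():
        m = DETECT_RE.search(line)
        if not m:
            continue
        obj = m.group("obj")
        name = base_name(obj)
        if own is not None and name == own:
            out["self"].append(obj)          # same file KLMD registered: the scanner itself
        elif own is None and RANDOM_NAME_RE.match(name):
            out["unconfirmed"].append(obj)   # KLMD line missing: re-run without "modules" to confirm
        else:
            out["other"].append(obj)         # does not match the scanner's driver: investigate
    return out
```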
#2 B-boy/StyLe/

Posted 11 January 2014 - 01:31 PM

Hi,

I reported this to the developer and will let you know about the results.

Regards,

Georgi

#3 incognitus_2

Posted 11 January 2014 - 08:42 PM

Georgi,

many thanks!

Have you been able to replicate this issue yourself?

#4 B-boy/StyLe/

Posted 12 January 2014 - 06:40 AM

Hi,

I don't have a Windows 8 VirtualBox at the moment so I can't test it by myself.

Regards,

Georgi

#5 B-boy/StyLe/

Posted 28 January 2014 - 03:42 PM

Hi,

I am sorry about the delay but I have a reply from the developer today (he has been very busy the last few weeks) and he confirmed the issue. Here's what he said to me:

    I faced a similar problem. But it should have been fixed. I'll check it out.

Regards,

Georgi

#6 incognitus_2

Posted 28 January 2014 - 08:00 PM

Hey Georgi,

thanks for the update! Would be great if you could post the final outcome here when you hear back from the dev.

Best,

I.

#7 B-boy/StyLe/

Posted 29 January 2014 - 06:40 AM

Hi,

The fix will be included in the next build of TDSSKiller, planned to be released in the next week.

So there is nothing to worry about and your system isn't infected with a rootkit. :)

Regards,

Georgi

#8 incognitus_2

Posted 30 January 2014 - 07:52 PM

    Hi,

    The fix will be included in the next build of TDSSKiller planned to be released in the next week.

    So there is nothing to worry about and your system isn't infected with a rootkit. :)

    Regards,

    Georgi

Thanks Georgi,

very good to know, I can sleep better now :-)

I.

#9 B-boy/StyLe/

Posted 30 January 2014 - 09:37 PM

Hi,

You are more than welcome and thank you for bringing the issue to our attention. :)

Regards,

Georgi