Nytro

TDL3: The Rootkit of All Evil?


TDL3: The Rootkit of All Evil?

Account of an Investigation into a Cybercrime Group

Aleksandr Matrosov, senior virus researcher

Eugene Rodionov, rootkit analyst

Contents

DOGMA MILLIONS CYBERCRIME GROUP
    DOGMA MILLIONS
THE DROPPER
    DETECTING VIRTUAL MACHINE ENVIRONMENT
    CHECKING LOCALES
    INSTALLING KERNEL MODE DRIVER
        Using AddPrintProcessor and AddPrintProvidor API
        Using known dlls
THE ROOTKIT
    INFECTION
    READING AND WRITING DATA FROM/TO HARD DISK
    HOW TO SURVIVE AFTER REBOOT
    INJECTING MODULES INTO PROCESSES
ENCRYPTED FILE SYSTEM
INJECTOR
    COMMUNICATION PROTOCOL
    TASKS
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D

Download:

http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
