Comments on: TDL4 rebooted http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/ News, Views, and Insight from the ESET Security Community Mon, 03 Feb 2014 08:49:00 +0000

By: daniel http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3631 Thu, 11 Oct 2012 12:06:56 +0000 http://blog.eset.com/?p=9935#comment-3631 I got a new variant of this TDL virus: low-level format, HDD erase.exe, MHDD.exe, HDPARM, HDAT2, impossible to remove it. The pest created the hidden partition inside the DCO and possibly it adds a password, and then you cannot remove it because of the password. I have tried everything; this pest is a mess...
I tried a firmware update on my Seagate with no result, and Western Digital indicated that no firmware is available and to buy a new drive. Possibly a new virus to make people buy new stuff. Note the virus works best on XP and 32-bit systems; on 64-bit I have had fewer problems for now, until it gets through it. The virus comes through a USB key; formatting did not remove any virus since it goes to the Protected Area.

Formatting is useless on SD, pendrive or hard disk. Hackers are stronger than the manufacturers and the antivirus manufacturers. Only a company which does partitioning tools, an HPA/DCO editor, could manage this threat; I believe no company has the following requirement... Any suggestion???

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3630 Thu, 17 May 2012 18:00:40 +0000 http://blog.eset.com/?p=9935#comment-3630 I’m afraid I can’t give you an unequivocal answer to that without direct access to the machine.

By: Deb http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3629 Thu, 17 May 2012 16:47:54 +0000 http://blog.eset.com/?p=9935#comment-3629 Wonder if you will see this post? I have an unallocated 2.95 partition that is not flagged as boot or shown as hidden by gparted. I would like to know if I can safely delete this without worry of boot problems? On the last PC I had in my office, gparted showed that it had a 1MB hidden boot partition, and I unflagged and unhid it, then deleted it.

By: vince1053 http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3628 Thu, 08 Mar 2012 10:25:19 +0000 http://blog.eset.com/?p=9935#comment-3628 I was a victim of this virus and unfortunately I could not reboot the system, not even from the install CD.
The result was a low-level format in order to eradicate this phantom partition.

By: PCTech20 http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3627 Thu, 23 Feb 2012 16:23:53 +0000 http://blog.eset.com/?p=9935#comment-3627 [Comment approved as some people may find it interesting: note, however, that I haven't tested the techniques or resources described here in this context, they aren't endorsed in any way by ESET, and we can't be held responsible for any problems that arise from using them: caveat lector. This was actually edited down from three comments by the same poster.]

I don't think there is a way to bypass the hidden partition.  What I have found is to use the management console in a different computer and "slave" the infected hard drive into it in order to look at the partitions on the drive.  This is possible in Windows Vista or Windows 7.  If there is a "strange" partition, it is usually at the end of the hdd and Windows identifies it as "Unknown" and shows it has been made active.  Typically, you can then delete that partition after making active the true boot partition.  Then I would suggest putting the hdd back into its original PC and booting the system into the recovery console.  When in there, I would then use bootrec /fixboot, bootrec /fixmbr, and in some extreme cases bootrec /rebuildbcd.  Once the system is booting properly, then I would boot the system to safe mode with networking and run ComboFix.  After this, I would run full scans with the usual antimalware programs, also in safe mode.  I personally use CCleaner or other good temp file cleaner first.  Then I use Malware Bytes and Super AntiSpyware.  If you have an antivirus that can do a boot-time scan, then run the boot-time scan after the previous 3 or 4 programs have been run.  This usually cleans up the system pretty well.  As for ComboFix, I only trust the version that is developed by BleepingComputer.com. 

In some instances, the above procedure can work with Windows XP, too, but do not use bootrec.  Also, rebuildbcd does not exist in XP.  So the commands to use would be only fixboot and fixmbr for XP systems.

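An added example, not from the comment above or from ESET, that turns the indicator the commenter describes (an active partition of "Unknown" type sitting at the end of the drive) into a check a responder can run against a saved MBR sector before deciding which partition to delete: it decodes the four primary partition entries and flags an active one of unrecognised type that lies after every other partition. The sample MBR, its 0x4B type byte and the small KNOWN_TYPES table are constructed for illustration.

```python
import struct

SECTOR = 512
PT_OFFSET = 446          # the partition table starts at this offset in the MBR
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, start LBA, sector count
# Partition types a Windows disk normally carries (constructed, deliberately small table).
KNOWN_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x27: "Windows RE"}


def parse_mbr(mbr: bytes) -> list:
    """Decode the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for slot in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"slot": slot, "active": boot == 0x80, "type": ptype,
                        "start": start, "sectors": count})
    return entries


def suspicious_active_slots(entries: list) -> list:
    """Return slots of active partitions of unrecognised type that lie after all others.

    Heuristic only: a vendor recovery partition can look the same, so confirm before deleting.
    """
    if not entries:
        return []
    last_start = max(e["start"] for e in entries)
    return [e["slot"] for e in entries
            if e["active"] and e["type"] not in KNOWN_TYPES and e["start"] == last_start]


def build_sample_mbr() -> bytes:
    """Constructed MBR: a 60 GiB NTFS volume, then an 8 MiB active partition of made-up
    type 0x4B at the end of the disk. Illustrative values, not taken from a real sample."""
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET, 0x00, b"\0\0\0", 0x07, b"\0\0\0", 2048, 125_829_120)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16, 0x80, b"\0\0\0", 0x4B, b"\0\0\0", 125_831_168, 16_384)
    mbr[510:] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for slot in suspicious_active_slots(parse_mbr(build_sample_mbr())):
        print(f"slot {slot}: active partition of unknown type at the end of the disk")
```

On a real drive, feed the first 512 bytes of the disk image (for example the output of `dd` on a slaved drive) to `parse_mbr` instead of the constructed sample.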
By: Cybrhelp http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3626 Mon, 23 Jan 2012 20:30:01 +0000 http://blog.eset.com/?p=9935#comment-3626 How does one get past this hidden partition to boot the system?

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3625 Sun, 15 Jan 2012 17:02:51 +0000 http://blog.eset.com/?p=9935#comment-3625 Responded to the English version ;-)

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3624 Sun, 15 Jan 2012 16:59:47 +0000 http://blog.eset.com/?p=9935#comment-3624 I’m afraid that antivirus implemented within a hidden partition would be no more “indestructible” in principle than TDSS. Which certainly isn’t indestructible…

By: conectado http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3623 Sun, 15 Jan 2012 14:19:51 +0000 http://blog.eset.com/?p=9935#comment-3623 Would it not be a good idea to implement this system for / in the antivirus, and so beat the malware to it?
- That is, the installed antivirus creates that hidden partition, and so on, etc., and works from there, etc., and from there connects to the server for updates.
- Adding, of course, its action to prevent any similar attempt by any other means.
- THAT WOULD MAKE THE ANTIVIRUS INDESTRUCTIBLE, right?

By: conectado http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3622 Sun, 15 Jan 2012 14:09:49 +0000 http://blog.eset.com/?p=9935#comment-3622 Wouldn't it be a good idea TO IMPLEMENT THIS SYSTEM FOR ANTIVIRUS PRODUCTS, and BEAT THE MALWARE TO IT?
- That is, the antivirus, when installed, creates the said hidden partition, etc., etc., works from there, etc., etc., and connects from there to the update server.
- Adding, of course, its action of preventing any similar attempt by any other means.
- THAT WAY WE WOULD HAVE THE INDESTRUCTIBLE ANTIVIRUS, RIGHT?

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3621 Mon, 07 Nov 2011 17:13:14 +0000 http://blog.eset.com/?p=9935#comment-3621 Reza, no, that’s not it.

Where TDL4 uses kad.dll that does involve P2P. What you shouldn’t do is think of TDL4 as _either_ P2P _or_ C&C. The malware is highly adaptive and changes frequently.

By: Reza http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3620 Sun, 06 Nov 2011 20:18:46 +0000 http://blog.eset.com/?p=9935#comment-3620 Based on your answer to Rafa, it seems that TDL4 is not a kind of P2P botnet so far? Right?

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3619 Sat, 05 Nov 2011 10:58:34 +0000 http://blog.eset.com/?p=9935#comment-3619 Eugene says:
We didn’t notice any payload communicating with C&C over P2P protocol and specifically KAD in this modification of TDL4.
As to the second question, in fact, there are two independent plugins (cmd.dll and kad.dll) in some examples of TDL4, each communicating with C&C according to implemented protocols: HTTP(S) and KAD correspondingly. Thus, there is no decision making as such.

By: Rafa Rodríguez http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3618 Fri, 04 Nov 2011 16:37:22 +0000 http://blog.eset.com/?p=9935#comment-3618 Is this new version of the bot still using the Kad network to receive the C&C messages? And more generally, in which cases does TDL-4 decide to communicate via HTTP C&C or P2P C&C?

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3617 Tue, 01 Nov 2011 10:13:52 +0000 http://blog.eset.com/?p=9935#comment-3617 There are a number of removal tools available from the downloads/utilities page on the main web site, including tools for Olmarik/TDL4. However, they obviously aren’t updated on a daily basis like the regular scanner, and there’s no guarantee that they’ll work correctly with a particular example of malware as adaptive as TDSS. If you aren’t an ESET customer, you could try the ESET online scanner, of course.

By: Ajay http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3616 Tue, 25 Oct 2011 21:00:52 +0000 http://blog.eset.com/?p=9935#comment-3616 Any special removal tool for this type of nasty infection from Eset guys….?

By: Nauip http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3615 Mon, 24 Oct 2011 23:04:00 +0000 http://blog.eset.com/?p=9935#comment-3615 Seems to me the best prevention is to not have any un-partitioned space? Or is this bugger smart enough to shrink a volume assuming there's free space?

By: David http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3614 Mon, 24 Oct 2011 11:23:59 +0000 http://blog.eset.com/?p=9935#comment-3614 Question is, if the VBR is infected, then can the malware disable the NOD32 software, thus leaving it infected?

By: ivan http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3613 Fri, 21 Oct 2011 22:28:50 +0000 http://blog.eset.com/?p=9935#comment-3613 I like the way Russian letter "yo" shows for 0xF0 on your binary print out on figure 1. Kudos to Alexander Matrosov. :)

By: David Harley http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3612 Thu, 20 Oct 2011 22:08:38 +0000 http://blog.eset.com/?p=9935#comment-3612 I’ll check, but I think that refers to a system limitation. No-one is suggesting that malware is about to start routinely eating 50Gb of disk: that would be counterproductive from the blackhat’s point of view.

By: Harry Johnston http://www.welivesecurity.com/2011/10/18/tdl4-rebooted/#comment-3611 Wed, 19 Oct 2011 22:41:12 +0000 http://blog.eset.com/?p=9935#comment-3611 "the size of the malicious partition is limited to 50 GB": did you mean 50MB?  Even on today's disks, 50GB would be a sizeable chunk to go missing.
