Tuesday, September 6, 2011


Joseph Mlodzianowski from sub0day has written a great article analyzing a new TDL-4 variant. It is worth reading if you follow TDL trends.


Attention…  You no longer have to put up with Google browser search hijacks, popups or annoying spam email.  The latest and greatest in trojan technology can use your computer to browse silently, visiting hundreds of websites per day earning the attacker thousands of dollars per day* (botnet).  Additionally, it is capable of stealing your email, bank account and other passwords on your system, as well as using your computer as a proxy, and all with no intrusive popups.
This article will focus on the dissection and analysis of a new TDL-4 “Variant” I believe I discovered. While performing the analysis, some interesting trends, data and methods the “underground” is using to evade detection and make money were uncovered.
If you’re new to TDL (TDSS variants) malware, or crimeware in general, I suggest several articles written by Sergey Golovanov from Kaspersky Lab that can be found here: http://www.securelist.com/en/userinfo/72

This stealth trojan malware (TDL4.2) uses the victim’s computer to browse websites without any signs. It doesn’t display the common browser redirects or annoying popups, which normally alert users to the fact that they are infected. TDL-4 is detectable and can be removed by Kaspersky’s TDSS Killer; however, this variant will download and update itself, becoming undetectable. [At least for a while]
The malware is very sophisticated in that it utilizes custom encryption and has various methods in which it is capable of avoiding detection. It contains a rootkit that infects the boot sector, allowing it to load prior to other drivers, etc.
Proxy Service – In addition, this variant downloads and uses Socks.dll, which allows the victim’s system to be used as a proxy server (AWM Proxy Client). The fine people at awmproxy-dot-com created a convenient plug-in for Firefox.  It appears you can purchase their service and use the plug-in to browse anonymously using TDL-infected systems.