Pay-Per-Install Analysis – Part Three


This is where things get interesting. This company distributes one executable, TDL3. TDL3 is a very advanced piece of stealth malware, with rootkit capabilities. Here you can see that Symantec is well aware of this.



This is how much they pay for 1000 installs per country.

USA - $170
Canada - $120
United Kingdom - $110
Australia, Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Netherlands, Norway, Spain, Sweden, Switzerland - $50

This is a list of strings from the unpacked executable. Notice the similarities to the Symantec writeup.

0x00013158 0x00000016 %1d.%1d %04d SP%1d.%1d
0x00013170 0x00000040 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x000131BC 0x00000014 %s|%s|%s|%x|%x|%s|%s
0x000131DC 0x00000012 %[^;];%[^;];%[^;];
0x000131F8 0x0000000A \tdrv
0x00013204 0x0000000A \tdev
0x00013220 0x00000012 %[^;];%[^;];%[^;];
0x0001323C 0x00000024 system\currentcontrolset\services\%s
0x00013264 0x00000009 imagepath
0x00013278 0x00000028 \registry\machine\%S
0x000132A4 0x0000001C \\?\globalroot%wZ\tdlcmd.dll
0x000132C4 0x00000014 \\?\globalroot%wZ\%s
0x000132DC 0x00000009 bckfg.tmp
0x000132E8 0x00000014 \\?\globalroot%wZ\%s
0x00013304 0x0000000E %[^|]|%[^|]|%s
0x00013314 0x00000007 servers
0x0001331C 0x00000006 tdlcmd
0x00013324 0x0000000A wspservers
0x00013330 0x00000006 tdlcmd
0x00013338 0x0000000C popupservers
0x00013348 0x00000006 tdlcmd
0x00013350 0x00000011 %d.%d.%d %d:%d:%d
0x00013364 0x00000009 builddate
0x00013370 0x00000018 services.exe
0x0001338C 0x0000000E IsWow64Process
0x0001339C 0x00000008 kernel32
0x000133A8 0x00000020 \\?\globalroot%s
0x000133DC 0x00000007 spooler
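The strings above are useful triage material on their own. The following is an added example (not code from the original post, and not Symantec's or anyone else's tool) that scans a file for a subset of those strings in both ASCII and UTF-16LE, since the %S and %wZ format specifiers show the sample handles wide strings too, and only flags the file when several distinct indicators co-occur, because strings like tdlcmd or IsWow64Process alone are not conclusive. The sample buffers are constructed stand-ins, not real binaries.

```python
"""Triage scan for the TDL3 strings listed above (added example)."""
from typing import List, Tuple

# Indicator strings copied from the strings dump above. The offsets and
# lengths on the page belong to the unpacked sample and are not reused here.
TDL3_STRINGS = [
    "\\\\?\\globalroot%wZ\\tdlcmd.dll",
    "bckfg.tmp",
    "wspservers",
    "popupservers",
    "tdlcmd",
    "system\\currentcontrolset\\services\\%s",
    "%[^;];%[^;];%[^;];",
    "%s|%s|%s|%x|%x|%s|%s",
    "IsWow64Process",
]

def find_indicators(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, string) for every indicator hit in data.
    Both narrow (ASCII) and wide (UTF-16LE) encodings are searched."""
    hits = []
    for s in TDL3_STRINGS:
        for enc in ("ascii", "utf-16le"):
            needle = s.encode(enc)
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, enc, s))
                start = idx + 1
    return sorted(hits)

def score(data: bytes, threshold: int = 3) -> Tuple[int, bool]:
    """Count distinct indicators; flag the file once >= threshold are present.
    A single generic string (tdlcmd, IsWow64Process) should not trip the verdict."""
    distinct = {s for _, _, s in find_indicators(data)}
    return len(distinct), len(distinct) >= threshold

# Constructed buffers standing in for a dropped file; not real malware.
SAMPLE = (b"\x00" * 16 + b"%s|%s|%s|%x|%x|%s|%s\x00"
          + "bckfg.tmp".encode("utf-16le") + b"\x00\x00"
          + b"wspservers\x00popupservers\x00kernel32\x00")
BENIGN = b"MZ" + b"\x00" * 32 + b"IsWow64Process\x00kernel32\x00"

if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        n, flagged = score(buf)
        print(name, n, flagged, find_indicators(buf))
```

Wide-string hits are the point of the double search: a scan that only looks for ASCII would miss bckfg.tmp in the constructed sample.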

TDL3 infects a random driver, so after infection I ran TDSSKiller.


There you can see it's infected one of my VirtualBox drivers. TDSSKiller was able to remove it after a reboot.

To be continued…

