Analysis of TDL4

From Botnets.fr
Revision as of 11:04, 25 November 2012 by Eric.freyssinet (talk | contribs)

Analysis of TDL4 (publication record)

Botnet: TDL-4
Date: 2012 / 2012-10-20
Editor/Conference: BAE Systems
Link: http://baesystemsdetica.blogspot.fr/2012/10/analysis-of-tdl4_8570.html (baesystemsdetica.blogspot.fr; archive copy available)
Author: Sergei Shevchenko

Abstract

Our lab has recently got its hands on a new sample of TDL4, also known as TDSS.

The sample is likely distributed as a dropper file named outlkupd.exe; its file size is 1,224Kb. Some of the components that it drops were compiled in July 2012, and some were compiled in September 2012, so it is a relatively 'fresh' one.

The dropper is packed with an interesting packer that disguises the protected executable underneath as normal code, with a normal flow and innocent API calls.

Bibtex

 @misc{2012BFR1191,
   editor = {BAE Systems},
   author = {Sergei Shevchenko},
   title = {Analysis of TDL4},
   date = {20},
   month = oct,
   year = {2012},
   howpublished = {\url{http://baesystemsdetica.blogspot.fr/2012/10/analysis-of-tdl4_8570.html}},
 }