According to Microsoft, a new version of Alureon (better known as TDSS) was discovered in August 2012. It is Trojan:Win32/Alureon.FV [dropper] - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FAlureon.FV
Later, in September and October, Damballa and SurfRight respectively also confirmed that a new modification of TDSS had been observed:
http://hitmanpro.wordpress.com/2012/10/07/new-tdl4-strain-very-successful-in-hiding-from-av/
https://www.damballa.com/press/2012_09_17bPR.php
A few words about the dropper. It contains:
- obfuscated code with junk instructions;
- anti-emulation features;
- debugger checks in a huge number of functions;
- calls to key functions via stack modification, to hide the code flow.
The VBR infection code looks as follows:
It uses IOCTL 0x4D014 to infect the VBR; that is the standard IOCTL_SCSI_PASS_THROUGH_DIRECT. Sending the VBR write as a raw SCSI CDB through this control code means the sector write never passes through the normal IRP_MJ_WRITE path that file-system and volume filter drivers watch.
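To check the claim that 0x4D014 really is IOCTL_SCSI_PASS_THROUGH_DIRECT, here is a small added example (not code from the original post or from the malware) that rebuilds the code from the SDK's CTL_CODE() layout and decodes an arbitrary control code back into its fields. The constant values are the ones from winioctl.h / ntddscsi.h; the function and struct names are my own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as CTL_CODE() in the Windows SDK (winioctl.h):
 *   bits 31..16 device type, 15..14 required access,
 *   13..2 function number, 1..0 buffering method. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* Values from winioctl.h / ntddscsi.h. */
#define FILE_DEVICE_CONTROLLER 0x00000004u   /* IOCTL_SCSI_BASE */
#define METHOD_BUFFERED        0u
#define FILE_READ_ACCESS       0x0001u
#define FILE_WRITE_ACCESS      0x0002u
#define IOCTL_SCSI_PASS_THROUGH \
    CTL_CODE(FILE_DEVICE_CONTROLLER, 0x0401, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#define IOCTL_SCSI_PASS_THROUGH_DIRECT \
    CTL_CODE(FILE_DEVICE_CONTROLLER, 0x0405, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

struct ctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

/* Split a raw control code back into its CTL_CODE fields. */
struct ctl_fields decode_ctl_code(uint32_t ioctl)
{
    struct ctl_fields f;
    f.device_type = (ioctl >> 16) & 0xFFFFu;
    f.access      = (ioctl >> 14) & 0x3u;
    f.function    = (ioctl >> 2)  & 0xFFFu;
    f.method      = ioctl & 0x3u;
    return f;
}

/* Name the two SCSI pass-through codes a disk-infecting driver is likely
 * to issue; anything else is reported as unknown. */
const char *name_scsi_ioctl(uint32_t ioctl)
{
    if (ioctl == IOCTL_SCSI_PASS_THROUGH_DIRECT) return "IOCTL_SCSI_PASS_THROUGH_DIRECT";
    if (ioctl == IOCTL_SCSI_PASS_THROUGH)        return "IOCTL_SCSI_PASS_THROUGH";
    return "unknown";
}

int main(void)
{
    uint32_t seen = 0x4D014u;  /* the control code observed in the dropper */
    struct ctl_fields f = decode_ctl_code(seen);
    printf("0x%05" PRIX32 ": device_type=0x%" PRIX32 " access=0x%" PRIX32
           " function=0x%03" PRIX32 " method=%" PRIu32 " -> %s\n",
           seen, f.device_type, f.access, f.function, f.method, name_scsi_ioctl(seen));
    return 0;
}
```

The decoder is also handy when triaging other samples: any code with device type 4 and function 0x401 or 0x405 issued against a disk or port device is a raw SCSI command, and a driver doing that from a thread it started itself (rather than from a storage stack filter) is worth a closer look. Note the access field: the caller must hold a handle with both read and write access to the disk device, which is why the dropper needs to run with administrative rights.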
Frank published its decrypted payload:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=596&start=100#p16056
It looks as follows:
As we can see, it contains a new module [driver] that uses TDI (Transport Driver Interface). http://msdn.microsoft.com/en-us/library/windows/hardware/ff565685(v=vs.85).aspx
SHA256: 76fd3ce8b4428ea69568fe9b198174ae4be2e440863772494e4b2182dd7ebfb4
SHA1: 9d2e7de60d42d7dce2fcd9c3923ec098b4bfb51d
MD5: 83d04e8aec67ed939729777c3d2499a3
File size: 12800 bytes
Driver entry:
- initialization;
- starting the necessary system threads;
- attaching to the network devices: \Device\Tcp, \Device\Udp, \Device\Ip, \Device\RawIp.
Rootkit device name: \Device\cmdhlp, with symbolic link \DosDevices\cmdhlp.