Tidserv and BSoD

This is a follow-up to a previous article on Tidserv and MS10-015.
Word spread that the Tidserv gang had patched their rootkit to avoid the infinite-reboot (BSoD) problem caused by the changes in kernel API offsets that MS10-015 introduced, so we ran our own tests on the following samples, which are said to cope with such kernel updates:
MD5: 0370db3da46a580c600e99efd6d44d1b
MD5: e1212a8cf64d5157d02bf2175c16ab25
These samples use the following two configuration files (config.ini, extracted from the rootkit's own encrypted file system) and are the latest Tidserv samples we have in our lab:
--- (0370db3da46a580c600e99efd6d44d1b)

quote=Jebus where are you? Homer calls Jebus!
version=3.25
botid=
affid=
subid=0
installdate=
builddate=16.2.2010 0:45:2

*=tdlcmd.dll

servers=https://a57990057.cn/;https://94.228.209.145/;https://94.228.209.146/
wspservers=http://c36996639.cn/;http://c58446658.cn/
popupservers=http://m2121212.cn/
version=3.74

--- (e1212a8cf64d5157d02bf2175c16ab25) 

quote=F*ck damnation, man! F*ck redemption! We are God's unwanted children!
version=3.26
botid=
affid=
subid=0
installdate=
builddate=16.2.2010 17:3:20

*=tdlcmd.dll

servers=https://a57990057.cn/;https://94.228.209.145/;https://94.228.209.146/
wspservers=http://c36996639.cn/;http://c58446658.cn/
popupservers=http://m2121212.cn/
version=3.74

---
One can observe that the build dates of these two versions are only about 16 hours apart, a very short interval compared to other threats.
Another thing worth mentioning is that the installer/dropper's debug message has been changed to:
"We should have shotguns for this kind of deal."
After successful installation the infected drivers were indeed able to cope with the changes in kernel API offsets. To achieve that, they no longer rely on fixed offsets: the names of the APIs they need are stored as hash values, and the matching addresses are looked up on the fly by hashing the exported function names and comparing the results:

This technique is known to have been used in viruses and other threats for years, and yet they had to disable most of their bot (continue reading...)
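The resolve-by-hash technique described above is also what an analyst has to undo when reversing such a sample: the driver carries only 32-bit constants, and the analyst needs a table mapping those constants back to export names. The following Python script is an added example written for this article, not Tidserv code and not code from the original post. It assumes a generic rotate-and-add hash (the page does not disclose which hash function the rootkit actually uses), a constructed seed list of ntoskrnl export names, and a constructed byte blob standing in for a driver image; the rotation count is a parameter because, in practice, the analyst has to try several before the constants in a sample start resolving.

```python
"""Hypothetical API-name hash resolver for analysts (added example, not Tidserv code)."""
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str, rotate: int = 13) -> int:
    """Rotate-and-add hash over an ASCII export name.

    This is an assumed, generic construction; the page does not say which
    hash function Tidserv really uses, so treat the rotation count as unknown.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, rotate) + byte) & MASK32
    return h


# Constructed seed list: a handful of ntoskrnl exports a kernel-mode component
# commonly needs. A real analysis would feed the full export table here.
KNOWN_EXPORTS = [
    "IoCreateDevice",
    "IoDeleteDevice",
    "ZwQuerySystemInformation",
    "ExAllocatePool",
    "ExFreePool",
    "KeDelayExecutionThread",
    "ObReferenceObjectByHandle",
    "RtlInitUnicodeString",
]


def build_lookup(names, rotate: int = 13) -> dict:
    """Map hash value -> export name, the inverse of what the rootkit computes."""
    return {api_hash(n, rotate): n for n in names}


def resolve_hash(constant: int, table: dict):
    """Return the export name behind a hash constant, or None if unknown."""
    return table.get(constant & MASK32)


def find_hash_constants(data: bytes, table: dict):
    """Slide a 32-bit little-endian window over a blob and report offsets whose
    value matches a known hash. Returns a list of (offset, export_name)."""
    hits = []
    for offset in range(len(data) - 3):
        (value,) = struct.unpack_from("<I", data, offset)
        name = table.get(value)
        if name is not None:
            hits.append((offset, name))
    return hits


def identify_rotation(constant: int, names, rotations=range(1, 32)):
    """When the rotation count is unknown, find which (rotate, name) pairs
    reproduce a constant seen in the sample."""
    return [(r, n) for r in rotations for n in names if api_hash(n, r) == constant]


# Constructed stand-in for a driver image: two padding bytes, one hash
# constant, one opcode byte of noise, then a second hash constant.
SAMPLE_BLOB = (
    b"\x90\x90"
    + struct.pack("<I", api_hash("IoCreateDevice"))
    + b"\xcc"
    + struct.pack("<I", api_hash("ZwQuerySystemInformation"))
)

if __name__ == "__main__":
    table = build_lookup(KNOWN_EXPORTS)
    for offset, name in find_hash_constants(SAMPLE_BLOB, table):
        print(f"offset {offset:#06x}: {name}")
    unknown = api_hash("IoCreateDevice", rotate=7)
    print("candidates for", hex(unknown), "->", identify_rotation(unknown, KNOWN_EXPORTS))
```

The reverse table is cheap to build for the whole export table of ntoskrnl.exe and hal.dll, which is exactly why the technique offers no real protection against analysis: it only decouples the malware from hard-coded offsets, the property the authors needed after MS10-015.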


Copyright © 2012 The Security Blog. All rights reserved.