Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years.
TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
In a new ESET white paper on The Evolution of TDL: Conquering x64, Eugene Rodionov and Aleksandr Matrosov look at the GangstaBucks gang that has been distributing TDSS since DogmaMillions shut up shop, then dive deeper into analysis of the bootkit.
* Available on the white papers page by courtesy of Virus Bulletin, who hold the copyright.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET