TDL4: Beat-root with Confidence

Sorry. If there's one thing I find even more irresistible than a good pun, it's a bad one. Lettuce get down to business.

My Russian colleagues Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011 in Krakow, and it is now available on our white papers page. If you follow this blog regularly, you'll know that this is a topic on which they certainly know their onions, and on this occasion they discussed how they analysed the rootkit and what its implications are.

Just to whet your appetite, here's what was on the menu:

  • Evolution of TDL rootkits
  • Installation on x86 vs. x64
  • TDL bootkit, or how to bypass driver signature check
  • How to debug a bootkit with Bochs emulator
  • Kernel-mode hooks
  • TDL hidden file system layout
  • Payload injection
  • TdlFsReader as a forensic tool

If the presentation is the appetiser, you'll love the main course we previously made available on the white papers page, a paper on The Evolution of TDL: Conquering x64. And there are also some related side dishes at http://resources.infosecinstute.com (they let me put my name on those, too, just to prove I'm earning my celery):

Sorry about the word salad.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Copyright © 2014 ESET, All Rights Reserved.