TDL4: new bootkits stepping out

My colleague Aleks Matrosov has come across an interesting, if uncomfortable, post on a Russian-language forum advertising a "Boot loader for drivers", currently under test, that doesn't require the driver to carry a digital signature. That sounds very much like our old friend TDL4.

This metamorphic malware (each build generates a fresh binary) loads before PatchGuard starts. It's claimed to support all versions of Microsoft Windows from XP up to and including Windows 7 SP1, on both x86 and AMD64 (EM64T). A mere $9000, which I guess gives you some idea of how much profit there is in this kind of "costly but effective" malcode. :(

More info on TDL4 on the white papers page:

The Evolution of TDL: Conquering x64
By Eugene Rodionov and Aleksandr Matrosov

Defeating x64: The Evolution of the TDL Rootkit
By Aleksandr Matrosov and Eugene Rodionov

TDSS part 1: The x64 Dollar Question
By Aleksandr Matrosov, Eugene Rodionov & David Harley

TDSS part 2: Ifs and Bots
By Aleksandr Matrosov, Eugene Rodionov & David Harley

TDSS part 3: Bootkit on the other foot
By Aleksandr Matrosov, Eugene Rodionov & David Harley

Rooting about in TDSS
By Aleksandr Matrosov & Eugene Rodionov
Article first published in Virus Bulletin, October 2010. Copyright is held by Virus Bulletin Ltd, but is made available on ESET's white papers page for personal use free of charge, by permission of Virus Bulletin.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow
