category
TDL4

Olmasco bootkit: next circle of TDL4 evolution (or not?)

Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology

Defeating anti-forensics in contemporary complex threats

Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.

Rovnix bootkit framework updated

Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.

ZeroAccess? Much too much access…

Why the ZeroAccess rootkit family modifications are important to the end user.

Rovnix Reloaded: new step of evolution

ESET is seeing a new step of evolution for the Rovnix bootkit family.

TDL4 reloaded: Purple Haze all in my brain

A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.

TDL4 rebooted

ESET researchers have noticed a new phase in the evolution of the TDL4 botnet.

Hasta La Vista, Bootkit: Exploiting the VBR

During the first half of 2011 we have witnessed a significant growth in malware targeting 64-bit platforms, the most interesting examples of which are bootkits.

Urban Myth in the Making

…you can probably guess what I think about the idea of an undetectable virus…

Stuxnet: Wired but Unplugged

I've stopped maintaining Stuxnet resource pages recently, but occasionally I come across an article that adds something useful to the mix, or simply summarizes aspects of the Stuxnet story neatly and accurately. Besides, its authors must be feeling a little left out with all that fuss about TDL4. ;-) A recent report in Wired gives

TDL4: Less hype, more history

I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It’s introduced new twists on old ideas like P2P networks and hiding malware.

TDSS: botnets, Kademilia and collective consciousness

The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, which is why we've spent so much time writing about it: the revision of the paper The Evolution of TDL: Conquering x64 that will be up on the white papers page shortly runs to 54 pages and includes some highly technical analysis, including the detail on

TDL Tracking: Peer Pressure

Recently … our TDL tracker picked up a brand new plugin for TDL4 kad.dll (Win32/Olmarik.AVA) which we haven’t seen earlier … we discovered that it implements a particularly interesting network communication protocol …

TDL file system

@RedNose commented on the blog I put up recently about the tool my Russian colleagues have made available for dumping TDL's hidden file system: I'm going to respond here in case anyone else is confused about this. "I ran the tool and it did not show anything. Does it mean that TDSS is not present?"

TDSS and hacking the hackers

…Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family…

TDL4: new bootkits stepping out

My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4. This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's

TDL4: Beat-root with Confidence

…Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on “Defeating x64: The Evolution of the TDL Rootkit” at Confidence 2011, in Krakow, and now available on our white papers page…

The co-evolution of TDL4 to bypass the Windows OS Loader patch (KB2506014 )

Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week. In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed

KB2506014 kills TDL4 on x64

The security update won’t necessarily help users who have already been infected with the bootkit as TDL4 blocks the Windows Update service on x86 machines. As a result, infected x86 machines won’t be able to download and install the patch automatically.

TDSS: The Next Generation

Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years. TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.