TDSS: The Next Generation

Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years.

TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.

In a new ESET white paper on The Evolution of TDL: Conquering x64, Eugene Rodionov and Aleksandr Matrosov look at the GangstaBucks gang that has been distributing TDSS since DogmaMillions shut up shop, then dive deeper into analysis of the bootkit.

You may also find their previous white paper TDL3: The Rootkit of All Evil? and Virus Bulletin article Rooting about in TDSS* of interest.

* Available on the white papers page by courtesy of Virus Bulletin, who hold the copyright.

Author: David Harley, ESET Senior Research Fellow

  • Henri Salo

    Your links are broken.

    • David Harley

      ?!*?£$! Again!!!! Thanks, Henri. Fixed, I hope.

  • Randy Knobloch

    Great write up, David – thank you.
    Are the in working order – are they current?

  • David Harley

    Randy, do you mean the links? They were mysteriously corrupted when the post was posted. That happens on this blog occasionally: I must remember to check them after they're posted as well as before, but it hasn't happened for a while and I got sloppy. :)
