World's most sophisticated rootkit is being overhauled

New variants don't make obvious modifications to the MBR

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

"ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution," announced David Harley, the company's director of malware intelligence.

"Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions," he noted.

Harley and his colleagues believe this suggests a major change within the TDL development team or the transition of its business model toward a crimeware toolkit that can be licensed to other cybercriminals.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated that the number of computers infected with it exceeds 4.5 million.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, according to ESET's researchers, changes are now being made to the way TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active.

This ensures that malicious code stored on it, including a special boot loader, gets executed before the actual operating system, and that the MBR code checked by antivirus programs for unauthorized modifications remains untouched.

The TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

"The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system," the ESET researchers explain.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit's authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

Several antivirus vendors like Kaspersky, BitDefender or AVAST, offer free stand-alone tools that can remove TDSS and similar rootkits. However, in order to avoid getting infected in the first place users should install an antivirus solution that provides advanced layers of protection, like those analyzing software behavior.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitymalwareeset

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?