1 min read

New TDL Clones in the Wild

Răzvan STOICA

April 30, 2013

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
New TDL Clones in the Wild

New TDL clones are making the rounds these days, according to Bitdefender Labs antimalware researcher Marius Tivadar. The samples in question (which are just now completely analyzed) date from the beginning of April.


The basics are the same as for any other TDL variant – the master boot record gets infected, there is a 16-bit component and 32/64 bit DLLs.

Taking a look at the code, we can see that to decrypt the sectors where the components are stored, the RC4 key used is also XORed with 0x42965246:

snippet_mbr

The encrypted filesystem looks like this:

fs
and we can see that, unlike other TDL clones, all the files have names made up exclusively of digits (perhaps chosen at random)
Previous clones used intuitive names for files: ldr16/ldr32/ldr64/mbr.

The configuration file is almost unchanged, except there aren’t almost any readable strings:

cfg

 

while the mbr loader binary looks like this:

mbr

Unfortunately, the TDL bootkit family remains relatively unknown in the wider IT security community, as the low detection rates from other major antivirus companies prove.

Bitdefender antimalware researchers have updated the free rootkit remover to deal with the latest TDL clones.

tags


Author



Right now

Top posts

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

July 21, 2021

9 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign

How We Tracked a Threat Group Running an Active Cryptojacking Campaign

July 14, 2021

10 min read
A Note from the Bitdefender Labs Team on Ransomware and Decryptors

A Note from the Bitdefender Labs Team on Ransomware and Decryptors

May 26, 2021

2 min read
New Nebulae Backdoor Linked with the NAIKON Group

New Nebulae Backdoor Linked with the NAIKON Group

April 28, 2021

1 min read
Good riddance, GandCrab! We’re still fixing the mess you left behind.

Good riddance, GandCrab! We’re still fixing the mess you left behind.

June 17, 2019

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer Poking Holes in Crypto-Wallets: A Short Analysis of BHUNT Stealer
Bitdefender

January 19, 2022

2 min read
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
Bogdan BOTEZATU

November 08, 2021

2 min read
Digitally-Signed Rootkits
are Back – A Look at
FiveSys and Companions Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions
Cristian Alexandru ISTRATEBalazs BIRORareș Costin BLEOTUClaudiu COBLIȘ
1 min read