For HomeFor BusinessFor Partners
Anti-Malware Research
1 min read

The TDL3 Rootkit - Out of Steam?

Bitdefender

May 27, 2010

Promo Protect all your devices, without slowing them down.
Free 30-day trial
The TDL3 Rootkit - Out of Steam?

Development may be slowing down, but TDL3, possibly the biggest rootkit threat of the year, is not entirely static and in fact seems to have added self-defense features recently.

Are the creators of infamous TDL3 rootkit running out of steam? Well, it’s certainly matured, at least according to BD researcher Marius Tivadar, who has been following the evolution of this nasty bit of malware in the past few months.

“The updates came in fast at first, with a new version twice a week, mostly adding new tricks to avoid detection. The flow seems to have slowed down now though. Maybe they ran out of ideas” Marius said.

Development may be slowing down, but TDL3, possibly the biggest rootkit threat of the year, is not entirely static and in fact seems to have added self- defense features recently. The latest version includes a memory self-check (if TDL3 finds modifications they can be reverted from a clean copy) and a new way to protect the registry key it sets against changes.

The dropper component writing into a driver file on-disk was and still is the usual TDL3 method of gaining access to the kernel – the driver is loaded at boot time and executed, along with the malicious stub code.

A miniport driver such as atapi.sys was a logical (and the most common) choice for infection, as the rootki needs low-level access to the hard disk(s) to cheat antivirus scanners and the operating system into believing that it doesn’t exist. Recent versions, however, infect a random driver instead and patch the miniport driver in-memory, once loaded, which further complicates detection.

A complex series of steps (the exact “recipe” varies between minor versions, making each a unique puzzle) then leads to the rootkit stub being loaded. In turn, it loads the rest of the rootkit body, from an encrypted location on disk. The encrypted storage is no flat file either, but rather an entire filesystem, structured so as to allow the addition of new payloads.

Once installed and run, TDL3 injects its malware payload into a usermode process. The payload is usually a spammer trojan, but TDL3 can also be directed to download other malware.

tags

Anti-Malware Research

Author

Bitdefender

Bitdefender

The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.”

View all posts

Right now Top posts

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
Anti-Malware Research

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 08, 2023

5 min read
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
IoT Research Whitepapers

Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

May 02, 2023

2 min read
EyeSpy - Iranian Spyware Delivered in VPN Installers
Anti-Malware Research Whitepapers

EyeSpy - Iranian Spyware Delivered in VPN Installers

January 11, 2023

2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Anti-Malware Research Free Tools

Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor

January 05, 2023

1 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

AI meets next-gen info stealers in social media malvertising campaigns
Anti-Malware Research Scam Research

AI meets next-gen info stealers in social media malvertising campaigns
When Stealers Converge: New Variant of Atomic Stealer in the Wild
Anti-Malware Research

When Stealers Converge: New Variant of Atomic Stealer in the Wild
Andrei LAPUSNEANU

February 27, 2024

6 min read
Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204
Anti-Malware Research

Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204
Jubaer Alnazi JABIN

February 22, 2024

4 min read

Bookmarks

loader