The TDL3 Rootkit - Out of Steam?

admin

May 27, 2010

Development may be slowing down, but TDL3, possibly the biggest rootkit threat of the year, is not entirely static and in fact seems to have added self-defense features recently.

Are the creators of the infamous TDL3 rootkit running out of steam? Well, it has certainly matured, at least according to Bitdefender researcher Marius Tivadar, who has been following the evolution of this nasty bit of malware over the past few months.

“The updates came in fast at first, with a new version twice a week, mostly adding new tricks to avoid detection. The flow seems to have slowed down now, though. Maybe they ran out of ideas,” Marius said.

Development may be slowing down, but TDL3, possibly the biggest rootkit threat of the year, is not entirely static and in fact seems to have added self-defense features recently. The latest version includes a memory self-check (if TDL3 finds modifications to its own code, it reverts them from a clean copy) and a new way to protect the registry key it sets against changes.

The dropper component writing its code into a driver file on disk was, and still is, the usual TDL3 method of gaining access to the kernel: the infected driver is loaded at boot time and executed, along with the malicious stub code.

A miniport driver such as atapi.sys was a logical (and the most common) choice for infection, as the rootkit needs low-level access to the hard disk(s) to cheat antivirus scanners and the operating system into believing that it doesn’t exist. Recent versions, however, infect a random driver instead and patch the miniport driver in memory once it is loaded, which further complicates detection.
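Because recent variants infect a randomly chosen driver rather than atapi.sys, a disk-side check has to cover every driver file. The following added example (not code from the original post or from Bitdefender) compares all *.sys files in a directory against a known-good baseline of sizes and SHA-256 hashes; the driver names and file contents in the demo are constructed placeholders, and the check deliberately does not cover the in-memory patching of the miniport driver, which a disk scan cannot see.

```python
import hashlib
import os
import tempfile

# Added example: baseline-and-compare integrity check for a driver directory.
# All names, sizes and contents used in demo() are constructed for this page.

def sha256_file(path):
    """Hash a file in chunks so large drivers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(driver_dir):
    """Record name, size and hash of every *.sys file while the host is trusted."""
    baseline = {}
    for name in sorted(os.listdir(driver_dir)):
        if name.lower().endswith(".sys"):
            path = os.path.join(driver_dir, name)
            baseline[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return baseline

def check_drivers(driver_dir, baseline):
    """Return drivers that changed, appeared or vanished since the baseline.

    This catches the on-disk infection step only; a miniport driver patched in
    memory after loading still needs a memory-side check.
    """
    current = build_baseline(driver_dir)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}

def demo():
    """Constructed scenario: clean baseline, then one random driver gets written into."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("atapi.sys", "serial.sys", "ndis.sys"):  # placeholder driver names
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)  # placeholder driver image
        baseline = build_baseline(d)
        with open(os.path.join(d, "serial.sys"), "ab") as f:
            f.write(b"\xcc" * 16)  # simulated dropper write into a non-miniport driver
        return check_drivers(d, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline dictionary is plain JSON-serialisable data, so it can be stored off-host and re-checked at each boot.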

A complex series of steps (the exact “recipe” varies between minor versions, making each a unique puzzle) then leads to the rootkit stub being loaded. In turn, it loads the rest of the rootkit body, from an encrypted location on disk. The encrypted storage is no flat file either, but rather an entire filesystem, structured so as to allow the addition of new payloads.

Once installed and run, TDL3 injects its malware payload into a usermode process. The payload is usually a spammer trojan, but TDL3 can also be directed to download other malware.
