Rootkit Hides from AV

Thursday, October 11, 2012 @ 05:10 PM gHale


A new variant of TDL4 now ranks as the second most prevalent malware strain, within two months of its detection.

Its characteristics are similar to the TDL4 rootkit iteration that Damballa detected a month ago. Damballa picked it up through its network behavioral analysis software, which spotted the generated domain names this new TDL4 variant apparently uses for command-and-control communication.


Since Damballa could only determine the existence of the new malware by looking for domain fluxing, antivirus has not been able to identify and categorize binary samples of the new malware operating at the host or network levels.

HitmanPro, however, detected Sst.c (also known as Maxss), a modification of the TDL4 strain, and it is spreading fast.

This new variant is capable of infecting the Volume Boot Record (VBR) (also known as Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware.

“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus,” said Joseph Souren, vice president and GM Wave Systems EMEA. “The latest iteration, dubbed Sst.c, infects the Volume Boot Record.

Without embedded hardware security to detect anomalies of behavior in the boot process, it starts to cause havoc, damaging the network. It also reduces the window of detection for the enterprise to contain the threat.”
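The boot-process anomaly detection mentioned above can be approximated in software by baselining the Volume Boot Record and re-checking it. The following is an added example, not code from the article or from any vendor it names; the sector bytes are constructed for the demo, and on a real system the 512-byte VBR would be read from the partition device (for example `/dev/sda1` on Linux) with administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55  # bytes 55 AA at offset 510, read little-endian

def parse_vbr(sector: bytes) -> dict:
    """Extract the fields worth logging and validate the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a VBR is exactly one 512-byte sector")
    sig = struct.unpack_from("<H", sector, 510)[0]
    return {
        "oem": sector[3:11].decode("ascii", "replace").strip(),
        "code_sha256": hashlib.sha256(sector[:510]).hexdigest(),
        "valid_signature": sig == BOOT_SIGNATURE,
    }

def baseline(sector: bytes) -> str:
    """Hash taken at a known-good time; keep it off the host it protects."""
    return parse_vbr(sector)["code_sha256"]

def check(sector: bytes, expected_sha256: str) -> list:
    """Return findings; an empty list means the VBR matches the baseline."""
    info = parse_vbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 55 AA missing")
    if info["code_sha256"] != expected_sha256:
        findings.append("VBR changed since baseline")
    return findings

def make_demo_vbr() -> bytes:
    """Constructed sample sector: NTFS-style header, empty code, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"   # typical short jump over the BPB
    sector[3:11] = b"NTFS    "      # OEM identifier field
    sector[510:512] = b"\x55\xAA"   # boot signature
    return bytes(sector)

if __name__ == "__main__":
    good = make_demo_vbr()
    ref = baseline(good)
    tampered = bytearray(good)
    tampered[0x3E:0x41] = b"\xE9\x00\x01"   # constructed: boot code redirected
    print("clean:", check(good, ref))        # []
    print("tampered:", check(bytes(tampered), ref))
```

A changed hash is only the trigger; confirming a bootkit still means comparing the sector against a known-good copy and inspecting the disk from a trusted boot medium.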


