Sophisticated Rootkit Overhauled

Wednesday, October 26, 2011 @ 08:10 AM gHale


One of the most sophisticated pieces of malware in the world is in the process of being rewritten and improved to hike its ability to become more resilient to antivirus detection.

“ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution,” said David Harley, the company’s director of malware intelligence. “Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions,” he said.

RELATED STORIES
Adobe Fixes Spying Bug
Flash Hole Allows for Spycam
Mac Malware Disables Protection
ICS Threat Brewing; Target Unclear

This points toward a major change within the TDL development team or the transition of its business model toward a crimeware toolkit they can license to other cybercriminals, Harley said.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated the number of computers infected with it exceeds 4.5 million.

There are other things that make TDL4 stand out from the crowd of rootkits currently trolling the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, changes are now underway to how TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active, ESET’s researchers said.

This ensures malicious code stored on it, including a special boot loader, gets executed before the actual operating system, and that the MBR code checked by antivirus programs for unauthorized modifications remains untouched.

TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

“The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system,” the ESET researchers explain.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit’s authors responded half a month later with an update of their own that bypassed the patch.



Leave a Reply

You must be logged in to post a comment.