Feeds

World's stealthiest rootkit gets a makeover

Now, TDL4 harder than ever to eradicate

SANS - Survey on application security programs

One of the world's more advanced pieces of malware has just gotten a makeover that could make it even more resistant to takedown efforts, security researchers said.

An analysis of recent updates to the TDL4 rootkit, which is also known as TDSS and Alureon, shows that components including its kernel-mode driver and user-mode payload have been rewritten from scratch, researchers from antivirus provider ESET blogged earlier this week. The code overhaul may mean that operators of TDL4, which is used to force keyloggers, adware, and other malicious programs onto compromised machines, may have started providing services to other crimeware groups.

The makeover includes changes to the way TDL4 attempts to remain undetected by antivirus programs and other defenses. Newer versions create a hidden partition at the end of the infected machine's hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run.

It also protects the code from being removed. The partition is equipped with an advanced file system that checks the integrity of TDL4 components. If any of the files are corrupted, they're removed.

Not that TDL4 wasn't already among the most sophisticated pieces of crimeware available. When it emerged in 2008, it was virtually undetectable by most AV programs, and its use of low-level instructions made it hard for researchers to conduct reconnaissance on it. Its built-in encryption prevents network monitoring tools from monitoring communications sent between infected PCs and command and control servers.

It was among the first rootkits to infect 64-bit versions of Windows by bypassing the OS's kernel mode code signing policy. That protection was introduced into 64-bit versions of Windows and allows drivers to be installed only when they have been digitally signed by a trusted source. In June, researchers at AV provider Kaspersky said TDL4 had infected more than 4.5 million PCs in just three months.

TDL4 also has the ability to communicate over the Kad peer-to-peer network and to infect a the master boot record of a compromised PC's hard drive.

The latest changes suggest that the relentless innovation of those developing TDL4 shows no signs of slowing. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.