Notorious TDL4 rootkit

zep516
12 years ago

Notorious TDL4 rootkit retooled to better withstand antivirus programs

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit's authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

http://www.infoworld.com/d/security/notorious-tdl4-rootkit-retooled-better-withstand-antivirus-programs-176821?source=rss_security

Comments (2)

  • zep516
    Original Author
    12 years ago

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-26 16:16:43
    -----------------------------
    16:16:43.484 OS Version: Windows 5.1.2600 Service Pack 3
    16:16:43.484 Number of processors: 2 586 0x170A
    16:16:43.484 ComputerName: UserName: lov
    16:16:44.390 Initialize success
    16:16:57.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
    16:16:57.531 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
    16:16:57.531 Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD2500BEVT-75ZCT2___________________11.01A11#4&3c2934d&0&0.0.0#(53f56307-b6bf-11d0-94f2-00a0c91efb8b) not found
    16:16:57.562 Disk 0 MBR read successfully
    16:16:57.562 Disk 0 MBR scan
    16:16:57.578 Disk 0 TDL4@MBR code has been found
    16:16:57.578 Disk 0 MBR hidden
    16:16:57.578 Disk 0 MBR [TDL4] **ROOTKIT**
    16:16:57.578 Disk 0 trace - called modules:
    16:16:57.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae1f439]
    16:16:57.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb0ab8]
    16:16:57.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8adff4b8]
    16:16:57.578 \Driver\iaStor[0x8adae458] -> IRP_MJ_CREATE -> 0x8ae1f439
    16:16:57.578 Scan finished successfully

    That's a special tool from Avast called aswMBR.exe, shown above, and it finds the rootkit as shown. Another tool, such as TDSSKiller, will be employed to remove it.

  • ravencajun Zone 8b TX
    12 years ago

    It seems every day they get worse and are harder and harder to find and destroy.
    I am happy that the AV companies are trying to stay on it like they are.