Tuesday, February 16, 2010

TDL3 Creators Update Rootkit to Work With MS10-15

Via Prevx Blog -

On last November we've blogged about a new rootkit spreading around the net. That rootkit, called TDL3 or TDSS or Tidserv (there are many different names for the same malware, as often happens between various security companies) was pretty scaring because of the new way it compromised the system, by using both improved and new tricks.

After a couple months, we're here to raise again the alarm against this threat, which has been improved by their creators.

Fact is that the team of coders behind this rootkit is working hard to improve its creature. During these months they never stopped to update it, by releasing every day - sometimes even more times a day - new updated and rebuilt droppers able to evade generic detection signatures.

All TDL3 droppers have been server-side rebuilt every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. Actually this was the only effective obstacle, otherwise only really few specific anti-rootkits are able to detect the infection when active.


On last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17 years old bug. After some users updated their Windows operating systems, they got a scaring and really annoying blue screen of death.

Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed a number of the users affected by this BSOD was infected by TDL3/TDSS rootkit.

More exactly, TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem resides in the lazyness of rootkit writers when writing the driver infection routine.

When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard code them so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.

This worked well until the MS10-015 update, when Microsoft updated Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.

Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch.

Sadly the number of users affected by this BSOD is quite high and this means the rootkit infection is quickly spreading.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one is using an old infection technique, already seen in one of the first versions of TDL3. The injected dll is not anymore called tdlcmd.dll but instead z00clicker.dll.

International law police should really consider about cooperating with security vendors and try to shut down this botnet network by tracking down the gang behind it. They are active, they are able to release updates every day. They already are a serious threat that should be defeated as soon as possible.


Make no mistake, the TDL3 creators aren't looking out for us...they are only looking out for their own creation. A computer that is BSOD'ed is useless to the botnet creator and only increases the risk that the infection will be detected...and removed from the botnet.

In short, this is bad for [botnet] business.

No comments:

Post a Comment