Friday, August 27, 2010

TDL3 Rootkit x64 Goes in the Wild

Via Prevx Blog -

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable, and it is currently running without any major bug on every 32-bit Windows operating system. Still, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind the TDL3 rootkit was just too quiet not to expect something new.

They actually built a nice gift for every security vendor, because TDL3 has been updated, and this time it is a major update: the rootkit is now able to infect 64-bit versions of the Microsoft Windows operating system.

But this TDL3 release can be considered the first x64-compatible kernel-mode rootkit infection in the wild. Our Prevx community spotted the infecting dropper more than 9 days ago, and we are now seeing new samples reported every day. This means the infection is spreading on the web through both porn websites and exploit kits.

Speaking about the infection itself, we are still analyzing it. At first glance, though, we don't feel it can be considered a brand-new TDL3.

It looks like someone got the TDL3 sources and added a bootkit infection to it. This is because the TDL3 rootkit is now targeting the Master Boot Record, as the MBR rootkit did years ago and as the Whistler Bootkit is currently doing.

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit patches the hard drive's master boot record so that it can intercept the Windows startup routine, take it over, and load its driver. Both Windows security mechanisms are bypassed.
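The MBR patching described above is what a defender can look for: the following is an added example, not code from Prevx or the original post, that parses a 512-byte MBR, hashes the boot-code region (bytes 0-439, leaving out the disk signature and partition table, which legitimately vary) and flags any deviation from a trusted baseline hash. The sample MBRs, the stub boot code and the "patched" bytes are constructed placeholders, and the baseline hash is assumed to have been recorded from a known-good disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439 hold the boot loader code a bootkit patches
PARTITION_TABLE_OFF = 446      # 4 x 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511

def read_mbr(path):
    """Read the first sector of a disk image or block device (needs root on a live disk)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def parse_mbr(mbr):
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs1, ptype, _chs2, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def check_mbr(mbr, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches the trusted baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit patch)")
    return findings

# Constructed sample data (not a real loader): a clean MBR with stub boot code and one NTFS partition.
def build_sample_mbr(boot_code):
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6   # pad + disk signature area
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return body + entry + b"\x00" * 48 + BOOT_SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # placeholder stand-in for the stock loader
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]      # in practice, record this from a known-good disk
PATCHED_MBR = b"\x00\x01" + CLEAN_MBR[2:]                # constructed: boot code altered in place
```

On a real system, compare `read_mbr("/dev/sda")` (or an acquired disk image) against a baseline hash taken before deployment; a changed partition table without a changed boot-code hash is a normal repartition, while a changed boot-code hash is the signal worth investigating.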

Even the rootkit build version changed, from 3.273 to 0.02. It looks like a beta build. We say this because in our first internal tests the rootkit didn't always fully work.

Our current idea is that the TDL3 sources could have been sold, and the new team who owns them has started adapting the rootkit to the x64 platform by adding to it a bootkit infection technique already shown by the Whistler bootkit and the Stoned v2 bootkit.

What is more important is that with this new TDL3 release a new era has officially dawned: the era of x64 rootkits. How this develops, we're not sure.

However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.
