Sunday, May 1, 2011

TDL4 Rootkit is Coming Back Stronger than Before

Via Prevx Blog -

After some months since our last post about the TDL rootkit, we have to come back and write again about this nasty threat, which targets both the 32-bit and 64-bit versions of the Windows operating system and successfully bypasses all the security countermeasures implemented in 64-bit Windows that should prevent the loading of unsigned drivers and any kind of patch to the Windows kernel.


This is the behavior TDL4 exploited until last April: a design flaw that let it overwrite the kdcom.dll module with its own module, which loads the rootkit driver and disables kernel debugging. Because the loader is told it is booting in WinPE mode, the replacement module is not subjected to the integrity check that would otherwise reject it; then, once the rootkit driver has been loaded, the rootkit prevents Windows from actually continuing the boot in WinPE mode.


This trick allowed the TDL4 rootkit to successfully infect x64 versions of Windows until this April, when Microsoft silently released the KB2506014 patch, which the company itself describes as follows: "Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection".


The TDL4 authors didn't wait long and released an update to the TDL4 rootkit code, making a number of important changes that bypass both the patch issued by Microsoft and a number of TDL rootkit scanners available online. This new TDL4 dropper looks like it is still in the development stage, because there are some bugs in the dropper code.

This new release of TDL4 implements specific code to disable the driver signing security routine. As noted above, since the Microsoft patch winload.exe checks the digital signature of the kernel and of the modules it depends on. If the integrity check fails, as it does for the rootkit's replacement kdcom.dll, the security routine returns the error status 0xC0000428, STATUS_INVALID_IMAGE_HASH. When the routine returns this error, winload.exe stops the system bootup and shows a security error.
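The decision described above, modelled as an added example (this is not code from the post, from Microsoft or from the rootkit). It shows why the status value matters more than the failure itself: an NTSTATUS carries its severity in the top two bits, so the usual NT_SUCCESS-style test accepts any value whose bit 31 is clear, including the undefined 0x0000C428 the post reports the patched routine returning. The exact form of winload's own test is an assumption here; the post only says winload "doesn't recognize" the patched code and continues. The hardened variant accepts only the one documented success value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS layout as defined in ntdef.h: bits 31-30 severity, bit 29 customer,
   bit 28 reserved, bits 27-16 facility, bits 15-0 code.  A value passes
   NT_SUCCESS() whenever bit 31 is clear, whatever the lower bits hold. */
typedef int32_t NTSTATUS;

#define STATUS_SUCCESS            ((NTSTATUS)0x00000000u)
#define STATUS_INVALID_IMAGE_HASH ((NTSTATUS)0xC0000428u)  /* value named in the post */
#define TDL4_PATCHED_STATUS       ((NTSTATUS)0x0000C428u)  /* value the post says the patched routine returns */

#define NT_SUCCESS(s)        (((NTSTATUS)(s)) >= 0)          /* same test as the WDK macro */
#define STATUS_SEVERITY(s)   (((uint32_t)(s)) >> 30)
#define STATUS_FACILITY(s)   ((((uint32_t)(s)) >> 16) & 0x0FFFu)
#define STATUS_CODE(s)       (((uint32_t)(s)) & 0xFFFFu)

/* Assumed model of the loader's decision: continue the boot if the verification
   status is "successful" in the NT_SUCCESS() sense.  Any value with the severity
   bits clear gets through, defined or not. */
bool boot_continues_lenient(NTSTATUS verify_status)
{
    return NT_SUCCESS(verify_status);
}

/* Hardened form: only the single status the verifier is documented to return on
   success is accepted; an undefined "success-severity" value is a failed check. */
bool boot_continues_strict(NTSTATUS verify_status)
{
    return verify_status == STATUS_SUCCESS;
}

/* Decodes a status into its fields so the two values can be compared side by side. */
void describe_status(NTSTATUS s, char *out, size_t cap)
{
    static const char *sev[] = { "success", "informational", "warning", "error" };
    snprintf(out, cap, "0x%08X severity=%s facility=0x%03X code=0x%04X NT_SUCCESS=%d",
             (unsigned)s, sev[STATUS_SEVERITY(s)], (unsigned)STATUS_FACILITY(s),
             (unsigned)STATUS_CODE(s), (int)NT_SUCCESS(s));
}

int main(void)
{
    char line[96];
    NTSTATUS cases[] = { STATUS_INVALID_IMAGE_HASH, TDL4_PATCHED_STATUS, STATUS_SUCCESS };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        describe_status(cases[i], line, sizeof line);
        printf("%s  lenient:%s strict:%s\n", line,
               boot_continues_lenient(cases[i]) ? "boot" : "halt",
               boot_continues_strict(cases[i])  ? "boot" : "halt");
    }
    return 0;
}
```

The lenient check halts on 0xC0000428 and boots on 0x0000C428; the strict check halts on both. The general lesson for any integrity gate is the same: compare against the expected success value, not merely against "not an error".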

To bypass this check, the rootkit now intercepts the digital signature check routines and patches them so that, instead of returning the NTSTATUS error 0xC0000428, they return 0x0000C428, which is not a defined status code. Winload does not recognize it as an error and goes ahead with the system bootup, effectively loading an unsigned, tampered module. (Only the top bits of an NTSTATUS carry its severity; with those bits clear, a routine that tests the status with the usual NT_SUCCESS-style check treats it as success.) To keep intercepting the kdcom.dll load, TDL4 has also been updated with the new kdcom.dll's resource directory size, 0x110, the value it uses to recognize the module, neutralizing the Microsoft patch.
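The kdcom.dll fingerprint the post mentions, as an added example (not the rootkit's code and not from the post): the module is recognized by the Size field of the resource entry in its PE data directory, which for the updated kdcom.dll is 0x110 according to the post. The parser below reads that field from a PE32 or PE32+ image in memory with every header access bounds-checked, and the constructed sample images (not real kdcom.dll files) exercise a matching x64 image, a non-matching x86 image and a truncated one. The 0xF8 size used for the non-matching sample is an arbitrary constructed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550u  /* "PE\0\0" */
#define PE32_MAGIC          0x10Bu
#define PE32PLUS_MAGIC      0x20Bu
#define DIR_RESOURCE        2            /* IMAGE_DIRECTORY_ENTRY_RESOURCE */
#define KDCOM_RES_DIR_SIZE  0x110u       /* value the post says the updated TDL4 matches on */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Reads IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size from a PE image in
   memory.  Every header field is bounds-checked against len, so a truncated or
   malformed image yields -1 instead of an out-of-bounds read.  Returns 0 on success. */
int pe_resource_dir_size(const uint8_t *img, size_t len, uint32_t *size)
{
    if (len < 0x40 || rd16(img) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);                 /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);                /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;                     /* IMAGE_OPTIONAL_HEADER */
    if (opt_size > len - (size_t)(opt - img)) return -1;
    size_t num_rva_off, dd_off;                           /* NumberOfRvaAndSizes / DataDirectory offsets */
    switch (rd16(opt)) {                                  /* Magic */
    case PE32_MAGIC:     num_rva_off = 92;  dd_off = 96;  break;
    case PE32PLUS_MAGIC: num_rva_off = 108; dd_off = 112; break;
    default:             return -1;
    }
    if (opt_size < num_rva_off + 4) return -1;
    if (rd32(opt + num_rva_off) <= DIR_RESOURCE) return -1;   /* no resource entry present */
    size_t entry = dd_off + DIR_RESOURCE * 8;             /* each IMAGE_DATA_DIRECTORY is 8 bytes */
    if (opt_size < entry + 8) return -1;
    *size = rd32(opt + entry + 4);                        /* .Size follows .VirtualAddress */
    return 0;
}

/* The fingerprint as the post describes it: treat the image as kdcom.dll when its
   resource directory size is 0x110. */
bool matches_kdcom_fingerprint(const uint8_t *img, size_t len)
{
    uint32_t size;
    return pe_resource_dir_size(img, len, &size) == 0 && size == KDCOM_RES_DIR_SIZE;
}

/* Constructed sample input: a headers-only PE image (no sections, no code) in the
   requested format with the requested resource directory size.  Returns bytes
   written, or 0 if buf is too small. */
size_t build_min_pe(uint8_t *buf, size_t cap, bool pe32plus, uint32_t res_size)
{
    const uint32_t e_lfanew = 0x40;
    const uint16_t opt_size = pe32plus ? 240 : 224;       /* standard sizes with 16 directories */
    size_t total = e_lfanew + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    wr32(nt, IMAGE_NT_SIGNATURE);
    wr16(nt + 4, pe32plus ? 0x8664 : 0x14C);              /* Machine: AMD64 or I386 */
    wr16(nt + 4 + 16, opt_size);
    uint8_t *opt = nt + 4 + 20;
    wr16(opt, pe32plus ? PE32PLUS_MAGIC : PE32_MAGIC);
    wr32(opt + (pe32plus ? 108 : 92), 16);                /* NumberOfRvaAndSizes */
    wr32(opt + (pe32plus ? 112 : 96) + DIR_RESOURCE * 8 + 4, res_size);
    return total;
}

/* Runs the three cases a scanner cares about: matching x64 image, non-matching x86
   image (constructed size 0xF8), truncated image.  Returns 0 when all behave. */
int self_check(void)
{
    uint8_t buf[512];
    uint32_t s = 0;
    size_t n = build_min_pe(buf, sizeof buf, true, KDCOM_RES_DIR_SIZE);
    if (n == 0 || pe_resource_dir_size(buf, n, &s) != 0 || s != KDCOM_RES_DIR_SIZE) return 1;
    if (!matches_kdcom_fingerprint(buf, n)) return 2;
    n = build_min_pe(buf, sizeof buf, false, 0xF8);
    if (n == 0 || matches_kdcom_fingerprint(buf, n)) return 3;
    if (pe_resource_dir_size(buf, n - 100, &s) != -1) return 4;  /* truncated: must be rejected */
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

Two practical points follow from this. First, a fingerprint on a single header field is brittle by design: any rebuilt kdcom.dll with a different resource directory size silently breaks the hook, which is exactly why the rootkit needed the 0x110 update after KB2506014. Second, the bounds checks are not optional in a boot-time component that parses attacker-reachable or partially loaded images; the post notes the new dropper still has bugs, and header parsing is where such bugs usually live.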


To avoid detection by some of the public online TDL4 rootkit scanners, the TDL4 team also updated their miniport disk driver hook, changing how the rootkit's devices are linked to the rootkit driver and to the real, hooked miniport driver. As already known, TDL4 steals the driver object of the last miniport driver and hijacks the disk driver's DR0 device, attaching it to its own filtering device. By walking the rootkit driver's chain of devices it was trivial to obtain a pointer to the real hooked miniport driver object, and this device-and-driver layout helped many tools spot an active TDL rootkit on the system. The current TDL4 release removes every reference to the hooked miniport driver object, bypassing many anti-rootkit TDL4 detection routines.

The team behind TDL4 is still alive and is working quietly to keep its creature up to date and able to bypass all known security restrictions. Even though the rootkit's development cycle changed drastically and slowed down after the TDL3 period, mostly because of a major change in the development team, whoever is now handling the rootkit's development is still trying to keep the malware alive and effective against security software. Sadly, the first x64-compatible Windows kernel-mode rootkit has not disappeared; it is coming back stronger than before.
