TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn

TDL3 Rootkit Background


Topic: TDL3 Rootkit variant
Source: SANS NewsBites, Volume XII, Issue 70 (August 26, 27 & 30, 2010)
TDL3 Rootkit, version 3.273
Combines an MBR rootkit with techniques from Rustock.C and older TDSS variants.
Widely described at the time as the stealthiest rootkit in the wild.

Rootkits
Wikipedia: "A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications."
High risk: cited as affecting 1 in 5 Windows machines.
The name combines "root" (the privileged account) and "kit" (the set of tools that keeps that access).

Rootkits
Netsecurity.about.com: "A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it."
Historically mostly a 32-bit problem, since 64-bit Windows enforces kernel driver signing (see Prevention below).

Rootkits
Rootkits are not really viruses: a rootkit hides and keeps access rather than spreading by itself.
Machine independent: the concept applies to any operating system, not only Windows.
Gives the attacker remote access to the machine.
Runs with the same level of access as anti-virus software, so it can subvert it.

Prevention
Digital signature checks reject unsigned (rogue) kernel drivers; 64-bit Windows enforces kernel-mode code signing.
PatchGuard (Kernel Patch Protection) blocks some modifications of the Windows kernel on 64-bit systems.
Vista and Windows 7 do not run the user as a full administrator by default (User Account Control).

TDL3 Rootkit
Also known as the Alureon rootkit.
More sophisticated than earlier TDSS variants.
Version 3.273.
Targets 64-bit machines that were previously considered safer.
Spread through malicious websites and exploit kits.

TDL3 Rootkit
Gains control during the boot sequence.
Alters the Master Boot Record (MBR). MBR code runs before the kernel loads, which gets around the first two preventions (driver signature checks and PatchGuard).
Forces a restart; the altered MBR is then loaded and hooks into the boot process as the kernel starts.
Its body is encrypted with a simple ROR (rotate right) loop.
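One practical consequence of an MBR-altering rootkit is that the first sector of the disk must be checked from outside the suspect OS. The following is an added example, not code from the presentation or from the cited Prevx posts: a small offline MBR sanity check that verifies the 0x55AA signature, hashes the 440-byte bootstrap area against a known-good value, and decodes the partition table. The clean and infected MBR images below are constructed for this example; the boot code bytes are placeholders, not any real loader, and the known-good hash would in practice come from a trusted dump of the same machine.

```python
"""Offline MBR sanity check: flag a modified bootstrap area.

Added example (not from the presentation). Assumes the first 512 bytes of
the disk were dumped from a clean environment (e.g. a rescue boot) and the
SHA-256 of the boot code that should be there is known.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440        # offsets 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446     # four 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIG_OFFSET = 510       # 0x55 0xAA marks a valid MBR


def parse_partitions(mbr):
    """Decode the four primary partition entries into dicts."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        parts.append({"index": i, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr, expected_boot_code_sha256):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    if mbr[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    if digest != expected_boot_code_sha256:
        findings.append("boot code modified (sha256 %s...)" % digest[:16])
    active = [p for p in parse_partitions(mbr) if p["active"]]
    if len(active) != 1:
        findings.append("%d partitions flagged active, expected 1" % len(active))
    return findings


# Constructed sample data: a stand-in for a clean MBR. The boot code bytes
# are placeholders for this example, not a real loader.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0" + b"\x90" * 429 + b"\xeb\xfe"
assert len(CLEAN_BOOT_CODE) == BOOT_CODE_SIZE
DISK_SIGNATURE = b"\x12\x34\x56\x78\x00\x00"      # 4-byte signature + 2 reserved
PARTITION_TABLE = (
    struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    + b"\x00" * (3 * PART_ENTRY_SIZE)              # three unused entries
)
CLEAN_MBR = CLEAN_BOOT_CODE + DISK_SIGNATURE + PARTITION_TABLE + b"\x55\xaa"
assert len(CLEAN_MBR) == MBR_SIZE
CLEAN_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# Constructed "bootkit" MBR: same partition table, disk signature and 0x55AA,
# but the bootstrap code has been replaced.
INFECTED_MBR = (b"\xeb\x10" + b"\xcc" * 438) + CLEAN_MBR[BOOT_CODE_SIZE:]
assert len(INFECTED_MBR) == MBR_SIZE

if __name__ == "__main__":
    # On a live system the sector would be read with, for example,
    #   open(r"\\.\PhysicalDrive0", "rb").read(512)   (Windows, as admin)
    #   open("/dev/sda", "rb").read(512)              (Linux rescue boot)
    # and read from outside the suspect OS, since a rootkit that filters
    # disk I/O can hand clean bytes back to readers inside it.
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, CLEAN_HASH) or "OK")
```

The partition table and disk signature are left untouched in the infected image on purpose: a bootkit only needs to own the first 440 bytes, so a check that only looks at the partition layout or the 0x55AA marker learns nothing. The boot-code hash is the check that matters.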

TDL3 Rootkit Details
Its kernel code is stored as raw bytes, so it passes security checks that look for a driver image.
TDL3 encodes and decodes its files on the fly, so its code can pass as part of the kernel.
At startup it hunts for a driver object to hijack.
It overwrites 824 bytes of an existing driver in place, so the file size does not change and a size check passes.
It installs a fake driver object that captures disk I/O, and hunts for kernel32.dll for the user-mode infection stage.
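The two details above, an in-place 824-byte overwrite and a fake driver object that captures disk I/O, together defeat the checks a scanner running inside the infected OS would normally rely on. The following is an added example, not code from the presentation or from TDL3 itself: it patches a constructed stand-in for a system driver in place, then models a filtered disk read path that hands back the original bytes for the patched region, and shows which checks still pass. The driver bytes, the patch offset and the hook behaviour are all constructed for this example.

```python
"""Why a file-size check misses TDL3's in-place driver patch, and why a hash
computed through the rootkit's filtered disk reads misses it as well.

Added example, not from the presentation. The driver bytes, patch offset and
hooked-read behaviour are constructed to mirror the slides' description;
none of it is TDL3's real code or on-disk layout.
"""
import hashlib

PATCH_SIZE = 824           # size the slides give for the in-place overwrite
PATCH_OFFSET = 2048        # constructed: where the loader lands in the sample


def patch_in_place(image, offset, loader):
    """Overwrite len(loader) bytes at offset; total length stays the same."""
    if offset + len(loader) > len(image):
        raise ValueError("patch does not fit inside the image")
    return image[:offset] + loader + image[offset + len(loader):]


class HookedDisk:
    """A disk whose read path is filtered, as the slides describe: reads that
    touch the patched region receive the original clean bytes instead."""

    def __init__(self, raw, clean, patched_range):
        self.raw = raw                 # what is really stored
        self._clean = clean            # what the filter hands back
        self._lo, self._hi = patched_range

    def read(self, offset, length, through_hook=True):
        overlaps = offset < self._hi and offset + length > self._lo
        if through_hook and overlaps:
            return self._clean[offset:offset + length]
        return self.raw[offset:offset + length]


def hash_matches(disk, expected_sha256, through_hook):
    """Hash the whole image as seen via the chosen read path."""
    data = disk.read(0, len(disk.raw), through_hook)
    return hashlib.sha256(data).hexdigest() == expected_sha256


def scan(disk, clean_size, clean_sha256):
    """Run the checks a scanner might try and report what each one sees."""
    return {
        "size_unchanged": len(disk.raw) == clean_size,
        "hash_ok_via_hooked_read": hash_matches(disk, clean_sha256, True),
        "hash_ok_via_raw_read": hash_matches(disk, clean_sha256, False),
    }


# Constructed sample: a 4 KiB stand-in for a system driver and an 824-byte
# stand-in for the rootkit's loader stub (int3 padding, not real code).
CLEAN_DRIVER = bytes(range(256)) * 16
CLEAN_SHA256 = hashlib.sha256(CLEAN_DRIVER).hexdigest()
LOADER_STUB = b"\xcc" * PATCH_SIZE
INFECTED_DRIVER = patch_in_place(CLEAN_DRIVER, PATCH_OFFSET, LOADER_STUB)
DISK = HookedDisk(INFECTED_DRIVER, CLEAN_DRIVER,
                  (PATCH_OFFSET, PATCH_OFFSET + PATCH_SIZE))

if __name__ == "__main__":
    for name, ok in scan(DISK, len(CLEAN_DRIVER), CLEAN_SHA256).items():
        print("%-24s %s" % (name, "passes" if ok else "FAILS"))
```

Only the raw-read hash fails. In practice that means reading the driver's sectors from below the hooked layer or from outside the infected OS (a rescue boot or a forensic image), which is also why the "no one can get a handle to the infected driver file" symptom on the next slide is worth treating as a red flag rather than an oddity.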

TDL3 Rootkit
Has a watchdog thread that reverts any change to its service registry key.
No one can get a handle to the infected driver file (a red flag on a suspect machine).
In February 2010 it caused BSODs after the MS10-015 update.
The rootkit located Windows kernel APIs through hardcoded RVA (Relative Virtual Address) offsets. The update changed the kernel, so those offsets no longer pointed at the intended functions. After the restart the rootkit called an invalid address and the system crashed.

TDL3 fights back
The BSOD caused trouble, but it also drew attention to machines that were already compromised.
The TDL3 authors shipped an updated version within hours that worked with the patched kernel.
The payload component was named tdlcmd.dll or z00clicker.dll.

TDL3 Rootkit
First significant 64-bit rootkit.
Malware begets more malware.
Anti-virus lag: defenders respond after the fact.
A security chess match between rootkit authors and vendors.

Cited Sites
http://www.guidingtech.com/4467/what-is-a-rootkit/
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html