TDL3 Rootkit Presentation
TDL3 Rootkit
A SANS NewsBites Analysis by Marshall Washburn
Topic: TDL3 Rootkit variant
- SANS NewsBites, Volume XII, Issue 70 (August 26, 27 & 30, 2010)
- TDL3 Rootkit, version 3.273
- Combination of MBR rootkit, Rustock.C and old Tdss variants
- Stealthiest in the world
Rootkits
- Wikipedia: "A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications"
- High risk: 1 in 5 Windows machines
- "Root" and "kit"
Rootkits
- Netsecurity.about.com: "A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it"
- Typically 32-bit problems
Rootkits
- Rootkits are not really viruses
- Machine independent
- Remote access
- Anti-virus level access
Prevention
- Digital signature check for rogue drivers
- PatchGuard prevents some changes to the Windows kernel
- Vista and Win7 do not allow Admin
TDL3 Rootkit
- Also known as the Alureon rootkit
- More sophisticated
- Version 3.273
- Targets 64-bit machines that were previously considered safer
- Spread through websites and exploit kits
TDL3 Rootkit
- Gains control during the boot sequence
- Alters the Master Boot Record. This gets around the first two preventions.
- Enacts a restart, which loads the altered MBR and catches process signals
- Encrypted with a ROR loop (rotate right)
TDL3 Rootkit Details
- Kernel code appears as raw bytes and passes security checks
- TDL3 encodes and decodes files on the fly, so it can pass as a piece of the kernel code
- At startup, hunts for the driver object
- Overwrites 824 bytes, avoiding the file size check
- Fake driver object captures disk I/O and hunts for kernel32.dll
- Infection
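The two slides above make one defensive point: an MBR rootkit changes what the first sector does without changing its size, so a size check passes while a content check fails. The following added example (not part of the presentation or of any cited source) parses a 512-byte MBR and compares its boot code and partition table against a recorded baseline; the clean and altered sectors are constructed samples, and the hash baseline is taken from the clean sample.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap code, the part an MBR rootkit replaces
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition table and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(mbr: bytes, baseline_boot_sha256: str, baseline_partitions: list) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (size unchanged at 512 bytes)")
    if info["partitions"] != baseline_partitions:
        findings.append("partition table differs from baseline")
    return findings

# Constructed clean sample: standard "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue,
# zero padding, one bootable NTFS (type 0x07) partition starting at LBA 2048.
_clean_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_SIZE - 7)
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
CLEAN_MBR = _clean_code + _entry + b"\x00" * 48 + BOOT_SIGNATURE
BASELINE = parse_mbr(CLEAN_MBR)  # stands in for a baseline recorded from a known-good image

# Constructed altered sample: same size and partition table, first bytes of boot code patched.
ALTERED_MBR = bytes(b"\xEB\x4C\x90" + CLEAN_MBR[3:])  # simulated change, not real malware code

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        print(name, check_mbr(sector, BASELINE["boot_code_sha256"], BASELINE["partitions"]))
```

On a live system the 512 bytes would be read from the raw physical disk rather than through the file system, since a rootkit that captures disk I/O (as the slide describes) can return a clean-looking sector to anything that asks through the normal path.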
TDL3 Rootkit
- Has a watchdog thread to prevent any change to the service registry key
- No one can get a handle to the infected driver file (red flag)
- In Feb. it caused a BSOD with the MS10-015 update
- RVA (Relative Virtual Address) offsets of Windows kernel APIs were modified and used to find functions. On the update, the values changed. After restart, the rootkit called an invalid address.
TDL3 fights back
- While this caused a BSOD, it did bring notice to a potential problem
- TDL3 authors released an update within hours that worked with the patched kernel
- Process was called tdlcmd.dll or z00clicker.dll
TDL3 Rootkit
- First significant 64-bit rootkit
- Malware begets more malware
- Anti-virus lag
- Security chess match
Cited Sites
- http://www.guidingtech.com/4467/what-is-a-rootkit/
- http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
- http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
- http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html