TDL4 rootkit now stronger than before

http://www.prevx.com/blog/172/TDL-rootkit-is-coming-back-stronger-than-before.html

 

Thanks for sharing.

 

Time to get another patch out MS, our 64bit immunity was short lived.

 

TDL4 bootkit reinstates 64-bit infection capability

http://hitmanpro.wordpress.com/2011/05/02/tdl4-bootkit-reinstates-64-bit-infection-capability/

 

Still vulnerable though, to a variety of methods.

 

Well, the dropper first has to execute before it can install the rootkit. From an earlier blog Marco refers to:

He also mentions that the droppers have been seen in exploit kits.

I found this one, the site uses the Black Hole Kit, and it serves up Java and PDF exploits.
The random long file name 0.###...exe is similar to TDL4 filenames I've seen in some of the hijack forums, although I can't be sure.

It doesn't really matter, though - - an executable is an executable.



Now, exploit kit stuff is usually triggered by javascript, and this is no different. Some snippets of the code:



So, if my javascript is white listed per site, and plugins disabled, neither of those exploits can trigger,
and the page just sits there doing nothing:



I mention this because the tendency is to focus mainly on the impressive sophistication of today's malware,
rather than on the (usally simple) preventative measures!

Marco refers to another attack vector in a previous blog:

No further comment on that is needed!

regards,

-rich

 

Thanks for read

 

This TDL4 rootkit sounds bad, anyone know how the detection rate of this rootkit is? Any MD5 hashes of the file?

 

At kernelmode.info, you can find some VirusTotal dll scan results, including hashes.
Their 'Malware thread; Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)' --http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&start=400--

 

"unfortunately", the site that Rmus refers to is not functioning anymore so i could not play with the virus.

 

Mmm probably true.

I suppose users unfortunately getting infected with tdl highlights the failure, possibly combined with a lack of knowledge of their protection methods.