Rootkit works on X64!

Discussion in 'malware problems & news' started by CloneRanger, Aug 21, 2010.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Hello,

    Rather easily, check out cloneranger's link in the first post to keep up with new tdl3.
    Btw x64, atm:
    Hitman Pro detects, kudos erik :thumb:
    tdsskiller does not
    SAS does not
     
  2. chronomatic

    chronomatic Registered Member

    No person I know has ever said 64 bit OSes were unbreakable. This rootkit is a bypass of PatchGuard, and PatchGuard has very little to do with a 64 bit OS (for some unknown reason, M$ only decided to apply PatchGuard in 64 bit versions of their OS).

    Wrong. Some things can be proven, mathematically, to be unbreakable. The most salient example is probably the One Time Pad, aka Vernam cipher. The unbreakable strength of an OTP was proven by the greatest information theorist of the 20th century, Claude Shannon (who also gave us digital communication), and was also proved by the Soviets at about the same time.

    And other things, while not provably unbreakable, probably are practically unbreakable (things like TripleDES or AES and other modern block ciphers).
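The property chronomatic refers to can be shown directly. The following is an added example, not code from the post or from any product discussed in the thread: a byte-wise Vernam/XOR one-time pad, a brute-force check that for a short ciphertext every possible plaintext is produced by exactly one key (Shannon's perfect secrecy, so the ciphertext carries no information about which plaintext was sent), and the standard caveat that reusing a pad leaks the XOR of the two plaintexts. All messages and keys are constructed sample values.

```python
import itertools
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR each plaintext byte with the matching key byte.

    The key must be exactly as long as the message and must never be reused;
    both conditions are what the perfect-secrecy proof relies on.
    """
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Return the (unique) key under which `ciphertext` decrypts to `candidate_plaintext`.

    Because such a key exists for every candidate of the right length, an attacker
    holding only the ciphertext cannot rule any plaintext out.
    """
    return otp_encrypt(ciphertext, candidate_plaintext)


def count_keys_per_plaintext(ciphertext: bytes) -> dict:
    """Exhaustively try every key for a short ciphertext (256**len keys).

    Returns a map plaintext -> number of keys that produce it.
    """
    n = len(ciphertext)
    counts: dict = {}
    for key_tuple in itertools.product(range(256), repeat=n):
        pt = otp_decrypt(ciphertext, bytes(key_tuple))
        counts[pt] = counts.get(pt, 0) + 1
    return counts


def perfect_secrecy_holds(ciphertext: bytes) -> bool:
    """True if every possible plaintext of this length is reachable by exactly one key."""
    counts = count_keys_per_plaintext(ciphertext)
    return len(counts) == 256 ** len(ciphertext) and set(counts.values()) == {1}


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when the same pad encrypts two messages: p1 XOR p2.

    The key cancels out, so the proof no longer applies ("two-time pad").
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1 = b"ATTACK AT DAWN"
    p2 = b"RETREAT NOW!!!"
    key = os.urandom(len(p1))
    ct = otp_encrypt(p1, key)

    # Any other plaintext is just as consistent with ct as the real one.
    alt_key = key_explaining(ct, p2)
    print(otp_decrypt(ct, alt_key))            # b'RETREAT NOW!!!'

    # Exhaustive check on a 2-byte ciphertext: 65536 keys, 65536 distinct plaintexts.
    print(perfect_secrecy_holds(b"\x3a\x7f"))  # True

    # Reusing the pad leaks the XOR of the plaintexts.
    ct2 = otp_encrypt(p2, key)
    print(pad_reuse_leak(ct, ct2) == otp_encrypt(p1, p2))  # True
```

The exhaustive check is kept to two bytes so it runs in about a second; the argument is the same for any length, since XOR with a fixed ciphertext is a bijection between keys and plaintexts.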
     
  3. erikloman

    erikloman Developer

  4. ParadigmShift

    ParadigmShift Registered Member

    Windows 7 (x64) Test Box w/latest TDL3 MBR dropper

    1. Hitman Pro 3.5.6 build 112 BETA - MBR repair worked well. (Thank you)
    2. Latest Kaspersky TDSSKiller - MBR repair worked well. (Thank you as well)
     
  5. MrBrian

    MrBrian Registered Member

    From Alureon Evolves to 64 Bit:
     
  6. Boyfriend

    Boyfriend Registered Member

    TDSSKiller should now work on x64. They have last updated their utility on Aug 27.

     
  7. erikloman

    erikloman Developer

    TDSSKiller runs on 64-bit, but it doesn't remove the 64-bit TDL3 rootkit, yet.
     
  8. Boyfriend

    Boyfriend Registered Member

    Thanks, erikloman, for the clarification. Therefore, only Hitman Pro supports removal of the TDL3 64-Bit rootkit. Keep up the good work :thumb: :)
     
  9. Rampastein

    Rampastein Registered Member

    Do any AVs currently detect this while it's active?
     
  10. Konata Izumi

    Konata Izumi Registered Member

    UAC/LUA/SRP FTW!! :D

    It's so basic... :)
    Someone should just improve the user-friendliness/convenience of running under these environments...
     
  11. ParadigmShift

    ParadigmShift Registered Member

    My testing was on 32-bit Win 7. The x64 workable tool is forthcoming.
     
  12. erikloman

    erikloman Developer

    We did a series of YouTube videos a few months ago to see which AV was able to detect a TDL3 infection. We first infected the computer (to simulate a missed dropper) and then installed the AV to see whether it was able to detect the TDL3 rootkit infection.

    You can see the videos here

    They are all on our channel here.

    Spoiler alert: All AVs fail to even detect the infection (only 1 or 2 were able to detect it but failed to remove it). AVs are oriented towards protecting the computer (blocking droppers). But since droppers are changing rapidly, AVs frequently fail to detect zero-day droppers, as you can see from these statistics where MSRT cleaned over 1.2 million computers! (Note: Microsoft started noticing the scale of TDL3 after it interfered with a security update.)

    From Hitman Pro cloud statistics we see that 31% of daily infections are currently TDL3. 67% of those infected computers are running an up-to-date AV (Windows Security Center reported a healthy installed AV during the scan).

    Most vendors have a malware top 20. And most top 20s aren't listing Alureon, TDSS, Olmarik or Tidserv (aliases for TDL3). If Microsoft can detect and clean 1.2 million computers, how can TDL3 not be in the top 20?

    The absence of TDL3 in the top 20s is a clear sign that most AVs are not detecting the TDL3 rootkit on infected computers (AVs do detect most TDL3 droppers; zero-day is a problem). The videos we did underline that: rootkits are a problem for AVs.

    OT: What is with the YouTube links not being properly parsed?
     
    Last edited: Aug 31, 2010
  13. Rmus

    Rmus Exploit Analyst

    Good morning from California, erikloman,

    Do you have any idea how many of the infections come from remote code execution exploits, versus manually installing something that happens to be infected?

    thanks,

    rich
     
  14. erikloman

    erikloman Developer

    I wish we had that kind of detailed information, but Hitman Pro is on-demand only, so we don't see how it got on the system.

    From what I can tell, TDL3 is pushed by all means: spam, PDF/Java exploits, drive-by downloads, fake websites (looking like an AV), cracks/keygens downloaded from websites, torrents, newsgroups, etc.

    Once you have TDL3 it reels in additional malware (usually rogues/fake AV). The TDL3 authors get their money from the stuff that gets installed.

    The additional malware is usually detected by an installed AV, but the TDL3 rootkit remains. So the AV keeps warning users on a regular basis.

    Users then start looking for a solution and end up using software like TDSSKiller or Hitman Pro. Whereas TDSSKiller (or any other TDL3-specific tool) only kills TDL3, Hitman Pro kills TDL3 and all the additional malware it finds.
     
    Last edited: Aug 31, 2010
  15. Rampastein

    Rampastein Registered Member

    Thanks for those, good to know. Some products might have improved since the making of those videos, but they still show that only a few AVs can detect TDL3.
     
    Last edited: Sep 1, 2010
  16. Rmus

    Rmus Exploit Analyst

    Thanks!

    ----
    rich
     
  17. CloneRanger

    CloneRanger Registered Member

    Amazing :eek:

    Exactly !

    Sure are, even though a few years back quite a number of people said they never would be :p

    It prevents click through payments from here to there ;)
     
  18. ESS3

    ESS3 Registered Member

    Attached Files:

  19. wearetheborg

    wearetheborg Registered Member

    erikloman, thanks for the stats!

    Isn't there a way for TDL3 or other malware to be such that it is not detectable by any anti-malware software? When it gets installed, it has root privileges, so it can do whatever it wants...
     
  20. stackz

    stackz Registered Member

    Detection of the presence of all TDL3 versions has always been trivial via user mode memory scanning - the same method works for them all.
     
  21. rager

    rager Registered Member

    So there are rootkits that work on x64... but doesn't that still imply that using an x64 OS makes you considerably less likely to get infected by a rootkit?

    There aren't many out there that work on x64, right? So in practical terms most users are quite safe? Or am I wrong?
     
  22. CloneRanger

    CloneRanger Registered Member

  23. katio

    katio Guest

    So how does it bypass PatchGuard? Does it rely on a bug, or is it a problem with the design and implementation of PatchGuard itself?
    Given that according to Wikipedia "Microsoft has stated that they are committed to remove any flaws that allow KPP to be bypassed as part of its standard Security Response Center process", I'd expect a security fix like last Patch Tuesday. Any CVE I could track?
    Thank you.
     
  24. CloneRanger

    CloneRanger Registered Member

  25. EraserHW

    EraserHW Malware Expert

    Quoting Wikipedia:

    The TDL3/4 rootkit bypasses PatchGuard by design, because it doesn't patch the Windows kernel in any way. It does patch the miniport driver.
     