The TDL rootkit family (Win32/Olmarik, TDSS, and Alureon) has proven sophisticated enough to bypass the enhanced security of 64-bit kernel-mode drivers on Vista and Windows 7. So what about TDL4? TDL4 is the latest known version of the older TDSS/Alureon rootkit.
What does this rootkit do? These rootkits infect the master boot record (MBR) of a PC, which is why they are often referred to as bootkits, and they can be very difficult to remove even once antivirus software detects them. TDL1-3 are easily detected and removed; TDL4 appears to be causing concern even today, some 6 months after it was identified in the wild. The TDL4 rootkit is designed to bypass the Windows kernel-mode code signing policy on 64-bit systems (as well as disabling debuggers) and to block Windows Updates :(. The policy is enforced by a component called Code Integrity, which is designed to detect whether an unsigned driver is being loaded into kernel mode or a system binary file has been modified by malicious means.
TIP: Did you know that you can disallow unsigned executables from running on Windows XP by amending a registry setting?
TIP: Make sure you have Windows Update KB2506014 installed. This will kill the TDL4 rootkit before it can wreak system havoc.
The TDL/TDSS rootkits are in a continuous state of development, so if you are unfortunate enough to find you are infected with TDL4, the only option you will have is to boot the Windows OS from a Windows repair CD.
Safe surfing folks!