The Windows 64-bit TDL4 rootkit malware threat

The TDL rootkit family (Win32/Olmarik, TDSS and Alureon) has been found to be sophisticated enough to bypass the enhanced security for 64-bit kernel-mode drivers in Vista and Windows 7. So what about TDL4? TDL4 is the latest known version of the older TDSS/Alureon rootkit.

What does this rootkit do? These rootkits infect the master boot record of a PC (which is why they are often referred to as bootkits) and can be very difficult to remove even when antivirus software detects them. TDL1-3 are easily detected and removed; TDL4 appears to be causing concern even today, some 6 months after it was identified in the wild. The TDL4 rootkit is designed to bypass the Windows kernel-mode code signing policy on 64-bit systems (as well as disable debuggers) and to block Windows Updates :(. The policy is enforced by a component called Code Integrity, which is designed to detect when an unsigned driver is being loaded into kernel mode or when a system binary has been modified by malicious means.

TIP: Did you know that you can disallow unsigned executables from running on Windows XP by amending a registry setting?

TIP: Make sure you have Windows Update KB2506014 installed. This will kill the TDL4 rootkit before it can wreak system havoc.

The TDL/TDSS rootkits are in a continuous state of development, so if you are unfortunate enough to find you are infected with TDL4, the only option you will have is to boot the Windows OS from a Windows repair CD.
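As an added example (not part of the original post), the following Windows PowerShell script checks a 64-bit host for the two points raised above: whether KB2506014 is installed, and whether the boot configuration still enforces the kernel-mode code signing policy that Code Integrity relies on, followed by a review list of running drivers without a valid Authenticode signature. It assumes an elevated Windows PowerShell prompt on the machine being checked; the KB number comes from the post, the cmdlets and BCD option names are standard Windows ones.

```powershell
# Added example: defensive checks on a 64-bit Vista/Windows 7 host for the
# kernel-mode code signing policy and the KB2506014 update named in the post.
# Assumption: run from an elevated Windows PowerShell prompt on that host.

# 1. Is the KB2506014 update installed?
$kb = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB2506014' }
if ($kb) { "KB2506014 installed on $($kb.InstalledOn)" }
else     { "KB2506014 NOT installed: apply it via Windows Update" }

# 2. Has the boot configuration been changed to weaken Code Integrity?
#    'testsigning Yes' or 'nointegritychecks Yes' in the current boot entry
#    means unsigned kernel-mode code would be accepted; neither should be
#    set on a production machine.
$bcd  = bcdedit /enum '{current}' 2>&1
$weak = $bcd | Where-Object { $_ -match '^\s*(testsigning|nointegritychecks)\s+Yes' }
if ($weak) { "WARNING: boot entry weakens code signing:"; $weak }
else       { "Boot entry does not disable code signing checks" }

# 3. Which running kernel-mode drivers lack a valid Authenticode signature?
#    Caveat: catalog-signed Microsoft drivers may report NotSigned on older
#    PowerShell versions, so treat this as a list to review, not a verdict.
$drivers  = Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
$unsigned = foreach ($d in $drivers) {
    # Normalise the NT-style paths WMI reports (\??\C:\... or \SystemRoot\...)
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Driver = $d.Name; Path = $path; Status = $sig.Status }
        }
    }
}
$unsigned | Format-Table -AutoSize
```

A bootkit that has already subverted the boot process can lie to tools run from inside the infected OS, so a clean result here does not replace an offline scan from a repair CD.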

Safe surfing folks!
Julian


4 Responses to The Windows 64-bit TDL4 rootkit malware threat

  1. Julian says:

    I’ve been asked on http://www.icttf.org/blogs/797/74/the-windows-64-bit-tdl4-rootkit about why this rootkit doesn’t affect 32-bit Windows systems. Very few rootkits manage to infect 64-bit Windows systems. Microsoft insists all drivers running under the 64-bit (x64) version of Windows Vista and Windows 7 be digitally signed by Microsoft’s root certificate. Unsigned drivers are not supported and cannot be installed on 64-bit (unlike 32-bit), which is why the 64-bit TDL4 rootkit is so interesting.

  2. Julian says:

    30/06/11 update: If you are infected with the TDL4 bootkits, here is some further reading: http://public.avast.com/~gmerek/aswMBR.exe
    http://support.kaspersky.com/viruses/solutions?qid=208280748

  3. danielb says:

    >> The TDL/TDSS rootkits are in a continuous state of development, so if you are unfortunate enough to find you are infected with TDL4, the only option you will have is to boot the Windows OS from a Windows repair CD.

    This statement makes no sense… why does the fact that the TDL rootkit is “under development” have any bearing on whether your particular variant can be removed by the likes of Malwarebytes?

  4. Julian says:

    #Danielb# I made a subjective comment based on what I knew from my AV vendor colleagues. MBR rootkits by their very nature go undetected by AV engines (some for days), so if I am understanding your question – MalwareBytes in this instance (and if a user is not using it for proactive detection i.e. only remediation), can only remove a ‘variant’ by rebooting Windows from a repair CD.
