New TDL4 Windows rootkit variant has resurfaced

A new variant of the TDL4 rootkit (also known as TDSS or Alureon) has been identified. It generates domain names for its command-and-control (C&C) communication using a domain generation algorithm. At the time of writing, no binaries for this variant have been identified and classified by antivirus vendors, at either the host or the network level.

What this means is that signature-based detection will miss this strain, although behaviour-based anti-malware products may well be catching it. TDL4 is capable of targeting the Volume Boot Record (VBR), and antivirus products are currently unable to detect and remove this variant. So how was this new TDSS (TDL4) variant found?

A leading security research company detected a new pattern of DNS (Domain Name System) requests for non-existent domains, i.e. queries that the resolver answers with NXDOMAIN. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA): the bot computes a fresh list of candidate domains (typically from the current date and a seed), tries to resolve each one until it hits a domain the operator has actually registered, and every miss shows up as an NXDOMAIN. Some malware creators use DGAs to evade network-level domain blacklists and to make their command-and-control infrastructure more resilient against takedown attempts, because a defender has to predict and sink-hole the whole list rather than block one hard-coded domain.
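The detection described above can be reproduced on any resolver log. The script below is an added example, not code from the original post or from the research company it mentions: it reads a constructed sample of resolver log lines (the line format, the IP addresses and the domain names are all made up for the illustration), counts NXDOMAIN responses per client, and flags clients that fail to resolve many distinct names whose second-level labels look random (high Shannon entropy). The thresholds are assumptions and should be tuned against a baseline of your own traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (not real captured traffic). The format assumed
# for this example is "<timestamp> <client-ip> <query-name> <rcode>", one query per line.
SAMPLE_LOG = """\
2012-03-05T10:00:01 10.0.0.5 www.example.com NOERROR
2012-03-05T10:00:02 10.0.0.5 mail.example.com NOERROR
2012-03-05T10:00:03 10.0.0.7 kqzxwvpltrmn.com NXDOMAIN
2012-03-05T10:00:03 10.0.0.7 vbhtrqmzkwxp.net NXDOMAIN
2012-03-05T10:00:04 10.0.0.7 pqlxnwrtkvbz.com NXDOMAIN
2012-03-05T10:00:04 10.0.0.7 zrtkqwvmxlbn.info NXDOMAIN
2012-03-05T10:00:05 10.0.0.7 hqtrlzwvkxmp.com NXDOMAIN
2012-03-05T10:00:05 10.0.0.7 xlkwtqvbnzmr.net NXDOMAIN
2012-03-05T10:00:06 10.0.0.7 wbnqxzkrvtlm.com NOERROR
2012-03-05T10:00:07 10.0.0.9 intranet.corp.example NXDOMAIN
2012-03-05T10:00:08 10.0.0.9 www.example.com NOERROR
"""


def parse_line(line):
    """Split one log line into (client, qname, rcode); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode.upper()


def second_level_label(qname):
    """Label immediately left of the TLD ('example' for www.example.com).
    A DGA rotates exactly this label, so it is the part whose randomness we measure."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits of entropy per character of `text`. The upper bound is log2(len(text));
    dictionary words score noticeably lower than labels drawn from random letters."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text):
    """Per-client statistics: total queries, NXDOMAIN count, distinct failing
    domains and the mean entropy of the failing second-level labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set(), "entropies": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on them
        client, qname, rcode = parsed
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["domains"].add(qname)
            s["entropies"].append(shannon_entropy(second_level_label(qname)))
    report = {}
    for client, s in stats.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        report[client] = {
            "queries": s["queries"],
            "nxdomain": s["nxdomain"],
            "distinct_nx": len(s["domains"]),
            "mean_entropy": mean_entropy,
        }
    return report


def flag_dga_suspects(log_text, min_nxdomain=5, min_entropy=3.0):
    """Clients with many NXDOMAINs for mostly distinct, high-entropy names.
    The thresholds are illustrative assumptions, not values from the original post."""
    suspects = []
    for client, r in sorted(score_clients(log_text).items()):
        mostly_distinct = r["distinct_nx"] >= 0.8 * r["nxdomain"]
        if r["nxdomain"] >= min_nxdomain and mostly_distinct and r["mean_entropy"] >= min_entropy:
            suspects.append(client)
    return suspects


if __name__ == "__main__":
    for client, r in sorted(score_clients(SAMPLE_LOG).items()):
        print(f"{client}: {r['nxdomain']}/{r['queries']} NXDOMAIN, "
              f"mean label entropy {r['mean_entropy']:.2f}")
    print("DGA suspects:", flag_dga_suspects(SAMPLE_LOG))
```

On the sample only 10.0.0.7 is flagged: six distinct random-looking domains in three seconds. The host 10.0.0.9 also produces an NXDOMAIN, but a single, low-entropy name such as a mistyped internal hostname is the normal background noise this check is meant to ignore. Expect other benign sources of NXDOMAIN bursts as well (search-domain suffixing, stale bookmarks, browsers probing random hostnames to detect DNS hijacking), which is why the entropy and distinct-domain conditions matter more than the raw count.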

The new variant has been categorised as Sst.c (also known as Maxss), a modification of the TDL4 strain, and it is spreading fast right now.

Why not check out my previous posts on TDL4?

Safe surfing folks!
