|29 Aug 2010||#1|
| || |
x64 TDL3 rootkit - follow up.
We have already written in a previous blog post about the new TDL3 rootkit able to hit 64 bit Windows operating systems. We will try to check more in depth how it is actually working.
The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.
As already written in the first blog post, the dropper uses two different infection techniques. If the system is a 32 bit build of Windows, the dropper will use the common technique already used by old TDL3 rootkit, by loading its driver through AddPrintProvidor API trick. After the driver is loaded, the rootkit will overwrite the master boot record with its own code.
If the system is a 64 bit build of Windows, the dropper is not able to load its own unsigned driver because of Windows security checks. The dropper needs to get its driver loaded by using the MBR trick. As said in the previous blog post, the dropper infects the drive's MBR and immediately reboot the system to get its code loaded at the following system startup.
The dropper is using a non conventional - though well known - way to patch the drive's master boot record. It opens an handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands. It make uses of IOCTL_SCSI_PASS_THROUGH_DIRECT command, well documented by Microsoft in its MSDN.
x64 TDL3 rootkit - follow up
|My System Specs|
|Similar help and support threads for2: x64 TDL3 rootkit - follow up.|
|Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough||System Security|
|salvaging a TDL3 infected HDD||System Security|
|tdl3 rootkit browsers hook to directdr.com & urbtk.com||System Security|
|TDL3 Rootkit 64 Bit Driver||System Security|
|TDL3 rootkit x64 goes in the wild||News|
|Interesting 'Read' about tdl3 rootkit||Security News|
|UAC Feedback and Follow-Up||News|