
Windows 7: x64 TDL3 rootkit - follow up.

29 Aug 2010   #1

Win 7 Ultimate 64-bit. SP1.
x64 TDL3 rootkit - follow up.


We have already written in a previous blog post about the new TDL3 rootkit able to hit 64 bit Windows operating systems. We will try to check more in depth how it is actually working.

The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.

As already written in the first blog post, the dropper uses two different infection techniques. If the system is a 32 bit build of Windows, the dropper will use the common technique already used by the old TDL3 rootkit, by loading its driver through the AddPrintProvidor API trick. After the driver is loaded, the rootkit will overwrite the master boot record with its own code.

If the system is a 64 bit build of Windows, the dropper is not able to load its own unsigned driver because of Windows security checks. The dropper needs to get its driver loaded by using the MBR trick. As said in the previous blog post, the dropper infects the drive's MBR and immediately reboots the system to get its code loaded at the following system startup.

The dropper is using a non-conventional - though well known - way to patch the drive's master boot record. It opens a handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands. It makes use of the IOCTL_SCSI_PASS_THROUGH_DIRECT command, well documented by Microsoft in its MSDN.

Source -
x64 TDL3 rootkit - follow up
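Since the quoted post describes the infection as a rewrite of the first sector of PhysicalDrive0, the defensive counterpart is to parse a saved 512-byte MBR image and compare its boot code against a baseline taken when the machine was known clean. The following Python script is an added example and is not code from the Prevx post or from this forum; the sample images it builds are constructed in the script itself, and the baseline-hash check and `build_sample_mbr` helper are this example's own design, not a tool mentioned in the post. It reads no disk: in practice the 512-byte image would be captured with administrative rights, and because a resident rootkit can filter disk reads on the infected system, an image taken offline (for example from boot media) is the reliable input.

```python
"""Parse a 512-byte MBR image and compare its boot code to a trusted baseline.

Added example: constructed sample images, no disk access.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, boot-signature status and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[offset:offset + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the image matches the baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from trusted baseline")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition marked active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: the given boot code plus one NTFS partition at LBA 2048."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Constructed "known clean" image; its boot-code hash becomes the baseline.
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean image:", check_mbr(clean, baseline) or "matches baseline")
    # Constructed image whose boot code was replaced: should be reported.
    tampered = build_sample_mbr(b"\xeb\xfe")
    print("tampered image:", check_mbr(tampered, baseline))
```

The check deliberately hashes only the 446 boot-code bytes, so routine partition-table edits (a new volume, a changed active flag) do not mask a boot-code change behind a whole-sector hash mismatch; the partition entries are still parsed so that an image with no active partition or a missing 0x55AA signature is flagged separately.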
