We have already written in a previous blog post about the new TDL3 rootkit able to hit 64 bit Windows operating systems. We will try to check more in depth how it is actually working.

The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.

As already written in the first blog post, the dropper uses two different infection techniques. If the system is a 32 bit build of Windows, the dropper will use the common technique already used by old TDL3 rootkit, by loading its driver through AddPrintProvidor API trick. After the driver is loaded, the rootkit will overwrite the master boot record with its own code.

If the system is a 64 bit build of Windows, the dropper is not able to load its own unsigned driver because of Windows security checks. The dropper needs to get its driver loaded by using the MBR trick. As said in the previous blog post, the dropper infects the drive's MBR and immediately reboot the system to get its code loaded at the following system startup.

The dropper is using a non conventional - though well known - way to patch the drive's master boot record. It opens an handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands. It make uses of IOCTL_SCSI_PASS_THROUGH_DIRECT command, well documented by Microsoft in its MSDN.

Source -
x64 TDL3 rootkit - follow up

Posted By: JMH
29 Aug 2010