TDL3 rootkit x64 goes in the wild

JMH

It took some time but now x64 Windows operating systems are officially the new target of rootkits.

We talked about the TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuilt versions of the TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable and it is currently running without any major bug on every 32-bit Windows operating system. Still, the dropper needed administrator rights to install the infection on the system. Anyway, the team behind the TDL3 rootkit was just too quiet not to expect something new.

They actually built a nice gift for every security vendor, because TDL3 has been updated, and this time it is a major update: the rootkit is now able to infect 64-bit versions of the Microsoft Windows operating system.

Why is this worrying and important news? x64 versions of Windows are considered much more secure than their respective 32-bit versions because of some advanced security features which are intended to make it more difficult to get into kernel mode and hook the Windows kernel.

Windows Vista 64-bit and Windows 7 64-bit don't allow every driver to get into the kernel memory region, due to a very strict digital signature check. If the driver has not been digitally signed, Windows won't allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware isn't usually signed - at least, it shouldn't be.

The second technique used by Microsoft Windows to prevent kernel mode drivers from altering Windows kernel behavior is the infamous Kernel Patch Protection, also known as PatchGuard. This security routine blocks every kernel mode driver from altering sensitive areas of the Windows kernel - e.g. SSDT, IDT, kernel code.
More - TDL3 rootkit x64 goes in the wild
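The post leans on the x64 kernel-mode code signing check as the first line of defence. As an added example (not from the quoted article or from any of the posters), here is a PowerShell check that enumerates the drivers currently running and reports the Authenticode status of each on-disk image, so anything that is not cleanly signed surfaces at the top of the list. It assumes an elevated prompt and that driver paths reported by the CIM provider can be normalised to ordinary file paths.

```powershell
# Added example: report the Authenticode signature status of every running
# kernel driver. On x64 Windows the loader refuses unsigned drivers, so a
# running driver whose on-disk file fails verification deserves a closer look.
# Assumption: run elevated so every driver image on disk is readable.

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # Win32_SystemDriver reports kernel-style paths (\SystemRoot\..., \??\...,
        # or a bare system32\...); turn them into paths Test-Path understands.
        $path = $drv.PathName -replace '^\\\?\?\\', '' `
                              -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                              -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver with no file on disk is itself worth noting.
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer = $sig.SignerCertificate.Subject    # $null when there is no signature
        }
    }
}

# List drivers that are not cleanly signed first, then the rest.
Get-DriverSignatureReport |
    Sort-Object { $_.Status -eq 'Valid' } |
    Format-Table -AutoSize
```

Many inbox Windows drivers are catalog-signed rather than carrying an embedded signature, so on older releases they can show as NotSigned; treat that status as a prompt to verify the file against the system catalogs, not as proof of tampering.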
Just like Linux is (was?) safe. When something becomes very popular, it's fair game for nutcases.
Thanks for the post Jan:)

Does anyone know whether Sophos Anti-Rootkit will spot this and deal with it?