The Latest in IT Security

TDL4: Beat-root with Confidence


Sorry. If there's one thing I find even more irresistible than a good pun, it's a bad one. Lettuce get down to business.

My Russian colleagues Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011 in Krakow, which is now available on our white papers page. If you follow this blog regularly, you'll know that this is a topic on which they certainly know their onions, and on this occasion they discussed how they analysed the rootkit and what its implications are.

Just to whet your appetite, here's what was on the menu:

  • Evolution of TDL rootkits
  • Installation on x86 vs. x64
  • TDL bootkit, or how to bypass driver signature check
  • How to debug a bootkit with Bochs emulator
  • Kernel-mode hooks
  • TDL hidden file system layout
  • Payload injection
  • TdlFsReader as a forensic tool

If the presentation is the appetiser, you'll love the main course we previously made available on the white papers page, a paper on The Evolution of TDL: Conquering x64. And there are also some related side dishes at (they let me put my name on those, too, just to prove I'm earning my celery):

Sorry about the word salad.

ESET Senior Research Fellow


