Sorry. If there's one thing I find even more irresistable than a good pun, it's a bad one. Lettuce get down to business.
My Russian colleagues Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011, in Krakow, and now available on our white papers page. If you follow this blog regularly, you'll know that this is a topic on which they certainly know their onions, and on this occasion they discussed how they analysed the rootkit and its implications.
Just to whet your appetite, here's what was on the menu:
- Evolution of TDL rootkits
- Installation on x86 vs. x64
- TDL bootkit, or how to bypass driver signature check
- How to debug a bootkit with Bochs emulator
- Kernel-mode hooks
- TDL hidden file system layout
- Payload injection
- TdlFsReader as a forensic tool
If the presentation is the appetiser, you'll love the main course we previously made available on the white papers page, a paper on The Evolution of TDL: Conquering x64. And there are also some related side dishes at http://resources.infosecinstute.com (they let me put my name on those, too, just to prove I'm earning my celery):
- TDSS part 1: The x64 Dollar Question
- TDSS part 3: Bootkit on the other foot
Sorry about the word salad.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply