My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4.
This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's claimed to support all versions of Microsoft Windows, since XP including Windows 7 sp1, inclusive, and supports both x86 and AMD64 (EM64T). A mere $9000, which I guess gives you some idea of how much profit there is in this kind of "costly but effective" malcode. 
More info on TDL4 on the white papers page:
The Evolution of TDL: Conquering x64
By Eugene Rodionov and Aleksandr Matrosov
Defeating x64: The Evolution of the TDL Rootkit
By Aleksandr Matrosov and Eugene Rodionov
TDSS part 1: The x64 Dollar Question
By Aleksandr Matrosov, Eugene Rodionov & David Harley
TDSS part 2: Ifs and Bots
By Aleksandr Matrosov, Eugene Rodionov & David Harley
TDSS part 3: Bootkit on the other foot
By Aleksandr Matrosov, Eugene Rodionov & David Harley
Rooting about in TDSS
By Aleksandr Matrosov & Eugene Rodionov
Article first published in Virus Bulletin, October 2010. Copyright is held by Virus Bulletin Ltd, but is made available on ESET's white papers page for personal use free of charge, by permission of Virus Bulletin.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply
