The Latest in IT Security

TDL4: new bootkits stepping out


My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4.

This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's claimed to  support all versions of Microsoft Windows, since XP including Windows 7 sp1, inclusive, and supports both x86 and AMD64 (EM64T). A mere $9000, which I guess gives you some idea of how much profit there is in this kind of "costly but effective" malcode. :(

More info on TDL4 on the white papers page:

The Evolution of TDL: Conquering x64
By Eugene Rodionov and Aleksandr Matrosov

Defeating x64: The Evolution of the TDL Rootkit
By Aleksandr Matrosov and Eugene Rodionov

TDSS part 1: The x64 Dollar Question
By Aleksandr Matrosov, Eugene Rodionov & David Harley

TDSS part 2: Ifs and Bots
By Aleksandr Matrosov, Eugene Rodionov & David Harley

TDSS part 3: Bootkit on the other foot
By Aleksandr Matrosov, Eugene Rodionov & David Harley

Rooting about in TDSS
By Aleksandr Matrosov & Eugene Rodionov
Article first published in Virus Bulletin, October 2010. Copyright is held by Virus Bulletin Ltd, but is made available on ESET's white papers page for personal use free of charge, by permission of Virus Bulletin.

ESET Senior Research Fellow

Leave a reply


MONDAY, MAY 25, 2020

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments