Development may be slowing down, but TDL3, possibly the biggest rootkit threat of the year, is not entirely static and in fact seems to have added self-defense features recently.
Are the creators of the infamous TDL3 rootkit running out of steam? Well, it has certainly matured, at least according to BD researcher Marius Tivadar, who has been following the evolution of this nasty bit of malware over the past few months.
“The updates came in fast at first, with a new version twice a week, mostly adding new tricks to avoid detection. The flow seems to have slowed down now, though. Maybe they ran out of ideas,” Marius said.
The latest version includes a memory self-check (if TDL3 finds that its code in memory has been modified, the changes are reverted from a clean copy) and a new way to protect the registry key it sets against changes.
The dropper component writing into a driver file on disk was, and still is, the usual TDL3 method of gaining access to the kernel: the driver is loaded at boot time and executed, along with the malicious stub code.
A miniport driver such as atapi.sys was a logical (and the most common) choice for infection, as the rootkit needs low-level access to the hard disk(s) to cheat antivirus scanners and the operating system into believing that it doesn’t exist. Recent versions, however, infect a random driver instead and patch the miniport driver in memory once it is loaded, which further complicates detection.
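The in-memory patching described above is exactly what a defender's integrity check looks for: the loaded driver's code is compared byte by byte with a clean reference copy (the file on disk, or a stored known-good image), and every run of differing bytes is reported as a suspected patch. The Python below is an added illustration, not code from the article or from BitDefender; the two images are constructed byte strings standing in for a miniport driver's code section, and the function names are my own.

```python
"""Detect in-memory patching of a driver image by diffing it against a clean copy.

Added example, not from the article. The images below are constructed byte
strings standing in for a loaded miniport driver's code section and its
pristine reference copy; a real tool would read them from the kernel module
list and from the file on disk.
"""

import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PatchedRegion:
    offset: int       # offset of the first differing byte
    length: int       # number of contiguous differing bytes
    original: bytes   # bytes from the clean reference image
    current: bytes    # bytes found in the live image


def image_hash(image: bytes) -> str:
    """SHA-256 of a whole image; a cheap first-pass check before a byte diff."""
    return hashlib.sha256(image).hexdigest()


def find_patched_regions(reference: bytes, live: bytes) -> List[PatchedRegion]:
    """Return every contiguous run of bytes where `live` differs from `reference`.

    Images of different size are rejected rather than silently truncated, since a
    size change is itself a sign that the module is not what it claims to be.
    """
    if len(reference) != len(live):
        raise ValueError("images differ in size: %d vs %d" % (len(reference), len(live)))
    regions: List[PatchedRegion] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, live)):
        if a != b and start is None:
            start = i                      # a new run of modified bytes begins
        elif a == b and start is not None:
            regions.append(PatchedRegion(start, i - start, reference[start:i], live[start:i]))
            start = None
    if start is not None:                  # run extends to the end of the image
        regions.append(PatchedRegion(start, len(live) - start, reference[start:], live[start:]))
    return regions


def check_module(reference: bytes, live: bytes) -> List[PatchedRegion]:
    """Fast path on the hash, then a full diff only if the hashes disagree."""
    if image_hash(reference) == image_hash(live):
        return []
    return find_patched_regions(reference, live)


# Constructed sample data: a 64-byte "code section" and a copy of it that has
# been tampered with in two places (a 5-byte overwrite at offset 16 and a
# 2-byte overwrite at offset 40). None of the new bytes equal the originals.
CLEAN_IMAGE = bytes(range(64))
_tampered = bytearray(CLEAN_IMAGE)
_tampered[16:21] = b"\xe9\xaa\xbb\xcc\xdd"
_tampered[40:42] = b"\x90\x90"
PATCHED_IMAGE = bytes(_tampered)


def demo() -> List[PatchedRegion]:
    """Run the check on the constructed images and print a short report."""
    regions = check_module(CLEAN_IMAGE, PATCHED_IMAGE)
    for r in regions:
        print("patched region at offset 0x%04x, %d bytes: %s -> %s"
              % (r.offset, r.length, r.original.hex(), r.current.hex()))
    return regions


if __name__ == "__main__":
    demo()
```

On a real system the reference image has to come from somewhere the rootkit does not control (a signed copy of the driver, or hashes recorded before infection); relocations and legitimate hooks will also show up as differences, so the report is a list of regions to examine, not a verdict on its own.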
A complex series of steps (the exact “recipe” varies between minor versions, making each a unique puzzle) then leads to the rootkit stub being loaded. In turn, it loads the rest of the rootkit body, from an encrypted location on disk. The encrypted storage is no flat file either, but rather an entire filesystem, structured so as to allow the addition of new payloads.
Once installed and run, TDL3 injects its malware payload into a usermode process. The payload is usually a spammer trojan, but TDL3 can also be directed to download other malware.