Miscellaneous

TDSS Bootkit Spawns Clones

November 15, 2011
2 Min Read

TDL 4 variants have surfaced recently, making security researchers suspect that the code may have been sold on the black market. 

It seems VXers are already at work making it more dangerous and one of the main areas of innovation seems to be the file system used.

TDL4 FileSystem, the original. A more recent sample will look a little different.

Two new off-shoots have attracted the attention of Bitdefender antivirus researchers in the past month.

The Sst family, also known as MAXSS, is provided with a new and different type of virtual filesystem for storing its own executable modules. The bootkit even comes with anti-tampering features akin to those used by Windows itself – it does a CRC check on its components at boot time and halts the system if it detects any changes.

MAXSS/SST filesystem
MAXSS/SST FileSystem - Components look almost like those in TDL4

In its most recent incarnation, Sst goes one better (worse?), by storing the actual boot-loader in a new, separate, bootable partition of its own creation.

In this manner, it avoids altering the MBR of the original system disk, further complicating detection. It seems to work, too, as many AV products are still unable to find and clean recent variants of Sst.

The Pihar family is another notable offshoot of the TDSS family tree. Detected by Bitdefender in three separate variants so far, Pihar makes use of a simpler filesystem to store itself and its payload, and skips encryption altogether.

Pihar FileSystem hex dump
Pihar FileSystem - Components with different names

We will continue to give special attention to these e-threats which are emerging even as TDL4 development appears to have stagnated” concluded Bitdefender antivirus researcher Marius Tivadar.

Free-as-in-beer TDSS removal tools have been released by Bitdefender. Get them here while they’re hot.

Tags

About the author

View All Posts

Razvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

7 Comments

Click here to post a comment