TDL 4 variants have surfaced recently, making security researchers suspect that the code may have been sold on the black market.
It seems VXers are already at work making it more dangerous, and one of the main areas of innovation is the file system used.

Two new off-shoots have attracted the attention of Bitdefender antivirus researchers in the past month.
The Sst family, also known as MAXSS, is provided with a new and different type of virtual filesystem for storing its own executable modules. The bootkit even comes with anti-tampering features akin to those used by Windows itself – it does a CRC check on its components at boot time and halts the system if it detects any changes.

In its most recent incarnation, Sst goes one better (worse?), by storing the actual boot-loader in a new, separate, bootable partition of its own creation.
In this manner, it avoids altering the MBR of the original system disk, further complicating detection. It seems to work, too, as many AV products are still unable to find and clean recent variants of Sst.
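As an added illustration of why a self-made bootable partition matters for detection (example code written for this page, not Bitdefender's tool or anything from the article): a small Python check that parses the MBR partition table and compares it with a recorded known-good baseline, flagging any partition entry that was not there before, especially one carrying the bootable flag. The partition layout, sizes and type values are constructed for the example.

```python
import struct

PART_TABLE_OFFSET = 446     # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> list:
    """Parse the primary partition table out of a 512-byte MBR sector."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA signature)")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                            "lba": lba, "sectors": count})
    return entries

def audit_partition_table(sector: bytes, baseline: list) -> list:
    """Compare the live table with a known-good baseline; return human-readable findings."""
    findings = []
    live = parse_mbr(sector)
    known = {(e["lba"], e["sectors"]) for e in baseline}
    for e in live:
        if (e["lba"], e["sectors"]) not in known:
            findings.append(f"slot {e['slot']}: new partition type 0x{e['type']:02x} "
                            f"at LBA {e['lba']}" + (" marked bootable" if e["active"] else ""))
    if sum(e["active"] for e in live) > 1:
        findings.append("more than one partition carries the 0x80 active flag")
    return findings

def build_mbr(entries: list) -> bytes:
    """Assemble a constructed MBR sector from (active, type, lba, sectors) tuples."""
    sector = bytearray(512)
    for slot, (active, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * slot
        sector[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if active else 0, b"\0\0\0",
                                           ptype, b"\0\0\0", lba, count)
    sector[510:] = b"\x55\xaa"
    return bytes(sector)

# Constructed baseline: one NTFS (0x07) system partition, active, starting at LBA 2048.
BASELINE_MBR = build_mbr([(True, 0x07, 2048, 200000)])
BASELINE = parse_mbr(BASELINE_MBR)
# Constructed "after" state: the original entry is untouched, but a small extra bootable
# partition has appeared in slot 1 (type value is arbitrary for the example).
SUSPECT_MBR = build_mbr([(True, 0x07, 2048, 200000), (True, 0x07, 202048, 4096)])

if __name__ == "__main__":
    for line in audit_partition_table(SUSPECT_MBR, BASELINE):
        print("FINDING:", line)
```

On a real system the sector would come from reading the first 512 bytes of the physical disk and the baseline from a snapshot taken when the machine was known to be clean.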
The Pihar family is another notable offshoot of the TDSS family tree. Detected by Bitdefender in three separate variants so far, Pihar makes use of a simpler filesystem to store itself and its payload, and skips encryption altogether.

“We will continue to give special attention to these e-threats, which are emerging even as TDL4 development appears to have stagnated,” concluded Bitdefender antivirus researcher Marius Tivadar.
Free-as-in-beer TDSS removal tools have been released by Bitdefender. Get them here while they’re hot.
Trackback: TDSS Bootkit Spawns Clones, 15/11/2011. Source: labs.bitdefender.com/?p=830
When do you intend to make a program compatible with the BlackBerry Curve 8520, as you did for the Android platform?
Best regards!
New TDSS variant: ComboFix detects and removes. Mine came from a Qwest install file; submitting sample. Trojan Killer locates. Trojan Exoptions gen infects Bit Defender Spyware Terminator removes. Submitting infected file to Bitdefender.
I’ve been using it for two weeks! It’s great! Granted, it’s a beta version, but it’s a tool with a future, especially when you see the rise in infected links for Facebook on the web. I recommend it! Thanks Nico for the article, it’s great to talk about these useful apps that have a bright future.