BleepingComputer.com: TDL3 rootkit x64 goes in the wild

It took some time but now x64 Windows operating systems are officially the new target of rootkits.

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.



Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.



They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.

Windows x64 bit operating systems have long been a tier above 32-bit in terms of security but now the x64 bit operating systems are the newest targets for a certain rootkit. Security company Prevx found that the rootkit TDL3, which has been active for several months, got a new update that allows it to infect x64 bit Windows. This is an unprecedented development and marks the first appearance of an in the wild x64 rootkit.

x64 versions of Windows are considered much more secure than their respective 32 bit versions because of some advanced security features which are intended to make it more difficult getting into kernel mode and hooking the Windows’s kernel.

Windows Vista 64 bit and Windows 7 64 don’t allow every driver to get into kernel memory region due to a very strict digital signature check. If the driver has not been digitally signed, Windows won’t allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malwares aren’t usually signed – at least, they shouldn’t be.

The second technique to prevent kernel mode drivers from altering Windows kernel behavior is the Kernel Patch Protection, also known as PatchGuard. This blocks every kernel mode driver from changing sensitive areas of the Windows kernel. Prevx describes how the rootkit gets past both techniques:

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive’s master boot record so that it can intercept Windows startup routines, owns it, and load its driver. Both Windows security mechanisms are bypassed.

The first attempt at breaking the x64 kernel security was the Whistler bootkit but the first in the wild x64 compatible attack is this rootkit. The Prevx community had been seeing infections during the past nine days leading up to 8/26/2010 when the article was written and it is surely still active. The rootkit is spreading via porn websites and exploit kits. Prevx is currently analyzing the rootkit and thinks that TDL3 is under new owners, which are modifying it for x64 compatibility. Right now it seems to be in beta because it doesn’t always work but it will be important to keep an eye on it.