
TDL3 rootkit x64 goes in the wild


8 replies to this topic

#1 KarstenHansen (The Dane)

  • Members
  • 1,868 posts
  • Gender:Male

Posted 26 August 2010 - 12:15 PM

It took some time but now x64 Windows operating systems are officially the new target of rootkits.

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.



Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.



They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.


PrevX

An x64 rootkit, I thought it to be almost impossible, but of course it was not! Enjoy the awesome read.

Karsten


#2 Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 27 August 2010 - 08:11 AM

I don't think there is anything we can do except keep checking for security updates and be careful what sites you go on.

#3 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 27 August 2010 - 11:58 PM

You see, the really sucky thing now is the fact that it's more about how the authors organize search terms these days. I can't believe this is happening now anyway. I might better recant my statement to my mother that her laptop is safe from that kind of crap since it's a 64 bit system then? Great! I hope the developers of TDL3 start being stupid and eventually destroy their own computers, so they'll learn what they're doing to us! Pray for their downfall, will you?

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#4 Nawtheasta

  • Members
  • 403 posts
  • Location:New England, USA

Posted 28 August 2010 - 09:16 AM

In the quote listed above it says:

"Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system"

Is this sarcasm, a misstatement or what?? I can't believe every 32 bit system in the entire world is infected.
Regards
Nawtheasta

#5 Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 29 August 2010 - 06:58 AM

I have to believe it's a misstatement. The only way I can think of that being done is an operating system update. Someone hacking a KB is the only way I can think of that happening.

#6 Broni (The Coolest BC Computer)

  • BC Advisor
  • 42,696 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 31 August 2010 - 10:01 PM

More info: http://www.technibble.com/tdl3-rootkit-x64-goes-in-the-wild/

Windows x64 bit operating systems have long been a tier above 32-bit in terms of security but now the x64 bit operating systems are the newest targets for a certain rootkit. Security company Prevx found that the rootkit TDL3, which has been active for several months, got a new update that allows it to infect x64 bit Windows. This is an unprecedented development and marks the first appearance of an in the wild x64 rootkit.

x64 versions of Windows are considered much more secure than their respective 32 bit versions because of some advanced security features which are intended to make it more difficult to get into kernel mode and hook the Windows kernel.

Windows Vista 64 bit and Windows 7 64 don’t allow every driver to get into the kernel memory region due to a very strict digital signature check. If the driver has not been digitally signed, Windows won’t allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware isn’t usually signed – at least, it shouldn’t be.

The second technique to prevent kernel mode drivers from altering Windows kernel behavior is the Kernel Patch Protection, also known as PatchGuard. This blocks every kernel mode driver from changing sensitive areas of the Windows kernel. Prevx describes how the rootkit gets past both techniques:

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive’s master boot record so that it can intercept Windows startup routines, owns it, and load its driver. Both Windows security mechanisms are bypassed.

The first attempt at breaking the x64 kernel security was the Whistler bootkit, but the first in-the-wild x64 compatible attack is this rootkit. The Prevx community had been seeing infections during the nine days leading up to 8/26/2010, when the article was written, and it is surely still active. The rootkit is spreading via porn websites and exploit kits. Prevx is currently analyzing the rootkit and thinks that TDL3 is under new owners, who are modifying it for x64 compatibility. Right now it seems to be in beta because it doesn’t always work, but it will be important to keep an eye on it.


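The mechanism described in the quoted article, patching the MBR so the rootkit's own code runs before the Windows loader and its driver is brought in outside the signature check, suggests the obvious host-side check: keep a known-good copy of sector 0 and diff the boot code against it, separately from the partition table, so that a legitimate repartition is not confused with a boot-code patch. The Python below is an added example written for this thread; it is not code from Prevx, Technibble or any TDSS removal tool, and the sample sectors are constructed (the bytes are not TDL3's). The 0x55AA signature, the 446-byte boot area and the 16-byte partition entry layout are the standard MBR format; `build_mbr`, `parse_mbr`, `compare_mbr` and `read_mbr` are names chosen here.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline.

Added example for the thread above, not vendor code. Sample sectors are
constructed for illustration and are not real rootkit bytes.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: code the BIOS jumps to at boot
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble an MBR from boot code and up to four
    (bootable, type, lba_start, sectors) tuples. Used here only to
    construct sample sectors; the CHS fields are left zeroed."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition list too long")
    table = b""
    for bootable, ptype, lba_start, sectors in entries:
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        table += struct.pack("<B3xB3xII", 0x80 if bootable else 0x00,
                             ptype, lba_start, sectors)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a hash of its boot code and its partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from `baseline`.
    Boot code and partition table are reported separately: a repartition
    alone is not the pattern a boot-code patch leaves behind."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code changed: code run before the OS loader "
                        "no longer matches the baseline")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device (needs administrator/root rights),
    e.g. \\.\PhysicalDrive0 on Windows or /dev/sda on Linux."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed samples: a clean MBR with one bootable NTFS (type 0x07)
# partition, and a copy whose first boot-code bytes were replaced by a
# short jump while the partition table is left untouched.
CLEAN_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c"
                   + bytes(range(200)))
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 0x0100_0000)])
PATCHED_MBR = build_mbr(b"\xeb\x20" + CLEAN_BOOT_CODE[2:],
                        [(True, 0x07, 2048, 0x0100_0000)])

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(compare_mbr(CLEAN_MBR, PATCHED_MBR))
```

Take the baseline once from a clean boot medium; a kernel-resident rootkit can filter raw disk reads made from the running system, so a sector that matches the baseline when read from inside a possibly infected OS proves less than one read offline. The hash changes on any boot-code write, including legitimate ones such as reinstalling a boot loader, so a finding is a prompt to inspect, not a verdict.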


 


#7 KarstenHansen (The Dane)

  • Topic Starter
  • Members
  • 1,868 posts
  • Gender:Male

Posted 01 September 2010 - 09:02 AM

Thanks a lot for this interesting read Broni.

#8 Broni (The Coolest BC Computer)

  • BC Advisor
  • 42,696 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 01 September 2010 - 02:37 PM

:thumbsup:



 


#9 connectedcr

  • Members
  • 10 posts

Posted 02 September 2010 - 04:58 PM

Read this from Technibble the other day. Pretty sure I got this on my computer. The trouble is finding a virus scanner on a boot CD that is compatible with x64. Tried several with no luck. Malwarebytes crashes in safe and normal mode and SUPERAntiSpyware doesn't seem to pick it up. I'm gonna try Kaspersky TDSSKiller when I get home. Hopefully that'll get it!



