TDL3 Rootkit: A SANS NewsBites Analysis by Marshall Washburn

Topic: TDL3 Rootkit variant
• SANS NewsBites - Volume: XII, Issue: 70 (August 26, 27 & 30, 2010)
• TDL3 Rootkit, version 3.273
• Combination of MBR rootkit, Rustock.C and old Tdss variants.
• Stealthiest in the world.
Rootkits
• Wikipedia – “A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications”
• High risk: 1-in-5 Windows machines.
• “Root” and “kit”
Rootkits
• Netsecurity.about.com – “A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it”
• Typically 32-bit problems
Rootkits
• Rootkits are not really viruses
• Machine independent
• Remote access
• Anti-virus level access
Prevention
• Digital signature check for rogue drivers
• “PatchGuard” prevents some changes to the Windows kernel.
• Vista and Win7 do not allow Admin
TDL3 Rootkit
• Also known as the Alureon rootkit
• More sophisticated
• Version 3.273
• Targets 64-bit machines that were previously considered safer
• Spread through websites and exploit kits
TDL3 Rootkit
• Gains control during the boot sequence
• Alters the Master Boot Record. This gets around the first two preventions.
• Triggers a restart, which loads the altered MBR and catches process signals.
• Encrypted with a ROR loop (rotate right).
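The slide says the rootkit's code is kept under a rotate-right (ROR) loop so that it sits on disk as meaningless raw bytes. The block below is an added example written for this page, not code from the slides or from the rootkit: it shows the analyst's side, undoing a byte-wise ROR layer. A byte rotation has only eight possible counts, so a known-plaintext check (here, the `MZ` header an analyst expects at the start of a driver image) identifies the count immediately. The sample plaintext, the rotation count of 3, and all function names are constructed for the example.

```python
import string

# Added example (not from the slides): undoing a byte-wise rotate-right
# encoding layer of the kind the slide attributes to TDL3.
# The sample payload and rotation count below are constructed.


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (the inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror_encode(data: bytes, n: int) -> bytes:
    """Apply the ROR layer byte by byte (used here only to build the sample)."""
    return bytes(ror8(b, n) for b in data)


def ror_decode(data: bytes, n: int) -> bytes:
    """Strip the ROR layer: rotating left by n undoes a rotate right by n."""
    return bytes(rol8(b, n) for b in data)


def recover_rotation(encoded: bytes, known_prefix: bytes):
    """Known-plaintext recovery of the rotation count.

    A byte ROR has only 8 distinct counts, so try each one and return the
    count under which the decoded buffer starts with the expected bytes
    (for a driver image, the 'MZ' DOS header). Returns None if no count fits.
    """
    for n in range(8):
        if ror_decode(encoded[: len(known_prefix)], n) == known_prefix:
            return n
    return None


def printable_ratio(data: bytes) -> float:
    """Sanity score for a decoded buffer: fraction of printable ASCII bytes."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


# Constructed sample: a fake driver image with an MZ signature and a text string.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"This is a constructed sample payload, not real malware."
SAMPLE_ROTATION = 3
SAMPLE_ENCODED = ror_encode(SAMPLE_PLAINTEXT, SAMPLE_ROTATION)


if __name__ == "__main__":
    n = recover_rotation(SAMPLE_ENCODED, b"MZ")
    print("recovered rotation count:", n)
    print("decoded:", ror_decode(SAMPLE_ENCODED, n))
```

The point for a defender is that this layer defeats only byte-pattern scanning of the stored file; once the decode runs, an image carrying an in-memory driver header is recoverable by trying eight counts, so detection logic that looks at what is actually loaded, rather than what is stored, is not affected by it.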
TDL3 Rootkit Details
• Kernel code appears as raw bytes, so it passes security checks.
• TDL3 encodes and decodes files on the fly, so it can pass as a piece of the kernel code.
• At startup, hunts for a driver object.
• Overwrites 824 bytes, avoiding the file size check
• Fake driver object captures disk I/O and hunts for kernel32.dll
• Infection
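The slide's point that overwriting 824 bytes inside a driver "avoids the file size check" is worth seeing concretely. The block below is an added example for this page, not code from the slides or from any product: it baselines files by both size and SHA-256, tampers with one copy in place without changing its length, and shows that the size check still passes while the hash check reports a same-size modification. The file names, the 4096-byte "driver" contents, and the overwrite offset are constructed.

```python
import hashlib
import os
import tempfile

# Added example (not from the slides): a size-only integrity check misses an
# in-place overwrite that keeps the file length, while a hashed baseline does not.
# File names, contents and the overwrite offset are constructed.


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths) -> dict:
    """Record size and SHA-256 for each file: {path: {"size": int, "sha256": str}}."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        baseline[path] = {"size": len(data), "sha256": sha256_of(data)}
    return baseline


def verify(baseline: dict) -> dict:
    """Compare the current on-disk state with the baseline and classify each file."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        size_ok = len(data) == expected["size"]
        hash_ok = sha256_of(data) == expected["sha256"]
        if size_ok and hash_ok:
            results[path] = "unchanged"
        elif size_ok:
            # The case a size-only check cannot see: same length, different bytes.
            results[path] = "same-size modification"
        else:
            results[path] = "size changed"
    return results


def overwrite_in_place(path: str, offset: int, patch: bytes) -> None:
    """Replace len(patch) bytes at offset without changing the file length."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(patch)


def demo() -> dict:
    """Create two constructed 'driver' files, baseline them, tamper with one, verify."""
    with tempfile.TemporaryDirectory() as tmpdir:
        good = os.path.join(tmpdir, "good.sys")
        tampered = os.path.join(tmpdir, "tampered.sys")
        image = bytes(range(256)) * 16  # 4096-byte constructed driver image
        for p in (good, tampered):
            with open(p, "wb") as f:
                f.write(image)
        baseline = build_baseline([good, tampered])
        # Same-size patch: 824 bytes overwritten starting at offset 0x400.
        overwrite_in_place(tampered, 0x400, b"\x90" * 824)
        assert os.path.getsize(tampered) == len(image)  # size check would pass
        return {os.path.basename(p): v for p, v in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The baseline must be taken from a known-good state and stored where the machine under test cannot rewrite it; the slide's next point, that the rootkit captures disk I/O through a fake driver object, is exactly why an on-line hash check run from the infected system can be lied to, and why such comparisons are more trustworthy when made from offline media.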
TDL3 Rootkit
• Has a watchdog thread to prevent any change to the service registry key
• No one can get a handle to the infected driver file (red flag)
• In Feb. it caused a BSOD with the MS10-015 update
• Relies on RVA (Relative Virtual Address) offsets of Windows kernel APIs to find functions. The update changed those values; after restart, the rootkit called an invalid address
TDL3 fights back
• While this caused a BSOD, it did bring notice to a potential problem
• TDL3 authors released an update within hours that worked with the Microsoft update.
• Process was called tdlcmd.dll or z00clicker.dll
TDL3 Rootkit
• First significant 64-bit rootkit
• Malware begets more malware
• Anti-virus lag
• Security chess match
Cited Sites
• http://www.guidingtech.com/4467/what-is-a-rootkit/
• http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html
• http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
• http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html