Notorious TDL4 rootkit retooled to better withstand antivirus programs

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

“ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution,” announced David Harley, the company’s director of malware intelligence.

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions,” he noted.

Harley and his colleagues believe this suggests a major change within the TDL development team or the transition of its business model toward a crimeware toolkit that can be licensed to other cyber criminals.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated that the number of computers infected with it exceeds 4.5 million.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, according to ESET’s researchers, changes are now being made to the way TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active.

This ensures that malicious code stored on it, including a special boot loader, gets executed before the actual operating system, and that the MBR code checked by antivirus programs for unauthorized modifications remains untouched.

The TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

“The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system,” the ESET researchers explain.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit’s authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

Several antivirus vendors like Kaspersky, BitDefender, or AVAST offer free stand-alone tools that can remove TDSS and similar rootkits. However, in order to avoid getting infected in the first place, users should install an antivirus solution that provides advanced layers of protection, like those analyzing software behavior.