Large AV players jump on TDL3 bandwagon

Regular readers of our blog already know about the TDL3 rootkit (aka TDSS or Alureon). It is a rootkit that uses very sophisticated technology and is able to remain undetected by most Antivirus products.

Recently this rootkit also attracted the attention of some of the larger players in the security industry, such as ESET (link), Kaspersky (link) and F-Secure (link). And it’s about time! It already made too many victims.

Microsoft reports that it managed to remove 360,000 TDL3 variants from infected computers using their Software Removal Tool (MSRT). But only since TDL3 drew Microsoft’s attention: TDL3 was incompatible with Microsoft’s MS10-015 patch, causing a large number of computers to become unbootable.

Over 34% of all users who downloaded Hitman Pro in the past weeks were infected with the latest variant of the TDL3 rootkit. This variant (actively spreading since April 2010) is a lot harder to detect and almost impossible to remove.

Most Antivirus products prevent the rootkit from infecting the computer, which is a good thing. Unfortunately, only very few vendors are able to actually detect and remove the TDL3 rootkit after it has infected the computer.

Over the past months TDL3 has changed its stealth and protection several times to counteract the few (mostly dedicated) tools that were able to detect and remove it. Hitman Pro 3.5 has been able to detect and remove the TDL3 rootkit, including the latest variant, since November 2009.
