TDL4 bootkit reinstates 64-bit infection capability

Microsoft released security update KB2506014 on April 12 to address a vulnerability that allowed unsigned drivers to be loaded by 64-bit Windows. The TDSS/Alureon rootkit family, of which TDL4 is a part, was one of the more advanced rootkits that abused this vulnerability to load the rootkit during Windows boot-up. TDL4 is also known as the Google Redirect Virus.

TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boots. This gives so-called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

We started to see this new variant a few days ago when we received reports that Hitman Pro was no longer able to remove the TDL4 rootkit. Hitman Pro was detecting the presence of the rootkit but it was no longer able to determine its load point, which is needed for the rootkit’s removal. The reports also outline that the few dedicated TDSS removal tools from other vendors were also having difficulty detecting and removing it, which is a clear indication that we are dealing with a new variant.

A key survival strategy for rootkits is staying undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit just serves clean uninfected data, effectively blinding antivirus and internet security software.

In order to detect the presence of rootkits like TDL4, an antivirus must get around the rootkit’s filtering. Only then can the actual infected disk sectors be read and inspected.
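The comparison this implies can be sketched as a cross-view check of sector 0. This is an added example, not Hitman Pro's code: it assumes the two 512-byte buffers were obtained elsewhere (one through the normal OS read path, one through an independent raw read), and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_END = 446                 # classic MBR layout: boot code area is bytes 0..445
ENTRY = struct.Struct("<B3xB3xII")  # status, type, LBA start, sector count (CHS skipped)


def parse_mbr(sector):
    """Return the boot-code hash and used partition entries of a sector 0 image."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector ending in the 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, BOOT_CODE_END + i * 16)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": parts}


def cross_view_diff(os_view, raw_view):
    """Compare sector 0 as returned by the OS with an independent raw read."""
    a, b = parse_mbr(os_view), parse_mbr(raw_view)
    findings = []
    if a["code_sha256"] != b["code_sha256"]:
        offs = [i for i in range(BOOT_CODE_END) if os_view[i] != raw_view[i]]
        findings.append(f"boot code differs in {len(offs)} bytes, first at offset {offs[0]:#x}")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs between views")
    return findings


def build_sample(boot_code):
    """Constructed sector 0: filler boot code plus one active type-0x07 partition."""
    entry = ENTRY.pack(0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_END, b"\x00") + entry
    return body.ljust(510, b"\x00") + b"\x55\xaa"


# Constructed inputs: filler bytes only, not real boot code.
OS_VIEW = build_sample(b"AA" + b"A" * 32)   # view through the filtered read path
RAW_VIEW = build_sample(b"AA" + b"B" * 32)  # view from the independent raw read

if __name__ == "__main__":
    for line in cross_view_diff(OS_VIEW, RAW_VIEW) or ["views agree"]:
        print(line)
```

Any finding means the two read paths disagree about what is on disk, which is the signal that something is filtering reads; identical views prove nothing if both reads pass through the same filtered path.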

Hitman Pro’s Direct Disk Access technology is specifically made to get around such rootkit techniques by scanning computers at a much deeper level. Many of our first-time users are infected with the TDL4 rootkit, despite up-to-date protection software from renowned security vendors. Even though these vendors frequently write reports about this threat, the rootkit does not appear in any top threat list because most products lack the technology to detect and remove it.

Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. A beta version can be downloaded from here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Changelog (Build 121)

  • Added detection and removal of latest TDL4 bootkit
  • Improved behavioral scan
  • Improved removal engine
  • Added Indonesian language
  • Updated Czech language
