New TDL4 strain very successful in hiding from AV

October 7, 2012

Last month Damballa stirred up the security community with the discovery of a new iteration of the notorious TDL4 rootkit. This rootkit is known for infecting the Master Boot Record (MBR) to gain control over everything that runs on the computer, which makes it invisible to antivirus products and hard to remove. The malware is also known as the ‘indestructible’ botnet, and Damballa reported that this new variant has already infected 46 of the Fortune 500 companies as well as government agencies and ISP networks.

Damballa stumbled upon it thanks to their network behavioral analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication. Since Damballa could only determine the existence of the new malware by looking for domain fluxing, they concluded that no binary samples of the new malware have been identified and categorized by commercial antivirus products operating at the host or network levels. But HitmanPro is not your average antivirus.
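The post only says that the new variant was spotted through the domain names it generates. The script below is an added example, not Damballa's method or HitmanPro's code, of what a domain fluxing check over a resolver log can look like: per client, it combines the NXDOMAIN ratio (generated names mostly do not resolve) with the Shannon entropy of the registered label (generated names look random). The log format, the sample lines and the thresholds are constructed assumptions for this example.

```python
"""Flag DNS clients whose queries look like domain fluxing (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log, one "<client> <qname> <rcode>" per line.
# This is NOT a real log format or real data; it only exists to exercise the check.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xk3jd8sq2lwqp.com NXDOMAIN
10.0.0.9 q92ldkfj3mzx.net NXDOMAIN
10.0.0.9 zpw0r7ckd1vb.com NXDOMAIN
10.0.0.9 8dmsl2kqp3zz.info NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 lkq7mc2xwp9a.com NXDOMAIN
10.0.0.9 p3xz8qwlv1md.net NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for an empty or uniform label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Return the label directly under the TLD ('example' for www.example.com).

    A real deployment should consult the Public Suffix List; this shortcut is an assumption."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def client_stats(log_text: str) -> dict:
    """Per-client query count, NXDOMAIN ratio and mean entropy of the registered label."""
    queries = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        client, qname, rcode = parts
        queries[client].append((qname, rcode.upper() == "NXDOMAIN"))
    stats = {}
    for client, items in queries.items():
        n = len(items)
        nx = sum(1 for _, is_nx in items if is_nx)
        ent = sum(shannon_entropy(registered_label(q)) for q, _ in items) / n
        stats[client] = {"queries": n, "nx_ratio": nx / n, "mean_entropy": ent}
    return stats


def flag_fluxing_clients(log_text: str, min_queries: int = 5,
                         min_nx_ratio: float = 0.5, min_entropy: float = 3.0) -> list:
    """Clients exceeding all three thresholds, sorted. Thresholds are illustrative assumptions."""
    stats = client_stats(log_text)
    return sorted(c for c, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["nx_ratio"] >= min_nx_ratio
                  and s["mean_entropy"] >= min_entropy)


if __name__ == "__main__":
    for client, s in client_stats(SAMPLE_LOG).items():
        print(f"{client}: {s['queries']} queries, NXDOMAIN ratio {s['nx_ratio']:.2f}, "
              f"mean entropy {s['mean_entropy']:.2f}")
    print("suspected domain fluxing:", flag_fluxing_clients(SAMPLE_LOG))
```

The NXDOMAIN ratio is the stronger of the two signals: a bot walking its generated list fails on most names until it hits the one the operator registered, while the entropy test alone also fires on CDN hostnames and tracking domains. Tune both thresholds on a baseline of your own resolver traffic before acting on the output.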

With all the new things we are working on in our office we have not really gotten around to generating our monthly Malware Prevalence Top 25, a list of malware families that HitmanPro encounters on computers protected by up-to-date commercial antivirus products.

As you can see from the August and September lists we posted a few hours ago, Sst – also known as Maxss, a modification of the TDL4 strain – is indeed on the rise, big time.

In just two months it reached the #2 position! This means that commercial antivirus products are unable to detect, let alone remove, this malware.

Volume Boot Record (VBR)
This new variant is known as Sst.c. It is capable of infecting the Volume Boot Record (VBR) – which is even more challenging for commercial antivirus programs.

So we can confirm that Sst.c is highly prevalent and has gained a new trick: it infects the Volume Boot Record.

We will post more information on Sst.c when it becomes available.

275,000 computers lose Internet access on July 9

June 27, 2012

On many computers deemed safe and protected by up-to-date antivirus software, the Alureon rootkit is still one of the most prevalent infections that HitmanPro encounters. Over the last few years the Alureon rootkit (aka TDSS, TDL and Olmarik) has evolved and been used for all kinds of attacks, from drive-by downloads to targeted attacks aimed at a specific group of people. One of its lesser known jobs was to distribute the DNSChanger Trojan.

Beginning in 2007, the DNSChanger Trojan hijacked web traffic by changing the DNS (Domain Name System) settings on an infected computer. Once the Trojan has altered these settings, every DNS query the computer makes goes to attacker-controlled DNS servers, which can answer with whatever address they like. As a result, victims are diverted to malicious websites instead of the website they requested, and the scammers behind the servers earned millions of dollars in affiliate and referral fees from the redirected traffic.
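The practical check that follows from this is whether a machine's configured resolvers point into the address space the rogue servers used. The script below is an added example, not HitmanPro's code: it pulls resolver addresses out of `ipconfig /all` (Windows) or `resolv.conf` (Mac/Unix) text and tests them against the rogue ranges. The ranges are the ones published in the FBI's DNSChanger advisory, reproduced here from memory, so verify them against the DCWG's list before relying on the check; the sample configurations are constructed, not captured from a real machine.

```python
"""Check configured DNS resolvers against the DNSChanger rogue ranges (added example)."""
import ipaddress
import re

# Rogue resolver ranges as published in the FBI's DNSChanger advisory, reproduced from
# memory: verify against the DCWG's current list before relying on this in production.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
_DNS_SERVERS_LINE = re.compile(r"DNS Servers[ .]*:\s*" + _IPV4)
_CONTINUATION_LINE = re.compile(r"^\s+" + _IPV4 + r"\s*$")
_NAMESERVER_LINE = re.compile(r"^\s*nameserver\s+" + _IPV4)


def extract_resolvers(config_text: str) -> list:
    """Pull resolver addresses out of `ipconfig /all` or resolv.conf text.

    In `ipconfig /all` output, additional servers follow the 'DNS Servers' line on
    continuation lines that contain nothing but an address."""
    resolvers = []
    in_dns_block = False
    for line in config_text.splitlines():
        m = _DNS_SERVERS_LINE.search(line)
        if m:
            resolvers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            m = _CONTINUATION_LINE.match(line)
            if m:
                resolvers.append(m.group(1))
                continue
            in_dns_block = False
        m = _NAMESERVER_LINE.match(line)
        if m:
            resolvers.append(m.group(1))
    return resolvers


def rogue_resolvers(addresses) -> list:
    """Return the addresses that fall inside a known rogue DNSChanger range."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # ignore strings that are not addresses (truncated or garbled lines)
        if any(ip in net for net in ROGUE_NETWORKS):
            hits.append(addr)
    return hits


# Constructed sample configurations (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.113.199
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV_CONF = "nameserver 8.8.8.8\nnameserver 93.188.162.10\n"


if __name__ == "__main__":
    for name, text in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        found = extract_resolvers(text)
        print(f"{name}: resolvers {found}, rogue {rogue_resolvers(found)}")
```

A hit means the resolver setting has to be put back (on Windows, for example, `netsh interface ip set dns name="Local Area Connection" source=dhcp` returns the adapter to DHCP-assigned resolvers) and the machine still has to be cleaned, since the Trojan that made the change will otherwise make it again.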

On November 8, 2011 the FBI arrested six Estonian nationals who were operating over a hundred malicious DNS servers in data centers in Estonia, New York and Chicago. Along with these arrests, the servers involved with the DNSChanger malware were seized. Since machines with modified DNS settings would be unable to access the Internet once the malicious DNS servers went offline, the FBI obtained a court order that allowed the non-profit Internet Systems Consortium (ISC) to set up alternate DNS servers to temporarily replace the malicious servers. These servers were intended to give people time to clean up the infection. The court order was originally set to expire on March 8, 2012, but prosecutors filed for an extension because over 400,000 computers still remained infected. The new deadline for getting cleaned up and averting the Internet blackout is now July 9, 2012.

DCWG, Google, Facebook, CloudFlare
To remediate users and help the FBI with the alternate DNS servers, the DNS Changer Working Group (DCWG) was created. The DCWG is an ad hoc group of subject matter experts, and includes members from organizations such as Georgia Tech, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama at Birmingham.

To aid the slow remediation rate, Google started notifying affected users in May 2012, showing warnings via a special message that appears at the top of the Google search results page for users with affected devices. Also, 11,000 websites enabled the CloudFlare Visitor DNSChanger Detector which shows infected visitors a warning banner to help them remove the malware and remain online. And this month, Facebook joined Google in warning victims among its 900 million users.

Recover from a DNSChanger infection

Over the past few months, HitmanPro has helped tens of thousands of people restore their DNS settings and remove the DNSChanger Trojan and the TDSS rootkit from their computers. As shown in the graph below, the campaigns by Google and Facebook played a significant role in informing infected users and pointing them to a solution:

Below, the latest Top 5 DNSChanger Infections by Country (June 11, 2012). Many computers in Italy are still affected by DNSChanger:

Head over to and check your Windows and Mac computers for the DNSChanger Trojan. Since an infected computer may no longer be able to get online at all after July 9, you should check your computers as soon as possible.

ZeroAccess rootkit strikes back

July 15, 2011

Malware that actively fights back against removal is not uncommon. But the authors of the ZeroAccess rootkit found a unique way to strike back at its adversary: it instructs an antivirus program to terminate itself.

The ZeroAccess rootkit uses advanced stealth tactics, similar to the infamous TDL3 rootkit. The rootkit itself hides, but its payload does not: it is very visible to the user, because it redirects, for example, Google search results in the web browser.

Most antivirus programs are hardened against termination by an external (malicious) process. But it turns out that most antivirus programs are not that tough against themselves.

When an antivirus program tries to scan one of ZeroAccess’s rootkit components, the rootkit strikes back by injecting (from kernel mode) a small piece of malicious code into the address space of the antivirus process. The code does nothing more than call the ExitProcess function.
The rootkit then queues that code to be run by the antivirus process by means of an APC (asynchronous procedure call). The next time one of the antivirus process’s threads enters an alertable wait (the point at which user-mode APCs are delivered), the queued code executes and ExitProcess is called: the antivirus program terminates itself.

In addition to the self-termination of the antivirus process, the rootkit also changes the access rights (DACL) of the antivirus program’s EXE file so that it cannot be restarted. This leaves the computer unprotected against new malware infections as well.

Hitman Pro 3.5.9 build 127 contains protection against these types of malicious code injections and monitors and restores the DACL on its EXE file. Users of Hitman Pro will automatically be updated to the latest version in the next few days.

Hitman Pro removes Popureb.E

June 30, 2011

The latest release of Hitman Pro 3.5.9 – build 126 – will remove the infamous Trojan “Popureb” without the need to reinstall the operating system as previously advised by Microsoft.

Malware like Popureb overwrites the hard drive’s Master Boot Record (MBR), the first sector (sector 0) of the disk, which holds the code that bootstraps the operating system after the computer’s BIOS has completed its start-up checks. The rootkit hides its modified MBR by hooking the DriverStartIo routine of the hard disk miniport driver atapi.sys, which makes the infection effectively invisible to both the operating system and most security software.

The Cloud Assisted Miniport Hook Bypass technology that was added to Hitman Pro in an earlier release this month is designed to detect these sophisticated rootkits. Our Cloud Assisted Miniport Hook Bypass is capable of detecting and removing the Popureb bootkit.

Build 126 of Hitman Pro 3.5 contains a new Tool Action: Replace with standard MBR.

This new action offers users a means to overwrite a non-standard MBR with a standard MBR returning it to a clean state. This new Tool Action is only available to users when scanning a system with Hitman Pro in Early Warning Scoring (EWS) mode. Users do not need to use the Windows Recovery Console to return the MBR to a clean state.

A beta version of Hitman Pro 3.5.9 build 126 can be downloaded here:


UPDATE: Click here to view Hitman Pro in action against Popureb.

Cloud Assisted Miniport Hook Bypass

June 16, 2011

The toughest type of malware is the rootkit. Rootkits embed themselves deep in the operating system, where they hide from antivirus software. The longer a rootkit stays alive on a computer, the more profit the malware authors make, because the computer is under their control.

Highly advanced rootkits like the TDSS family (TDL, Alureon.DX, Olmarik) and new variants of Mebroot and Sinowal work on both 32-bit and 64-bit versions of Windows and infect the Master Boot Record (MBR). This means that these so-called bootkits start before Windows boots up, which gives the bootkit an obvious advantage: any protection mechanism imposed by Windows (or by antivirus software that Windows loads) can be defeated, because the program that starts first can take control over the others.

Once Windows is booting, the rootkit attaches a filtering mechanism to the hard disk driver. This filter gives the rootkit complete control over the hard drive. For example, when an antivirus tries to read the MBR (sector 0) of the hard drive (to see if it is infected), the rootkit will simply serve a regular MBR so that it appears that the MBR is clean. Hence, the rootkit is undetected.

So in order to read the actual infected MBR you need to get around the rootkit’s filtering mechanism.

For this you need to know two things:

  1. The hard disk miniport driver that is hooked (e.g. atapi.sys, iaStor.sys, nvstor32.sys, amdsata.sys, etc.)
  2. How the rootkit is hooking into it

When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.

The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.

Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and read the actual infected sectors. This works for ANY hard disk driver and not just the common ones.
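Two things in this post and in the Popureb post above are easy to get wrong in practice: what "the sector the OS returns differs from the sector read around the hook" means byte for byte, and what "Replace with standard MBR" may and may not overwrite. The script below is an added example, not HitmanPro's code, that covers both: it names the regions of a 512-byte MBR, reports which regions differ between the OS-visible sector and a bypass read, classifies the boot code against a set of known-good hashes, and rebuilds the sector with clean boot code while keeping the disk signature and partition table. Reading the sectors themselves (through the OS and around the miniport hook) is out of scope, so the functions take already-read bytes; the "standard" boot code and both sample sectors are constructed stand-ins, not the real Windows MBR.

```python
"""Inspect a 512-byte MBR, spot non-standard boot code, and rebuild a clean one (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code run by the BIOS
DISK_SIG_OFF = 440             # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"         # bytes 510..511: end-of-sector signature

# Named regions, used to report which part of the sector a rootkit is hiding.
REGIONS = (
    ("boot_code", 0, BOOT_CODE_LEN),
    ("disk_signature", DISK_SIG_OFF, DISK_SIG_OFF + 4),
    ("partition_table", PART_TABLE_OFF, PART_TABLE_OFF + 64),
    ("boot_signature", 510, 512),
)

# Stand-in for known-good Windows MBR boot code (NOT the real bytes; constructed for this
# example). A real tool carries the genuine code and the hashes of every legitimate variant.
STANDARD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD_HASHES = {hashlib.sha256(STANDARD_BOOT_CODE).hexdigest()}


def is_sector_shaped(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIG


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries; CHS fields are skipped, LBA fields are little-endian."""
    if not is_sector_shaped(sector):
        raise ValueError("not a 512-byte sector with a 55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_boot_code(sector: bytes, known_good=KNOWN_GOOD_HASHES) -> str:
    """'standard' if the boot code hashes to a known-good value, otherwise 'non-standard'."""
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return "standard" if digest in known_good else "non-standard"


def replace_with_standard_mbr(sector: bytes, standard_code: bytes = STANDARD_BOOT_CODE) -> bytes:
    """Rebuild the sector with clean boot code, keeping disk signature and partition table.

    Only the first 440 bytes are replaced: overwriting bytes 440..511 would change the disk
    signature (which Windows uses to find its boot volume) or destroy the partition table."""
    if not is_sector_shaped(sector):
        raise ValueError("refusing to rewrite something that is not an MBR")
    if len(standard_code) > BOOT_CODE_LEN:
        raise ValueError("standard boot code does not fit in 440 bytes")
    return standard_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def differing_regions(os_view: bytes, direct_view: bytes) -> list:
    """Regions where the sector the OS returns differs from the one read around the hook.

    A non-empty list means a filter is serving a doctored sector: the bootkit tell."""
    return [name for name, start, end in REGIONS
            if os_view[start:end] != direct_view[start:end]]


# Constructed sectors: a clean MBR and an "infected" copy whose boot code was replaced.
_PART_ENTRY = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
               + struct.pack("<II", 2048, 204800))
CLEAN_MBR = (STANDARD_BOOT_CODE + b"\x12\x34\x56\x78" + b"\x00\x00"
             + _PART_ENTRY + b"\x00" * 48 + BOOT_SIG)
INFECTED_MBR = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2) + CLEAN_MBR[BOOT_CODE_LEN:]


if __name__ == "__main__":
    # CLEAN_MBR plays the sector the rootkit shows the OS; INFECTED_MBR the bypass read.
    print("regions hidden by the filter:", differing_regions(CLEAN_MBR, INFECTED_MBR))
    print("boot code actually on disk is", classify_boot_code(INFECTED_MBR))
    print("first partition:", parse_partition_table(INFECTED_MBR)[0])
    repaired = replace_with_standard_mbr(INFECTED_MBR)
    print("after repair:", classify_boot_code(repaired),
          "- partition table intact:", repaired[DISK_SIG_OFF:] == INFECTED_MBR[DISK_SIG_OFF:])
```

The comparison is the whole trick: if the OS-visible sector and the bypass read are identical, either there is no filter or the filter is not touching sector 0, and the hash check then decides whether the code that runs at boot is one you recognise. On a real bootkit the two views differ only in the boot code region, which is exactly the region the repair rewrites.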

If you run Hitman Pro with Early Warning Scoring (a mode for experts) on a Mebroot infected system you can see Cloud Assisted Miniport Hook Bypass in action. If the yellow sticky mentions bypassed then Hitman Pro should be able to detect presence of the rootkit:

The yellow sticky only appears in Early Warning Scoring scan. In the Default Scan or Quick Scan the sticky is not displayed because non-expert users have no idea what a kernel-mode hook is. Of course, when an infected MBR is detected it is listed, regardless of the chosen scan.

Cloud Assisted Miniport Hook Bypass collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.

Available in Hitman Pro 3.5.9 (or newer).

TDL4 bootkit reinstates 64-bit infection capability

May 2, 2011

Microsoft released security update KB2506014 on April 12 to address a vulnerability which allowed unsigned drivers to be loaded by 64-bit Windows. The TDSS/Alureon rootkit family, of which TDL4 is a part, was one of the more advanced rootkits that abused this vulnerability to load the rootkit during Windows boot-up. TDL4 is also known as the Google Redirect Virus.

TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boot up. This gives so called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

We started to see this new variant a few days ago when we received reports that Hitman Pro was no longer able to remove the TDL4 rootkit. Hitman Pro was detecting the presence of the rootkit but it was no longer able to determine its load point, which is needed for the rootkit’s removal. The reports also indicate that the few dedicated TDSS removal tools from other vendors were having difficulty detecting and removing it as well, which is a clear indication that we are dealing with a new variant.

A key survival strategy for rootkits is that they must be undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk driver (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit just serves clean, uninfected data, effectively blinding antivirus and internet security software.

In order to detect the presence of rootkits like TDL4, an antivirus must get around the rootkit’s filtering. Only then can the actual infected disk sectors be read and inspected.

Hitman Pro’s Direct Disk Access technology is specifically made to get around such rootkit techniques by scanning computers at a much deeper level. Many of our first-time users are infected with the TDL4 rootkit, despite up-to-date protection software from renowned security vendors. Even though these vendors frequently write reports about this threat, the rootkit does not appear in any top threat list because most products lack the technology to detect and remove it.

Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. A beta version can be downloaded from here:


Changelog (Build 121)

  • Added detection and removal of latest TDL4 bootkit
  • Improved behavioral scan
  • Improved removal engine
  • Added Indonesian language
  • Updated Czech language

Hitman Pro removes 64-bit TDL3 rootkit

August 30, 2010

We have just released Hitman Pro 3.5.6 build 112 BETA that is capable of removing the 64-bit TDL3 rootkit.


If you find any problems with this beta then contact us: