Large AV players jump on TDL3 bandwagon

June 28, 2010

Regular readers of our blog already know about the TDL3 rootkit (aka TDSS or Alureon). It is a rootkit that uses very sophisticated technology and is able to remain undetected by most antivirus products.

Recently this rootkit also attracted the attention of some of the larger players in the security industry, such as ESET, Kaspersky and F-Secure. And it’s about time! It has already claimed too many victims.

Microsoft reports that it managed to remove 360,000 TDL3 variants from infected computers using its Malicious Software Removal Tool (MSRT). But this only happened after TDL3 drew Microsoft’s attention: TDL3 was incompatible with Microsoft’s MS10-015 patch, causing a large number of computers to become unbootable.

Over 34% of all users that downloaded Hitman Pro in the past weeks were infected with the latest variant of the TDL3 rootkit. This variant (actively spreading since April 2010) is a lot harder to detect and almost impossible to remove.

Most antivirus products prevent the rootkit from infecting the computer, which is a good thing. But unfortunately, only very few vendors are able to actually detect and remove the TDL3 rootkit after it has infected the computer.

Over the past months TDL3 has changed its stealth and protection several times to counteract the few (mostly dedicated) tools that were able to detect and remove it. Hitman Pro 3.5 has been able to detect and remove the TDL3 rootkit since November 2009, and this includes the latest variant.

Hitman Pro 3.5.6 Released

June 21, 2010

After a few weeks of hard work we announce the release of Hitman Pro version 3.5.6.

The biggest change in this release is detection and removal of the latest variants of the TDL3 rootkit (aka Alureon or TDSS), which is currently the most prevalent rootkit. Apart from some dedicated removal tools, Hitman Pro 3.5.6 is currently the only anti-malware application that is able to remove all current TDL3 infections.

In this release we have also improved the removal of Trojans and rootkits that are protected by a kernel thread. Such a thread serves as a watchdog that protects the rootkit’s vital hooks into the operating system. Hitman Pro now tries to knock out this watchdog before removing the actual infection.

We have also added detection and removal of advertising and adult related Tracking Cookies from Internet Explorer, Firefox and Chrome. Removal of these Tracking Cookies is free and doesn’t require a license.

Finally, we have added the Anti-Virus Ballot Screen, which appears when the computer is not protected by an anti-virus program. The screen offers products from our partners, bundled with a FREE Hitman Pro license!

Full Changelog

  • Latest TDL3 (aka Alureon) rootkit detection and removal. Also works in Early Warning Scoring mode (e.g. when the computer does not have an Internet connection to consult the Scan Cloud).
  • Added a sticky TDL3 rootkit detection message. This message appears when the hard disk stack contains a reference to a hidden driver, which is typical TDL3 behavior.
  • Improved removal of Trojans and Rootkits that are protected by a Kernel thread.
  • Added removal of adware and adult related Tracking Cookies in Internet Explorer, Firefox and Chrome. Removal of these Tracking Cookies is free, does NOT require a license.
  • Improved Internet connection detection, e.g. when the connection is hijacked by a local proxy, Hitman Pro will now attempt to bypass it.
  • Authenticode certificates are now handled on a separate thread.
  • Improved handling of files that contain resources with specially crafted data to make Anti-Virus software crash.
  • Small improvement in the hash classifier when performing a right-click scan.
  • New Anti-Virus Ballot Screen which appears when the computer is not protected by an Anti-Virus program, or when the computer is using an AV program that is not compatible with the Windows Security Center. This screen does not appear when you purchased a Hitman Pro license.
  • Return of the AV Scan Cloud vendor icons on the Welcome page.
  • Improved the Intelligent removal of malware related remnants.
  • Updated the French language strings.
  • Updated graphics. More color and detail.
  • Updated internal Whitelists.
  • Several other minor improvements.

The 32-bit version is available now here. Users will be automatically updated to the newest version.

Microsoft cures 260,000 TDL3 infections

May 3, 2010

Microsoft’s Malicious Software Removal Tool (MSRT) cleaned over 260,000 computers that were infected by Alureon (aka TDL3 or TDSS).

MSRT is effective against TDL3 up to version 2.273, but it has no effect against newer versions of TDL3 (spreading since April 2010). Hopefully Microsoft will be able to clean these soon. The good news is that at least these 260,000 people were rescued.

From our own user base, we see that 32,610 computers were infected with TDL3, while 22,607 of these computers (69.3%) had an up-to-date antivirus program installed. Most antivirus programs will be able to prevent an infection. But after the machine is infected, many antivirus programs have difficulty detecting and removing the infection. TDL3 has been spreading since October 2009.

Microsoft unintentionally cleaned virus-infected PCs

February 20, 2010

Unknowingly, Microsoft was able to clean a lot of computers that were infected by the TDL3 rootkit (aka TDSS aka Alureon), although it was a pretty drastic method: when users installed the Windows patch, their computer was unable to boot and had to be restored.

Microsoft recently confirmed that the recent Windows XP crashes were caused by a rootkit called Alureon.

After the patch was released, the authors of the rootkit modified their code and updated their users, but apparently they lost a lot of users.

We currently see a significant reduction in the number of users that are infected by this rootkit and use Hitman Pro to clean their PC. Since mid-January, about 15-20% of the infected Hitman Pro users were infected by this rootkit (TDL3 aka TDSS aka Alureon). After February 10 (when the Windows patch was released) this dropped to below 10%.

Interesting detail: of all the TDL3 infected systems, more than 75% are using an up-to-date antivirus program. Nearly all antivirus programs are still unable to detect a TDL3 rootkit infection.

The TDL3 rootkit authors have fixed their incompatibility with Microsoft’s MS10-015 patch, as can be seen in the right corner of the graph: the rootkit is on the rise again.