Industry News

New Variant of TDL4 Buries Itself Deep into the Hard-Drive to Evade Detection

One of the most difficult-to-remove e-threats in the world, the TDL4 rootkit, appears to be back with a blast. According to a news report from network monitoring specialist Damballa, the new variant has not yet been isolated in binary form; its presence was instead revealed by the “network noise” between the compromised systems and their command-and-control centers.

Named the “indestructible botnet” by some antivirus vendors, the TDL4 infrastructure employs a series of tricks, such as rootkits to conceal its presence on the machine and evade detection, as well as encrypted traffic and peer-to-peer communication with the botmaster.

The new variant is apparently able to infect the Volume Boot Record (VBR) – a special area of the hard-disk drive that is relatively off-limits to consumer-grade antivirus solutions. This trick allows the rootkit to stay completely hidden and – even if found – makes disinfection nearly impossible.

The response to this strain of malware appears to come from the enterprise environment, as business-grade devices come equipped with a special module, called the Trusted Platform Module (TPM). This piece of hardware stores the signatures of critical start-up components of the computer it is installed on and can detect changes at the lower levels of the system.
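As an added illustration of the two points above (an example written for this page, not code from the article or from Damballa, Wave Systems or any other vendor named here): the VBR is an ordinary 512-byte sector that can be read from the disk and parsed, and the TPM-style check the article describes amounts to hashing each boot component into a measurement register and comparing the final value against a known-good one recorded from a clean system. The sector layout follows the public NTFS boot-sector offsets, but the sector contents, the boot-code bytes, the MBR stand-in and the "golden" value are all constructed for the demo; the register update uses the TPM 2.0 SHA-256 extend rule, new = SHA-256(old || SHA-256(component)).

```python
import hashlib
import hmac
import struct

# NTFS-style Volume Boot Record layout (offsets are the public NTFS boot-sector layout;
# the sector content built below is constructed for this demo, not a real disk image).
SECTOR_SIZE = 512
BOOT_CODE_OFFSET = 84      # bootstrap code begins right after the BIOS Parameter Block
SIGNATURE_OFFSET = 510     # 0x55AA marks a valid boot sector


def build_sample_vbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte NTFS-like VBR around the given boot code (constructed sample)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                    # JMP short + NOP, as NTFS boot sectors begin
    sector[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", sector, 11, 512)          # bytes per sector
    sector[13] = 8                                   # sectors per cluster
    struct.pack_into("<Q", sector, 40, 2_097_152)    # total sectors (hypothetical 1 GiB volume)
    code = boot_code[: SIGNATURE_OFFSET - BOOT_CODE_OFFSET]
    sector[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + len(code)] = code
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def parse_vbr(sector: bytes) -> dict:
    """Structural parse of a VBR: validates size and signature, decodes the BPB, hashes the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing boot sector signature 0x55AA")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 11)
    (total_sectors,) = struct.unpack_from("<Q", sector, 40)
    return {
        "oem_id": sector[3:11].decode("ascii", errors="replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sector[13],
        "total_sectors": total_sectors,
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0-style extend on a SHA-256 bank: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Fold each boot component, in boot order, into a register that starts at all zeros like a PCR at reset."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def boot_chain_matches(components, golden_pcr: bytes) -> bool:
    """Attestation-style check: the boot chain is trusted only if the register equals the golden value."""
    return hmac.compare_digest(measure_boot_chain(components), golden_pcr)


# Constructed stage-0 blob standing in for the MBR that runs before the VBR.
SAMPLE_MBR = b"constructed MBR stand-in".ljust(SECTOR_SIZE, b"\x00")
# Innocuous x86 prologue (cli; xor ax,ax; mov ss,ax; mov sp,0x7C00; sti) used as the "known-good" boot code.
GOLDEN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
GOLDEN_VBR = build_sample_vbr(GOLDEN_BOOT_CODE)
# The same sector with one boot-code byte changed; the BPB and the 0x55AA signature stay intact.
TAMPERED_VBR = build_sample_vbr(GOLDEN_BOOT_CODE[:-1] + b"\x90")
# The value an administrator would record from a clean system (constructed here by measuring GOLDEN_VBR).
GOLDEN_PCR = measure_boot_chain([SAMPLE_MBR, GOLDEN_VBR])


def main() -> None:
    for label, vbr in (("clean", GOLDEN_VBR), ("tampered", TAMPERED_VBR)):
        info = parse_vbr(vbr)   # both parse fine: structural checks alone do not reveal the change
        ok = boot_chain_matches([SAMPLE_MBR, vbr], GOLDEN_PCR)
        print(f"{label}: oem={info['oem_id']} boot_code_sha256={info['boot_code_sha256'][:16]}... chain_ok={ok}")


if __name__ == "__main__":
    main()
```

The point the run makes is that the tampered sector is still a perfectly valid VBR (correct signature, correct BPB), so a scanner that only checks structure learns nothing; what exposes the change is comparing the hash of the boot code, or the measurement register it feeds, against a value captured from a clean machine. On a real system the sector would come from the raw device (and the golden value from the TPM's PCR rather than a constant), but the comparison is the same.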

“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed SST.c, infects the Volume Boot Record,” said Joseph Souren, Vice President of trusted computing company Wave Systems in a quote for Net Security.

Even if the TPM can collect data from the computer and correlate it with what happens across the network, TDL4 has traditionally been a complex threat aimed at regular computer users, not at enterprises. This multi-purpose malware family has been used as an accomplice to shady business such as adware delivery, click fraud and massive botnet operations. It may seem that the end-user will remain exposed to this type of threat until antivirus technology catches up and scans and disinfects the VBR area as well.

This is not exactly true: for years, attacks against BIOS chips have been possible, although they would be somewhat complex to carry out successfully. And yet no such incidents have been recorded outside the laboratory, even though no antivirus scans the BIOS area for malicious code, nor would it be able to pluck the code out of the BIOS chip if found. This is mostly because the malicious code is vulnerable until it gets executed on the host machine, and at that point it can easily be intercepted by any decent antivirus solution with behavioral detection.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.