
A New TDL4 with a Stealthy New Twist

In October of 2010, I wrote a blog entry entitled "Alureon Bootkit Trojan - Crossing the 64 bit Barrier" which discussed quite a malicious milestone at that time. 

It is now more than one year later, and the authors behind the TDL4 bootkit have stepped up their game yet again by creating a TDL4 variant with a stealthy new twist: rather than overwriting the Windows MBR code as its predecessor did, this latest TDL4 incarnation leaves the original MBR code fully intact.  Instead, it gains a foothold on the system by creating a new, hidden partition at the end of the hard drive, where it stashes its malicious file system.

The latest bootkit hijacks the Windows boot sequence by creating a new entry in the disk Partition Table that points to the new malicious partition and setting it as the active boot partition.  Designating this "rooted" TDL4 partition as the active partition diverts control to the TDL4 partition at system bootup rather than to the primary Windows partition.  Since this subversion occurs BEFORE Windows loads, the TDL4 rootkit is able to gain full control of the system.

This newly invented creature is, for now, detectable mainly by its infection symptoms and by its resistance to detection and removal:

1.  Browser redirection is still the most noticeable symptom

2.  All scan results, including dedicated MBR and rootkit scanners come back negative or inconclusive

3.  Infects Windows XP and every later version of Windows

4.  If a user has ESET Smart Security onboard, its resident protection monitor will alert with: "Win32/Olmarik.TDL4 trojan in operating memory unable to clean"

5.  Multiple Internet Explorer processes (that were not invoked by the user), persistently run in the background and respawn if they are terminated

6.  Executing Bootrec /fixmbr from the Windows Recovery Environment will no longer be effective in removing the rootkit because this new TDL4 variant does not modify the original Windows MBR code

7.  Executing Bootrec /fixboot from the Windows Recovery Environment is likely to result in a non-booting system, because /fixboot will attempt to repair the boot sector of the active (TDL4) partition while leaving the malicious entry in the partition table intact.
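Because this variant leaves the MBR code alone and only adds a partition-table entry, the thing worth inspecting is the partition table itself: which entry carries the active (0x80) flag, and whether that entry is a small partition sitting at the very end of the disk behind the real Windows partitions. The script below is an added example, not code from this post or from the ESET article it cites. It parses the four 16-byte entries of a 512-byte MBR sector, reports which one is active, and flags the layout the text describes. The two sample layouts (a normal "System Reserved + Windows" disk, and the same disk with an extra active 8 MiB partition at the end), the disk size, the 64 MiB cut-off for "small", and the type code used for the hidden partition are all constructed for the example; the real TDL4 partition's type code and size are not stated on this page, so the cut-off is a heuristic assumption, not a signature. `read_mbr()` shows how the same check would be run against a raw disk image or device.

```python
import struct

SECTOR_SIZE = 512
ACTIVE_FLAG = 0x80
PT_OFFSET = 0x1BE                 # start of the four 16-byte partition entries
# Heuristic cut-off (assumption): an active partition at most this large and at
# the end of the disk, on a disk that also holds other partitions, is suspicious.
MAX_HIDDEN_SECTORS = 64 * 1024 * 1024 // SECTOR_SIZE

# Constructed disk geometry: ~465 GiB in 512-byte sectors.
DISK_SECTORS = 976_773_168

# Layouts are lists of (boot_flag, type_code, lba_start, size_in_sectors).
# Constructed "clean" Windows 7 layout: 100 MiB System Reserved (active) + Windows.
CLEAN_LAYOUT = [
    (0x80, 0x07, 2048, 204_800),
    (0x00, 0x07, 206_848, 976_000_000),
]
# Constructed "infected" layout: same partitions, but the active flag has moved to
# a new 8 MiB entry placed in free space at the end of the disk. The 0x07 type
# code for the hidden entry is a placeholder, not the real variant's type code.
INFECTED_LAYOUT = [
    (0x00, 0x07, 2048, 204_800),
    (0x00, 0x07, 206_848, 976_000_000),
    (0x80, 0x07, 976_741_000, 16_384),
]


def build_mbr(entries, disk_signature=0x12345678):
    """Build a 512-byte MBR from up to four layout tuples. The code area is
    zero-filled: this is a constructed sample, not real boot code."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 0x1B8, disk_signature)
    for i, (flag, ptype, start, size) in enumerate(entries[:4]):
        off = PT_OFFSET + 16 * i
        # CHS fields are left zero; modern tools rely on the LBA start/size fields.
        struct.pack_into("<B3sB3sII", mbr, off, flag, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[0x1FE:0x200] = b"\x55\xAA"  # boot signature
    return bytes(mbr)


def read_mbr(path):
    """Read the first sector of a disk image or block device."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dicts (index, active, type, start, size, end)."""
    if len(mbr) < SECTOR_SIZE or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and size == 0:
            continue  # unused slot
        parts.append({"index": i, "active": flag == ACTIVE_FLAG, "type": ptype,
                      "start": start, "size": size, "end": start + size})
    return parts


def find_anomalies(parts, disk_sectors):
    """Flag partition-table conditions consistent with an added, active tail partition."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} entries carry the active flag; exactly one is expected")
        return findings
    a = active[0]
    last = max(parts, key=lambda p: p["end"])
    if a is last and a["size"] <= MAX_HIDDEN_SECTORS and len(parts) > 1:
        mib = a["size"] * SECTOR_SIZE // 2**20
        findings.append(f"active entry {a['index']} is a small ({mib} MiB) partition at the "
                        f"end of the disk (LBA {a['start']}-{a['end']}); the boot flag should "
                        f"normally be on the Windows system partition")
    for p in parts:
        if p["end"] > disk_sectors:
            findings.append(f"entry {p['index']} extends past the end of the disk")
    ordered = sorted(parts, key=lambda p: p["start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["end"] > nxt["start"]:
            findings.append(f"entries {prev['index']} and {nxt['index']} overlap")
    return findings


def scan_image(mbr, disk_sectors=DISK_SECTORS):
    return find_anomalies(parse_partition_table(mbr), disk_sectors)


if __name__ == "__main__":
    for name, layout in (("clean", CLEAN_LAYOUT), ("infected", INFECTED_LAYOUT)):
        result = scan_image(build_mbr(layout))
        print(f"{name}: {result or ['no partition-table anomalies']}")
```

On a real machine you would feed `read_mbr()` a disk image taken from the suspect drive (or the raw device from a boot CD) and compare the reported active entry with what GParted shows; the entry this script flags is the one whose boot flag you clear and then delete in the GParted procedure linked at the end of the post.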

Most of the information I have written about was gathered from the article entitled TDL4 Rebooted, published by David Harley on the ESET Threat Blog, and from the personal experience I gained while helping infected users on the online security forums.

I've proposed a simple method to remove this new TDL4 beast by booting to a GParted ISO and modifying the TDL4 entry in the disk partition table, described in this article:

Using GParted to Edit the Partition Table & Manage Partitions

Performing this procedure on a computer infected with the NEW TDL4 variant should completely deactivate and remove the infection.

