Microsoft patches TDL4 rootkit on 64-bit (& 32-bit) systems

Ex_Brit

Note from me: There is an extra version of April's Malicious Software Removal Tool (mrt.exe), along with miscellaneous security updates, some optional, available on Windows/Microsoft Update; these apply to all systems (XP, Vista and Windows 7, both 32- and 64-bit).

Modifications made as part of a Windows update released by Microsoft this week effectively kill the notorious TDL4 rootkit on 64-bit Windows Vista and 7.

Since 64-bit Windows only accepts digitally-signed drivers, there are very few rootkits that manage to infect such systems.

One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, making it possible to modify the operating system from the first moment it starts.

On 64-bit systems, it leverages a BCD (Boot Configuration Data) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS.

On Tuesday, Microsoft released KB2506014, an update which according to the corresponding advisory "addresses a method by which unsigned drivers could be loaded by winload.exe."

Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol.

Under normal circumstances TDL4 checks the size of this file's export directory and replaces it with its own malicious version. According to the ESET researchers, the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it.
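The kdcom.dll half of the mitigation can be verified offline. The following is an added example (not code from the article, ESET or Microsoft) that walks a PE32/PE32+ export table with only the standard library and reports whether the KdReserved0 export is present; the default System32 path is an assumption, so pass another path if needed.

```python
import struct
import sys

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def export_names(data):
    """Return the exported symbol names of a PE32/PE32+ image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directory 0 (export table) sits at +96 in PE32 and +112 in PE32+.
    exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
    if exp_rva == 0:
        return []                                          # no export directory
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: VirtualAddress +12, SizeOfRawData +16, PointerToRawData +20
        sections.append(struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12))
    exp = _rva_to_offset(exp_rva, sections)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]                        # NumberOfNames
    names = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    result = []
    for i in range(num_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names + 4 * i)[0], sections)
        result.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return result

def has_kdreserved0(path):
    """True if the kdcom.dll at `path` carries the KdReserved0 export the update added."""
    with open(path, "rb") as f:
        return "KdReserved0" in export_names(f.read())

if __name__ == "__main__":
    # Default path is an assumption (kdcom.dll normally lives in System32).
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\kdcom.dll"
    print("%s: KdReserved0 %s" % (target, "present" if has_kdreserved0(target) else "absent"))
```

The BCD half of the fix can be checked on a live system with `bcdedit /enum all`, which lists `winpe Yes` on any loader entry where the WinPE flag is set.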

They also point out that users of 32-bit Windows won't benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems.

"Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ," they write.
Softpedia Article