TDSS: The Next Generation
Win32/Olmarik (also known as TDSS, TDL, Alureon and sundry less complimentary names) has gone through some interesting evolutions in the last couple of years.
TDL4 is no exception, with its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
In a new ESET white paper on The Evolution of TDL: Conquering x64, Eugene Rodionov and Aleksandr Matrosov look at the GangstaBucks gang that has been distributing TDSS since DogmaMillions shut up shop, then dive deeper into analysis of the bootkit.
You may also find their previous white paper TDL3: The Rootkit of All Evil? and Virus Bulletin article Rooting about in TDSS* of interest.
* Available on the white papers page by courtesy of Virus Bulletin, who hold the copyright.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
4 Responses to “TDSS: The Next Generation”
March 30th, 2011 at 11:29 am
Your links are broken.
March 30th, 2011 at 11:41 am
?!*?£$! Again!!!! Thanks, Henri. Fixed, I hope.
March 30th, 2011 at 3:15 pm
Great write-up, David – thank you.
Are the in working order – are they current?
Regards,
March 30th, 2011 at 11:58 pm
Randy, do you mean the links? They were mysteriously corrupted when the post was posted. That happens on this blog occasionally: I must remember to check them after they're posted as well as before, but it hasn't happened for a while and I got sloppy.