#webscene


TDL4 Starts Using 0-Day Vulnerability

Title: TDL4 Starts Using 0-Day Vulnerability
Type: E-Book
Language: English
Author: Sergey Golovanov
Author website: http://www.securelist.com/en/userinfo/72
Description:

The Evolution of TDL: Conquering x64

Eugene Rodionov (Malware Researcher) and Aleksandr Matrosov (Senior Malware Researcher)

Introduction

It has been about two years since the Win32/Olmarik family of malware (also known as TDSS, TDL and Alureon) started to evolve. The rootkit's authors implemented one of the most sophisticated and advanced mechanisms for bypassing the various protective measures and security mechanisms embedded in the operating system. The fourth version of the TDL rootkit family is the first reliable and widely spread bootkit targeting x64 operating systems such as Windows Vista and Windows 7. The active spread of TDL4 started in August 2010, and several versions of the malware have been released since then.

Compared with its predecessors, TDL4 is not just a modification of the previous versions but new malware. Several parts have been changed, but the most radical changes were made to its mechanisms for embedding itself into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and to install kernel-mode hooks with kernel-mode patch protection (PatchGuard) enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals.

It is the abundance of references to TDL4, combined with the absence of a fully comprehensive source of essential TDL4 implementation detail, that motivated us to start this research. In this report we investigate the implementation details of the malware and the ways in which it is distributed, and consider the cybercriminals' objectives. The report begins with information about the cybercrime group involved in distributing the malware; afterwards we go deeper into the technical details of the bootkit implementation.
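The introduction above describes TDL4 as a bootkit that survives reboot, which means its persistent component is written into the first sector of the disk rather than into a file the operating system can scan. The first check an incident responder wants is therefore whether the master boot record still matches a known-good copy. The script below is an added example for this page, not code from the ESET paper or from the malware: it parses a 512-byte MBR, verifies the 0x55AA signature, lists the partition table, compares the 446-byte boot-code region against a baseline SHA-256, and reports how many sectors lie beyond the last partition (unallocated tail space is where a bootkit can keep its own storage, so it is worth imaging). The MBR bytes, the baseline hash and the disk size are all constructed for the example.

```python
"""
MBR integrity check (added example). Parses a master boot record, verifies
its signature, lists the partition table, and compares the boot-code region
against a known-good hash so that a rewritten first sector stands out.
All sample data below is constructed; none of it is taken from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader stub
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
PART_ENTRY_FMT = "<B3sB3sII"


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition-table entries as dicts (empty entries included)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return parts


def check_mbr(mbr: bytes, known_good_sha256: str, disk_sectors: int) -> dict:
    """Run all checks and return the findings; a malformed MBR yields failed checks, not an exception."""
    findings = {
        "signature_ok": False,
        "boot_code_ok": False,
        "boot_code_sha256": None,
        "partitions": [],
        "unallocated_tail_sectors": 0,
    }
    if len(mbr) != SECTOR_SIZE:
        return findings
    findings["signature_ok"] = mbr[510:512] == MBR_SIGNATURE
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    findings["boot_code_sha256"] = digest
    findings["boot_code_ok"] = digest == known_good_sha256
    parts = parse_partitions(mbr)
    findings["partitions"] = parts
    # Sectors past the end of the last allocated partition: unallocated space
    # the OS never looks at, and therefore a place to image and inspect.
    last_end = max((p["lba_start"] + p["sectors"] for p in parts if p["sectors"]), default=0)
    findings["unallocated_tail_sectors"] = max(disk_sectors - last_end, 0)
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from a boot-code stub and (bootable, type, lba_start, sectors) tuples.
    Constructed test data only; CHS fields are zeroed because the check uses LBA values."""
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                    ptype, b"\x00" * 3, lba_start, sectors)
        for bootable, ptype, lba_start, sectors in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + MBR_SIGNATURE


# Constructed baseline: a short stub (xor ax,ax / mov ss,ax / mov sp,7C00h) standing in
# for the known-good loader, one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
PARTITIONS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
DISK_SECTORS = 2048 + 204800  # constructed disk exactly filled by the partition

# Constructed "infected" sector: same partition table, boot code replaced with
# different bytes, which is the shape an MBR bootkit infection takes.
INFECTED_BOOT_CODE = b"\xEA\x00\x7C\x00\x00" + b"\x90" * 16
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)

if __name__ == "__main__":
    for label, mbr, size in (("clean", CLEAN_MBR, DISK_SECTORS),
                             ("infected", INFECTED_MBR, DISK_SECTORS + 4096)):
        result = check_mbr(mbr, KNOWN_GOOD_SHA256, size)
        print(label, "signature_ok=%s boot_code_ok=%s tail=%d" % (
            result["signature_ok"], result["boot_code_ok"], result["unallocated_tail_sectors"]))
```

On a live system the 512 bytes come from reading the first sector of the physical disk (for example `\\.\PhysicalDrive0` on Windows, opened with administrator rights); the baseline hash should be taken from the same machine before any incident, or from a clean installation of the same Windows build, since the stock boot code differs between versions. Note that the partition table alone tells you nothing: an MBR bootkit keeps the table intact so the system still boots, which is why the comparison is made on the boot-code region only.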

Published: 2019-05-23 02:43:55
Publisher: Digital.Spirit