TDL4 TDSS Bootkit gets improved

The improvements in the new TDL4 bootkit versions are suggesting that the original code was outsourced. For example in the older TDL4 versions the computer infection was initialized by infecting the Master Boot Record(MBR) of the hard disk with malicious code and the attempts to fix it were initially thwarted hooking and malforming the disk read-write operations.

In the recent TDL4 versions, the bootkit does not infect the MBR anymore, instead it creates its own primary and hidden partition with a new improved virtual file system at the end of the hard disk, add an entry in the partition table pointing to it and mark it as active, that’s mean bootable, the original one containing Windows remaining as a simple non-bootable primary partition. The MBR modifications are malicious in their meaning but do not contain any malicious code.

As a parenthesis, it must be said that the standard MBR layout supports only four entries as primary partitions in the partition table and only one must be marked as bootable.

In the new TDL4 scheme, the initializing sequence is as follows: computer BIOS reads the MBR of the hard disk, finds the primary partition marked as active(bootable) and transfers the control to its VBR. The infected VBR transfers the control to the bootkit “loader” which is responsible for bootkit components loading and finally for transferring the control to the original active partition which contains Windows. The bootkit components were renamed, for example the bootkit “loader” is not ldr16 anymore like in earlier TDL4 versions, instead it is now named boot.

The virtual file system of the malicious partition was improved aswell by extending its capacity to hold more than 15 files how it was in the earlier version, being now ready to be fulfilled until it reach the partition size. Also two new features were added to the bootkit: it can now do a CRC check on its components and if any file modification is detected the respective file is removed from the malicious file system or even the execution flow is stopped and the computer becomes unbootable. The second new feature is the checks performed by the bootkit dropper in order to detect if it runs in a virtual environment attempting to complicate the malware analysis and implicitly its detection.

Named MAXSS by Bitdefender security provider or  Win32/Olmasco.R(the dropper) by ESET, the new TDL4 variants prove that the bootkit is under a continue development, but strictly monitored by security companies.

Keep safe !

Posted in Thoughts.

One Response

Leave a Reply