April 16th, 2011, 07:25 GMT

Microsoft Patch Disables TDL4 Rootkit on 64-Bit Windows

Microsoft kills TDL4 rootkit on x64 Windows
Modifications made as part of a Windows update released by Microsoft this week effectively kill the notorious TDL4 rootkit on 64-bit Windows Vista and 7.

Since 64-bit Windows only accepts digitally signed drivers, very few rootkits manage to infect such systems.

One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, which allows it to tamper with the operating system from the first moment it starts.

On 64-bit systems, it leverages a BCD (Boot Configuration Data) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS.

On Tuesday, Microsoft released KB2506014, an update which according to the corresponding advisory "addresses a method by which unsigned drivers could be loaded by winload.exe."

Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol.

Under normal circumstances, TDL4 checks the size of this file's export directory and then replaces the file with its own malicious version. According to the ESET researchers, the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it.

They also point out that users of 32-bit Windows won't benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems.
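The kdcom.dll change described above can be verified on disk. As an added example (not from the article, Microsoft or ESET), this stdlib-only Python script walks a PE file's export directory and reports whether the KdReserved0 export is present; build_test_dll constructs a minimal PE32+ fixture for testing and is not a real kdcom.dll.

```python
import struct

def _rva_to_off(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x outside any section" % rva)

def exported_names(data):
    """Return the exported symbol names of a PE32/PE32+ image (stdlib only)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]                      # 0x20B = PE32+, 0x10B = PE32
    # Export table is data directory 0; directories start at optional-header offset 112 (PE32+) or 96 (PE32)
    exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
    if exp_rva == 0:
        return []                                                       # image exports nothing
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)   # VirtualSize, VirtualAddress,
                for i in range(nsec)]                                           # SizeOfRawData, PointerToRawData
    exp = _rva_to_off(exp_rva, sections)
    n_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)  # NumberOfNames, AddressOfFunctions, AddressOfNames
    table = _rva_to_off(names_rva, sections)
    offs = [_rva_to_off(struct.unpack_from("<I", data, table + 4 * i)[0], sections) for i in range(n_names)]
    return [data[o:data.index(b"\0", o)].decode("ascii") for o in offs]

def has_kb2506014_export(data):
    """True if the image carries the KdReserved0 export the update added to kdcom.dll."""
    return "KdReserved0" in exported_names(data)

def build_test_dll(names):  # constructed minimal PE32+ with one .edata section; NOT a real kdcom.dll
    sec_va, sec_raw, n = 0x1000, 0x200, len(names)
    funcs, name_ptrs, ords = sec_va + 40, sec_va + 40 + 4 * n, sec_va + 40 + 8 * n
    strings, rvas = b"", []
    for nm in names:
        rvas.append(ords + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)   # IMAGE_EXPORT_DIRECTORY
    body += b"".join(struct.pack("<I", 0x2000 + i) for i in range(n))                    # dummy function RVAs
    body += b"".join(struct.pack("<I", r) for r in rvas) + b"".join(struct.pack("<H", i) for i in range(n)) + strings
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", sec_va, 40) + b"\0" * 120   # 240-byte optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sec = b".edata\0\0" + struct.pack("<IIII", len(body), sec_va, len(body), sec_raw) + b"\0" * 16
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(sec_raw, b"\0") + body
```

On a real 64-bit Vista or 7 system, pass the bytes of %SystemRoot%\System32\kdcom.dll to has_kb2506014_export; a False result means the patched kdcom.dll described above is not in place.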

"Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ," they write.
