May 3, 2011 15:26 GMT  ·  By

TDL4, one of the most sophisticated rootkits capable of infecting 64-bit Windows systems, was updated by its developers to bypass a recent Microsoft patch that interfered with its operation.

During last month's Patch Tuesday, on April 12, Microsoft issued an update that made some changes specifically designed to disable TDL4's hiding mechanism.

TDL4 is part of the notorious TDSS family of rootkits and was the first rootkit capable of infecting 64-bit Windows systems.

By default, 64-bit versions of Windows 7 and Vista only accept digitally signed drivers; therefore the vast majority of rootkits, which use custom drivers to interact with the disk and hide their presence, can't function on such systems.

TDL4 is different because it patches the Windows Boot Configuration Data (BCD) in real time in a way that allows it to bypass the OS driver signature check.

One of the modifications made by Microsoft's KB2506014 update changed the size of kdcom.dll's PE export directory, in order to interfere with the TDL4 infection routine, which checks this value to determine whether the file needs to be replaced with a rogue version.
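The field at issue is a single entry in the PE optional header: the size of kdcom.dll's export data directory, which the original TDL4 infection routine compared against an expected value and which KB2506014 altered. As an added example, not code from the article or from Prevx, the following Python reads that entry (data directory index 0) from a PE32 or PE32+ header and reports whether it differs between two builds of a file; the sample images and their export sizes are constructed inline and are not taken from kdcom.dll.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional-header magic values

def export_directory(pe: bytes):
    """Return (rva, size) of the export data directory (entry 0) of a PE image,
    or None if the optional header carries no export entry."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)          # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    opt_size, = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:          # 32-bit layout
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:    # 64-bit layout (kdcom.dll on x64 Windows)
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs, = struct.unpack_from("<I", pe, opt + ndirs_off)   # NumberOfRvaAndSizes
    if ndirs < 1 or dirs_off + 8 > opt_size:
        return None
    return struct.unpack_from("<II", pe, opt + dirs_off)     # (VirtualAddress, Size)

def export_size_changed(before: bytes, after: bytes) -> bool:
    """True when the export directory size differs between two builds of a file."""
    return export_directory(before)[1] != export_directory(after)[1]

def build_sample_pe(export_rva, export_size, pe32plus=True):
    """Constructed minimal PE header (no sections) used as sample input only."""
    magic, ndirs_off, dirs_off = (PE32PLUS_MAGIC, 108, 112) if pe32plus else (PE32_MAGIC, 92, 96)
    ndirs = 16
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    opt_size = dirs_off + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, ndirs_off, ndirs)
    struct.pack_into("<II", opt, dirs_off, export_rva, export_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":  # constructed before/after images with differing sizes
    old, new = build_sample_pe(0x3000, 0x5A), build_sample_pe(0x3000, 0x74)
    print(export_directory(old), export_directory(new), export_size_changed(old, new))
```

Pointing `export_directory` at a real file read from disk turns it into a quick integrity check for whether a patch changed this header field.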

According to researchers from security vendor Prevx, the TDL4 developers reacted to this change by releasing a new version of the rootkit that no longer performs this check.

Instead, it patches Windows' digital signature check routines for kdcom.dll directly so that they return an error the system doesn't recognize, forcing it to proceed with the boot routine normally.

In addition, the rootkit's developers changed the way in which it hooks the system's miniport disk driver, a method that had allowed anti-malware programs to detect its presence.

"As we already know, TDL4 rootkit steals the driver object of the last miniport driver and hijacks the disk driver's DR0 device, attaching it to its own filtering device. By walking the rootkit driver's chain of devices, it was trivial to get a pointer to the real hooked miniport driver object.

"This geometric structure helped many tools in spotting the presence of the TDL rootkit active in the system. Current TDL4 release removes every reference to the hooked miniport driver object, bypassing many AntiRootkit TDL4 detection routines," explains Prevx's Marco Giuliani.