Free ebooks ==> www.Ebook777.com
1
What’s in a Rootkit: The TDL3 Case Study
This chapter describes the TDL3 rootkit, a Windows rootkit that can serve as an example of
advanced control and data flow hijacking techniques that leverage the lower layers of the OS
architecture. Although TDL3’s infection mechanism has been rendered ineffective by
Microsoft’s kernel integrity measures introduced in 64-bit Window systems, these techniques for
interposing code within the kernel are still valuable. Indeed, TDL3 has been succeeded by TDL4,
which shares much of its evasion and anti-forensic functionality, but turned to bootkit techniques
to circumvent the Windows Kernel-mode Code Signing mechanism in 64-bit systems to carry
out its infection; we will describe these techniques in the chapter on bootkits.
This family of malware is also known as TDSS, Olmarik, or Alureon. Such profusion of
names for the same family is not uncommon, since antivirus vendors tend to come up with
different names in their reports, and it is also common for the same research team to assign
different names to different components of a common attack, especially during the early stages
of analysis.
Throughout this chapter we will point out specific OS interfaces and mechanism that TDL3
subverts. Our goal here is to show how this and similar rootkits are designed and how they work;
in chapter 3 we will show how they can be discovered, observed, and analyzed, and discuss the
tools to do so.
TDL3 distribution in the wild
First seen in 2010
1
, the TDL3 rootkit was one of the most sophisticated examples of malware
developed up to that time and its sophisticated stealth mechanisms posed a challenge to the entire
antivirus industry (and so did its successor TDL4, which extended TDL3 with bootkit technology
and became the first widely spread bootkit for the x64 platform).
TDL3 was distributed using a Pay-Per-Install (PPI) business model via the affiliates
DogmaMillions and GangstaBucks (since then taken down). The PPI scheme, popular among
cybercrime groups, resembles schemes commonly used for distributing browser toolbars.
Toolbar distributors have a special build with an embedded identifier (UID). This allows the
developer to calculate the number of installations (number of users) associated with that UID
(unique identifier provided to each downloaded package) and therefore for determining revenue.
1
http://www.eset.com/us/resources/white-papers/TDL3-Analysis.pdf
Rootkits and Bootkits (Early Access)
© 2015 by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
www.Ebook777.com
