The TDL3 rootkit is a sophisticated rootkit variant that targets 64-bit machines. It gains control during the boot sequence by altering the Master Boot Record, avoiding detection from security preventions. The TDL3 rootkit encodes and decrypts files to avoid detection, hunts for processes to infect, and has mechanisms to prevent removal like a watchdog thread. It was the first significant 64-bit rootkit and poses risks as malware evolves in an ongoing security "chess match".

1. TDL3 Rootkit
A Sans NewsBite Analysis by
Marshall Washburn

2. Topic: TDL3 Rootkit variant
• SANS NewsBites - Volume: XII, Issue: 70
(August 26, 27 & 30, 2010)
• TDL3 Rootkit, version 3.273
• Combination of MBR rootkit, Rustock.C and
old Tdss variants.
• Stealthiest in the world.

3. Rootkits
• Wikipedia – “A rootkit is software that enables
continued privileged access to a computer,
while actively hiding its presence from
administrators by subverting standard
operating system functionality or other
applications”
• High risk, 1-in-5 Windows machines.
• “Root” and “kit”

4. Rootkits
• Netsecurity.about.com – “A rootkit allows
someone, either legitimate or malicious, to
maintain command and control over a
computer system, without the computer
system user knowing about it”
• Typically 32-bit problems

5. Rootkits
• Rootkit are not really viruses
• Machine independent
• Remote access
• Anti-virus level access

6. Prevention
• Digital Signature check for rogue drivers
• “PatchGuard” prevents some changes to
Windows kernel.
• Vista and Win7 do not allow Admin

7. TDL3 Rootkit
• Also known as Alureon rootkit
• More sophisticated
• Version 3.273
• Targets 64-bit machines that were previously
considered safer
• Spread through websites and exploit kits

8. TDL3 Rootkit
• Gains control during the boot sequence
• Alters Master Boot Record. This gets around
the 1st two preventions.
• Enacts a restart, which loads the altered MBR
and catches process signals.
• Encrypted with ROR loop (rotate right).

9. TDL3 Rootkit Details
• Kernel code appears as raw bytes, passes
security.
• TDL3 encodes and decodes files on the fly, so it
can pass as being a piece of the kernel code.
• At startup, hunts for driver object.
• Overwrites 824 bytes, avoiding file size check
• Fake driver object, captures disk I/O, hunts for
kernel32.dll
• Infection

11. TDL3 Rootkit
• Has a watchdog thread to prevent any change to
the service registry key
• No one can get a handle to infected driver file(red
flag)
• In Feb. it caused BSOD with MS10-015 update
• RVA(Relative Virutal Address) offsets of Windows
kernel APIs modified and use them to find
functions. On the update, the values were
changed. After restart, the rootkit called an
invalid address

12. TDL3 fights back
• While this caused a BSOD, it did bring notice
to a potential problem
• TDL3 authors updated within hours that
worked with the update.
• Process was called tdlcmd.dll or z00clicker.dll

13. TDL3 Rootkit
• First significant 64-bit rootkit
• Malware begets more malware
• Anti-virus lag
• Security chess match

14. Cited Sites
• http://www.guidingtech.com/4467/what-is-a-
rootkit/
• http://www.prevx.com/blog/154/TDL-rootkit-
x-goes-in-the-wild.html
• http://www.prevx.com/blog/143/BSOD-after-
MS-TDL-authors-apologize.html
• http://www.prevx.com/blog/139/Tdss-rootkit-
silently-owns-the-net.html