Microsoft patches TDL4 rootkit on 64-bit (& 32-bit) systems

Ex_Brit

If you're going through hell, keep going
Staff member
#1
Note from me: There is an extra version of April's Malicious Software Removal Tools (mrt.exe), along with miscellaneous security updates, some optional, available on Windows/Microsoft Update and apply to all systems XP, Vista and Windows 7, both 32 and 64-bit).

Modifications made as part of a Windows update released by Microsoft this week effectively kill the notorious TDL4 rootkit on 64-bit Windows Vista and 7.

Since 64-bit Windows only accepts digitally-signed drivers, there are very few rootkits that manage to infect such systems.

One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, making it possible to modify the operating system since the first moment it starts.

On 64-bit systems, it leverages a BCD (Boot Configuration Data) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS.

On Tuesday, Microsoft released KB2506014, an update which according to the corresponding advisory "addresses a method by which unsigned drivers could be loaded by winload.exe."

Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol.

Under normal circumstances TDL4 checks the size of this file's export directory and replace it with its own malicious version. According to the ESET researchers the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it.

They also point that users of 32-bit Windows won't benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems.

"Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ," they write.
Softpedia Article
 
Last edited:

mqudsi

Mostly Harmless
Staff member
#2
!! WinPEMode was the last known remaining way of bypassing the 64-bit driver verification checks. Microsoft pretty much made it clear that any software or company that provided a way to do this would be shut down (they revoked a guy's Verisign authentication and, if I'm not mistaken, either threatened or initiated litigation).

I first came across it in the registry, then again here in the list of undocumented BCD internals: Geoff Chappell, Software Analyst - Viewer

Sorry to see it go.