[Meriadoc]

Probably this is only debug versions :)

"we gonna make our own tdl4! With blackjack and hookers"

lol

Lol, 'In fact, forget tdl4.' :)

[SecConnex]

Keep in mind, PatchGuard is only a barrier...not a total block. It keeps user-mode malware from patching the kernel. But, what about kernel-mode malware? Cannot help that.

No matter what, if a kernel driver attempts to intercept with another kernel driver with the correct instructions, it's going to override PatchGuard.

As long as descriptor tables do not get modified, or patching kernel code, malware can get in.

[EP_X0FF]

Dropper of this new TDL is priority target. This TDL includes (at it's FS) two workable loaders - one for 32 (ldr32) and one for 64 (ldr64), it also keeps copy of original mbr now (like with resource section earlier). Any clue how it installs on x64?

[SecConnex]

There definitely has to be a spot, which the malware authors have found that is vulnerable. And the best time to strike, would be when Microsoft is busiest dealing with other vulnerabilities.


NtQueryVirtualMemory?


Looks like malware authors purchased/stole a new certificate.

Look at this: http://fyyre.ivory-tower.de

[EP_X0FF]

And? What is the point in this function? Bootkit solves all problems with certificates. There is no need to steal what you simple don't need.

[Elite]

So has the source been sold?

[DiskOgre]

I find it hard to believe that the source would be sold. This rootkit is far too profitable and effective, and the changes are obviously big and done by professionals. Seems to me that this is just the test run of what's likely to be TDL4, working-out the kinks before it replaces TDL3 entirely.

Now, to find a dropper...

[Fyyre]

PEAUTH need not be set to manual, that is something I found out later, but never bothered to update the original document.

If TDL authors received any inspiration from my bootkit_fasm, then I will say "neat". I am glad someone is able to apply this idea elsewhere..

-Fyyre

You actually know that 64-bit drivers must be signed? Without stealing a certificate or abusing an already signed driver there are bootkits the only way to get in.

Code: Select all

;To disable driver signature enforcement requires service PEAUTH set to Manual or Disabled.
;
;SepInitializeCodeIntegrity calls CIInitialize in CI.dll, if we do not manual/disable the
;service PEAUTH (peauth.sys), a BSOD will occur at the logon screen.  (peauth calls invalid
;memory).

[a_d_13]

Hello,

I can now confirm that the latest TDL3 has a working 64-bit driver. It supports injecting into 32- and 64-bit processes from kernel-mode, and is capable of hiding data just like the 32-bit version.

Thanks,
--AD

[EP_X0FF]

The same LoadImage notify routine, the same APC, and added logic to determine type of process to inject.
Ironically it appears that 32 bit Windows is more protected than x64.

Welcome to x64 rootkits era.

So has the source been sold?

Long time ago, remember z00clicker version? :)

I believe time from April to August was used to create this cross-platform TDL. Four month is very matching to required R&D. This explains why was nothing new from tdl stuff these time.
And currently we watch some sort of beta releases.