New TDL Clones in the Wild

Răzvan STOICA

April 30, 2013

Promo Protect all your devices, without slowing them down.
Free 30-day trial
New TDL Clones in the Wild

New TDL clones are making the rounds these days, according to Bitdefender Labs antimalware researcher Marius Tivadar. The samples in question (which are just now completely analyzed) date from the beginning of April.


The basics are the same as for any other TDL variant – the master boot record gets infected, there is a 16-bit component and 32/64 bit DLLs.

Taking a look at the code, we can see that to decrypt the sectors where the components are stored, the RC4 key used is also XORed with 0x42965246:

snippet_mbr

The encrypted filesystem looks like this:

fs
and we can see that, unlike other TDL clones, all the files have names made up exclusively of digits (perhaps chosen at random)
Previous clones used intuitive names for files: ldr16/ldr32/ldr64/mbr.

The configuration file is almost unchanged, except there aren’t almost any readable strings:

cfg

 

while the mbr loader binary looks like this:

mbr

Unfortunately, the TDL bootkit family remains relatively unknown in the wider IT security community, as the low detection rates from other major antivirus companies prove.

Bitdefender antimalware researchers have updated the free rootkit remover to deal with the latest TDL clones.

tags


Author


Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.

View all posts

You might also like

Bookmarks


loader