TDSS Bootkit Spawns Clones

TDL 4 variants have surfaced recently, making security researchers suspect that the code may have been sold on the black market.

It seems VXers are already at work making it more dangerous and one of the main areas of innovation seems to be the file system used.

fs-tdl — TDL4 FileSystem, the original. A more recent sample will look a little different.

Two new off-shoots have attracted the attention of Bitdefender antivirus researchers in the past month.

The Sst family, also known as MAXSS, is provided with a new and different type of virtual filesystem for storing its own executable modules. The bootkit even comes with anti-tampering features akin to those used by Windows itself – it does a CRC check on its components at boot time and halts the system if it detects any changes.

MAXSS/SST filesystem — MAXSS/SST FileSystem - Components look almost like those in TDL4

In its most recent incarnation, Sst goes one better (worse?), by storing the actual boot-loader in a new, separate, bootable partition of its own creation.

In this manner, it avoids altering the MBR of the original system disk, further complicating detection. It seems to work, too, as many AV products are still unable to find and clean recent variants of Sst.

The Pihar family is another notable offshoot of the TDSS family tree. Detected by Bitdefender in three separate variants so far, Pihar makes use of a simpler filesystem to store itself and its payload, and skips encryption altogether.

Pihar FileSystem hex dump — Pihar FileSystem - Components with different names

“We will continue to give special attention to these e-threats which are emerging even as TDL4 development appears to have stagnated” concluded Bitdefender antivirus researcher Marius Tivadar.

Free-as-in-beer TDSS removal tools have been released by Bitdefender. Get them here while they’re hot.