TDL3 rootkit is one of the most advanced rootkit ever seen in the wild. The rootkit was stable and could infect 32 bit Windows operating system; although administrator rights were needed to install the infection in the system.
TDL3 has now been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system!
x64 versions of Windows are considered much more secure than their respective 32 bit versions because of some advanced security features which are intended to make it more difficult getting into kernel mode and hooking the Windows’s kernel.
Windows Vista 64 bit and Windows 7 64 don’t allow every driver to get into kernel memory region due to a very strict digital signature check. If the driver has not been digitally signed, Windows won’t allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malwares aren’t usually signed – at least, they shouldn’t be.
The second technique used by Microsoft Windows to prevent kernel mode drivers from alterating Windows kernel behavior is the infamous Kernel Patch Protection, also known as PatchGuard. This security routine blocks every kernel mode driver from alterating sensitive areas of the Windows kernel – e.g. SSDT, IDT, kernel code.
These two techniques combined together allowed x64 versions of Microsoft Windows to be much better protected against kernel mode rootkits.
The first attempts of breaking this Windows security had been run by Whistler bootkit, a framework bootkit sold in the underground and able to infect both x86 and x64 versions of Microsoft Windows.
But this TDL3 release can be considered as the first x64 compatible kernel mode rootkit infection in the wild.
The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.