TDL3, the first Windows x64 compatible kernel mode rootkit infection in the wild, is here!

The TDL3 rootkit is one of the most advanced rootkits ever seen in the wild. The rootkit was stable and could infect 32-bit Windows operating systems, although administrator rights were needed to install the infection on the system.

TDL3 has now been updated, and this time it is a major update: the rootkit is now able to infect 64-bit versions of the Microsoft Windows operating system!

x64 versions of Windows are considered much more secure than their 32-bit counterparts because of some advanced security features intended to make it more difficult to get into kernel mode and hook the Windows kernel.

Windows Vista 64-bit and Windows 7 64-bit don’t allow every driver to get into the kernel memory region, due to a very strict digital signature check. If the driver has not been digitally signed, Windows won’t allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malware isn’t usually signed – at least, it shouldn’t be.

The second technique used by Microsoft Windows to prevent kernel mode drivers from altering Windows kernel behavior is the infamous Kernel Patch Protection, also known as PatchGuard. This security routine blocks every kernel mode driver from altering sensitive areas of the Windows kernel – e.g. the SSDT, the IDT, and kernel code.

These two techniques combined allowed x64 versions of Microsoft Windows to be much better protected against kernel mode rootkits.
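A defender-side check that follows from the driver-signing point above, added here as an example rather than taken from the original post: it lists the currently running kernel drivers whose Authenticode signature is missing or invalid, which on x64 Windows should normally be an empty list. It assumes Windows with PowerShell 3 or later (for `Get-CimInstance`) and that the driver image paths reported by WMI can be resolved on disk.

```powershell
# Added example (not from the original post): report running kernel drivers
# whose Authenticode signature is not valid. On x64 Windows an unsigned driver
# should not be loadable at all, so any hit deserves a closer look.
# Caveat (assumption): catalog-signed Microsoft drivers can report NotSigned on
# older PowerShell versions, so treat results as leads to verify, not as proof.

function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                  # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # expand "\SystemRoot\..."
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"  # relative form
    return $p
}

$findings = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'All running drivers carry a valid Authenticode signature.'
}
```

Run it from an elevated PowerShell prompt so every driver image is readable; drivers whose path cannot be resolved are skipped rather than reported.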

The first attempts at breaking this Windows security were made by the Whistler bootkit, a bootkit framework sold in the underground and able to infect both x86 and x64 versions of Microsoft Windows.

But this TDL3 release can be considered the first x64 compatible kernel mode rootkit infection in the wild.

The dropper is currently being distributed by the usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as has happened with current TDL3 infections.

Read more at Prevx.

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP.

2 Comments

  1. I am not in the least concerned about these rootkits as far as my own computers are concerned. Why?

    Key information:

    “The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.”

    Folks who visit porn and crack sites are just itchin’ to infect themselves with something. Risky behavior almost assures self-infection. And “exploit kits” pretty much depend on users browsing with poorly-maintained systems that have outdated anti-malware, unpatched OSes and insecure browsers, and users themselves who need their computing practices “patched” and updated. *heh*

    Users needing behaviors “patched”? Here’s the final damning fact: “administrator rights were needed to install the infection in the system.” IOW, these require user intervention to install. Users who routinely circumvent or ignore Windows’ built-in nag about whether to install a requested app are also just asking to infect themselves with malware, as much as–or more than–users who routinely visit porn or crack sites.

    While browsing, etc., in a sandbox can make many of these sorts of malware trivial dangers, simple safe computing practices are just as effective, IMO and have prevented malware installation on all my own network’s computers for nearly 20 years–since before the web even evolved. (“It ain’t paranoia if they really are out to get you,” is a good basis for safe computing practices. :-))

  2. Ahinigami

    @David
    TL;DR: I don’t really see any problem with surfing porn websites or crack sites, as it’s what the “USER” itself desired. “Folks who visit porn and crack sites are just itchin’ to infect themselves with something” – I seriously don’t think you have the right to criticize other people’s behavior, as that is their freedom. I rarely visit porn sites or download porn, so I’ve never experienced getting a virus from downloading porn, nor am I itching to infect myself with something.

    To sum up everything, I don’t really think you should criticize people’s behavior of surfing porn and crack sites and brag about not being infected for the past 20 years. What you’re doing is nothing like an arrogant kid who thinks he is so high and mighty (acting) to have never surfed porn and crack sites (my assumption based on your post, and yes I might be wrong, sorry for that). I know you’re talking about something security-related, but as stated above, TL;DR.

    Btw, I do feel (slightly) ashamed of myself for my “ENGRISH” (yeah, I know my English is bad), for surfing porn sites because I’m only 17 now and I started that 3 years ago, and for acting like a smart ass and criticizing people’s behavior.

    P.S: I apologize if my post offends anyone directly or indirectly, but I just felt the “URGE” to ramble my thoughts out.
