Our friends at ESET have in-depth analyses of the TDSS rootkit, and from what they have observed lately, this nasty malware has evolved again; however, it's not the kind of evolution anyone might have expected:
"Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions. These changes might suggest one of the following: either the team developing the botnet has been changed, or TDL4 developers have started selling a bootkit builder to other cybercrime groups."

You can read more about it here on their official blog. By the looks of it, TDSS is becoming more and more sophisticated the longer its developers continue to improve on it.
Jovi Umawing