LinkBack URL
About LinkBacks
PrevX has just posted information about brand new x64 compatible TDL3 rootkit (version 0.02) found in the wild.
This TDL3 release can be considered as the first x64 compatible kernel mode rootkit infection in the wild.Source: PrevX BlogTo bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows startup routines, owns it, and load its driver. Both Windows security mechanisms are bypassed.
Results 1 to 10 of 44
Thread: ITW x64 TDL3 rootkit
- Experienced User
- Join Date
- May 2010
- Posts
- 3,271
- Liked
- 155 times
- Points
- 6,541
ITW x64 TDL3 rootkit
Windows 7 SP1 Ultimate x86 + KIS 2011 (11.0.2.556 b.a.c.d) + Sandboxie Paid (3.54) + Deep Freeze Standard (7.20.020.3398)
- Supernova
- Join Date
- Feb 2010
- Location
- Calcutta, India, India
- Posts
- 3,730
- Liked
- 667 times
- Points
- 48,426
Congrats to x64 users...
Every day brings a chance for you to draw in a breath, kick off your shoes, and dance.
- Digital Knight
- Join Date
- Feb 2010
- Location
- Troy, MO
- Posts
- 1,239
- Liked
- 1 times
- Points
- 11,871
Oh, frabjus joy!
What did we do to deserve this?"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." Einstein
- Experienced User
- Join Date
- May 2010
- Posts
- 3,271
- Liked
- 155 times
- Points
- 6,541
UAC/LUA + SRP are effective countermeasures. So no need to worry…
- Moderator
- Join Date
- Dec 2008
- Location
- Italy
- Posts
- 6,895
- Liked
- 1067 times
- Points
- 71,755
We had to expect it.t looks like someone got TDL3 sources and added bootkit infection to it. This is because the TDL3 rootkit is now targetting the Master Boot Record, as MBR rootkit did years ago and as Whistler Bootkit is currently doing.
A good reason more to keep Windows, Sun Java, Adobe Reader and Adobe Flash Player always up to date, to download software only from trusted sources avoiding P2P/filesharing and practicing a safe surfing.Last edited by leofelix; 08-27-2010 at 03:31 AM.
Roger and out
- Experienced User
- Join Date
- Jan 2010
- Location
- India
- Posts
- 2,665
- Liked
- 13 times
- Points
- 38,657
For using Windows
Originally Posted by Ande 
I'm the Beauty and you are the Beast.
- The Specialist *
- Join Date
- May 2010
- Location
- KOLKATA
- Posts
- 5,162
- Liked
- 731 times
- Points
- 47,580
Little bit late but finally it reaches x64
.
I don't need to know everything, I just need to know where to find it, when I need it.
- Modern-day Romeo
- Join Date
- Jul 2009
- Location
- Singapore, the "Little Red Dot" on the map
- Posts
- 6,159
- Liked
- 476 times
- Points
- 61,007
Simply avoid downloading/installing that "codec" when you relief your addition and make sure your browser runs with reduced right at the very least.Our Prevx community spotted the infecting dropper more than 9 days ago and we are now seeing new samples reported every day. This means the infection is spreading on the web, by using both porn websites and exploit kits.
Your prevention measure is right in front of your very own eyes.....something that many still refuse to adopt because of annoyances and repeated prompts but nevertheless if taken with a pinch of salt, may prove to be useful after all.The rootkit needs administrative privileges to infect the Master Boot Record. Even then, it still cannot load its own 64 bit compatible driver because of Windows's kernel security. So, the dropper forces Windows to immediately restart. This way, the patched MBR can do the dirty work.They call me the mysterious one...
my motto is...when it's hot, chill baby
- Experienced User
- Join Date
- Jun 2010
- Posts
- 1,494
- Liked
- 90 times
- Points
- 8,697
lol thx for complimenting ..Congrats to x64 users...
looks dangerous to me .. especially association with MBR ...
Love me , Hate me but you just can't Ignore me 
- Experienced User
- Join Date
- May 2010
- Posts
- 3,271
- Liked
- 155 times
- Points
- 6,541
It is actually dangerous. Next version will be more stable with more infection paths and damages. Originally Posted by :Neo:
Reply With Quote
Originally Posted by Ande 
Similar Threads
-
Mebromi: Here comes the first BIOS rootkit
By linked in forum Spyware/VirusesReplies: 10Last Post: 09-17-2011, 05:25 AM -
Rootkit.TmpHider
By Ceyfer √ in forum Spyware/VirusesReplies: 24Last Post: 08-02-2010, 05:02 AM -
MBR Rootkit!!!! Help ASAP!!!
By lilangel186 in forum Spyware/VirusesReplies: 6Last Post: 02-06-2010, 10:28 AM
