TDL4 Rootkit Bypasses Windows Code-Signing Protection

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.

TDL4In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.

The functionality is contained in TDL4, which is the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it’s detected. The older versions of TDSS–TDL1, TDL2 and TDL3–are detected by most antimalware suites now, but it’s TDL4 that’s the most problematic right now.

TDL4 has a specific function that is designed to bypass a protection in Windows 7 and Windows Vista that requires kernel-level code loaded onto a machine to be signed. The Windows kernel-mode code signing policy is mainly applicable on 64-bit machines.

“Starting with Windows Vista, kernel-mode code signing enforcement is
implemented by a component known as Code Integrity. Code Integrity is a
feature that improves the security of the operating system by verifying
the integrity of a file every time that the image of the file is loaded
into memory. The function of Code Integrity is to detect if an unsigned
driver is being loaded into kernel-mode, or if a system binary file has
been modified by malicious code that may have been run by an
administrator,” Microsoft says in its explanation of the functionality.

The TDL4 rootkit has implemented a feature that evades this protection by changing the boot process on protected machines, according to an analysis of TDL4 by Sunbelt Software. The rootkit accomplishes this by going in and modifying which programs Windows will allow to load an unsigned driver.

“The boot option is changed in memory from the code executed by infected
MBR. The boot option configures value of a config setting named
‘LoadIntegrityCheckPolicy’ that determines the level of validation on
boot programs. The rootkit changes this config setting value to a low
level of validation that effectively allows loading of an unsigned
malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an
infected version normal kdcom.dll that ships with Windows,” Sunbelt’s Chandra Prakash wrote in the TDL4 analysis.

“The rootkit also disables debuggers by NOP’ing debugger activation
functions as described below. This makes reverse engineering this rookit
very difficult! The KdDebuggerInitialize1  function
in infected kdcom.dll called during normal execution of the system
installs the rootkit, which hooks the IRP dispatch functions of miniport
driver below the disk to hide its malicious MBR.”

Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference earlier this year, and discussed the low-level capabilities of the rootkit. The presentation addresses the rootkit’s ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but says that the malware does not actually bypass Kernel Patch Protection. In fact, it doesn’t have to because KPP doesn’t inspect all loaded drivers, only the code used by the kernel. Alureon patches the Windows Boot Configuration Data to make the machine think that what’s loading is Windows PE, rather than a normal version of Windows, which prevents code integrity checks from being performed.

Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns. also were part of botnets and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced, but is under continuous development and refinement by a motivated, talented crew.

“Given that the cybercriminals have put considerable effort into
continuing to support this malware, fixing errors, and inventing various
techniques for bypassing signature-based, heuristic and proactive
detecting, TDSS is capable of penetrating a computer even if an
antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes
it significantly more difficult to analyze network packets. An extremely
powerful rootkit component hides both the most important malware
components, and the fact that the computer has been infected. The victim
machine becomes part of a botnet, and will have other malware installed
to it. The cybercriminals profit by selling small botnets and using
blackhat SEO,” Sergey Golavanov and Vyacheslav Rusakov wrote. “As long as a malicious program is profitable, cybercriminals will
continue to support and develop it.”

Suggested articles