TDL4 Rootkit Bypasses Windows Code-Signing Protection

In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection.


The functionality is contained in TDL4, the latest version of an older rootkit also known as TDSS and Alureon. TDSS has been causing serious trouble for users for more than two years and is an example of a particularly pernicious type of rootkit that infects the master boot record (MBR) of a PC. This type of malware is often referred to as a bootkit and can be extremely difficult to remove once it is detected, because its code runs before the operating system and any security software installed on it. The older versions of TDSS (TDL1, TDL2 and TDL3) are now detected by most antimalware suites, but TDL4 is the one causing the most trouble at the moment.

TDL4 includes a specific routine designed to bypass the Windows Vista and Windows 7 protection that requires kernel-mode code to be digitally signed before it is loaded. The kernel-mode code signing policy is enforced mainly on 64-bit editions of Windows.

“Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator,” Microsoft says in its explanation of the functionality.

The TDL4 rootkit evades this protection by altering the boot process on infected machines, according to an analysis of TDL4 by Sunbelt Software. It does so by modifying, in memory, the boot option that tells the Windows loader how strictly to validate the binaries it loads at boot time, so that an unsigned component is accepted.

“The boot option is changed in memory from the code executed by the infected MBR. The boot option configures the value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version of the normal kdcom.dll that ships with Windows,” Sunbelt’s Chandra Prakash wrote in the TDL4 analysis.

“The rootkit also disables debuggers by NOP’ing debugger activation functions as described below. This makes reverse engineering this rootkit very difficult! The KdDebuggerInitialize1 function in infected kdcom.dll, called during normal execution of the system, installs the rootkit, which hooks the IRP dispatch functions of the miniport driver below the disk to hide its malicious MBR.”
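Because the rootkit hooks the disk miniport's IRP dispatch to hide its MBR, any sector read issued from inside the infected Windows installation returns whatever the rootkit chooses to show. The practical consequence is that an MBR check has to be done from outside that OS: boot rescue media, save sector 0 (for example `dd if=/dev/sda of=mbr.bin bs=512 count=1` from a Linux live system) and compare it with a baseline taken when the machine was known clean. The script below is an added example for this article, not code from Sunbelt, Microsoft or the TDL4 analyses; it parses a raw 512-byte MBR, validates its layout and compares the boot-code region against a known-good SHA-256. The two sector images and the baseline hash are constructed for the demonstration.

```python
"""Offline MBR baseline check for bootkit triage.

Added example, not code from the article or the analyses it quotes.  Reads a
512-byte sector image captured from OUTSIDE the suspect OS (e.g. saved from
rescue media with `dd if=/dev/sda of=mbr.bin bs=512 count=1`), validates the
MBR layout and compares the boot-code region with a known-good SHA-256.
The sector images below are constructed for the demo; the baseline hash is
derived from the constructed "clean" image.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings as strings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: "
                        f"{info['boot_code_sha256'][:16]}... vs {baseline_sha256[:16]}...")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def _build_sector(boot_code: bytes) -> bytes:
    """Constructed demo MBR: given boot code, one active NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, type 0x07 (NTFS)
    table = entry + b"\x00" * 48                                 # three empty slots
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed samples: a "known-good" sector, and one whose boot code was swapped
# while the partition table was left untouched so the machine still boots normally.
CLEAN_MBR = _build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 50)     # hypothetical clean stub
INFECTED_MBR = _build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\xcc" * 50)  # hypothetical patched stub
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, audit_mbr(sector, BASELINE_SHA256) or "OK: matches baseline")
```

To use it on a real disk, read `mbr.bin` into `sector` and pass the SHA-256 you recorded from the same disk when it was trusted; a differing hash is a lead to investigate, not proof of TDL4, since legitimate boot managers also rewrite the boot code.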

Joe Johnson of Microsoft presented a talk about Alureon at the Virus Bulletin conference earlier this year and discussed the rootkit’s low-level capabilities. The presentation addresses the rootkit’s ability to get the Windows kernel to load a fake version of the legitimate kdcom.dll, but notes that the malware does not actually bypass Kernel Patch Protection. It doesn’t have to: KPP guards the kernel’s own code and critical data structures against patching; it does not inspect every driver that gets loaded. Instead, Alureon patches the Windows Boot Configuration Data so that the loader believes it is starting Windows PE, the preinstallation environment, rather than a normal Windows installation, and in that mode the code integrity checks are not performed.
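Both analyses above come down to one boot-configuration value being weakened: Sunbelt describes the validation policy being lowered, and the Microsoft talk describes the loader being told it is starting Windows PE. A practitioner's first instinct is to check the boot entry for options that relax integrity checking, and the script below does that over the text of `bcdedit /enum {current}` (run from an elevated prompt). It is an added example for this article, not code from Microsoft or Sunbelt; the two bcdedit outputs are constructed, and the option names it inspects (`nointegritychecks`, `testsigning`, `winpe`, `loadoptions`) are the bcdedit names for the relevant settings. The caveat comes straight from the article: TDL4 changes the option in memory from the infected MBR's code, so the on-disk store that bcdedit prints can stay clean. A clean result rules out persistent tampering, it does not prove the last boot was clean, and bcdedit run on the suspect machine trusts a kernel the rootkit may control.

```python
"""Audit Windows boot entries for integrity-weakening BCD options.

Added example for this article, not code from Microsoft or the analyses it
quotes.  Input is the text printed by `bcdedit /enum {current}` (or
`bcdedit /enum all`); output is the list of options that relax winload's
code integrity checks.  The two outputs below are constructed for the demo.

Caveat: TDL4 patches the option in memory, so the on-disk store shown by
bcdedit may look clean on an infected machine.  This catches persistent
tampering (and forgotten test-signing setups), nothing more.
"""
import re

# bcdedit option names and the values that weaken code integrity enforcement.
SUSPICIOUS_OPTIONS = {
    "nointegritychecks": lambda v: v.lower() == "yes",
    "testsigning": lambda v: v.lower() == "yes",
    "winpe": lambda v: v.lower() == "yes",  # WinPE mode, the trick described above
    "loadoptions": lambda v: "DISABLE_INTEGRITY_CHECKS" in v.upper(),
}

# "option<two or more spaces>value"; section headers like "Windows Boot Loader"
# have single spaces and therefore do not match.
_OPTION_LINE = re.compile(r"^(\S+)\s{2,}(.+?)\s*$")


def parse_bcdedit(text: str) -> dict:
    """Return {identifier: {option: value}} for every entry in bcdedit output."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) == {"-"}:
            continue                      # blank line, or the dashes under a header
        m = _OPTION_LINE.match(line)
        if not m:
            current = {}                  # section header starts a new entry
            continue
        if current is None:
            current = {}
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "identifier":
            entries[value] = current
    return entries


def audit_bcd(text: str) -> list:
    """Findings as 'identifier: option=value'; an empty list means nothing flagged."""
    findings = []
    for ident, opts in parse_bcdedit(text).items():
        for opt, is_bad in SUSPICIOUS_OPTIONS.items():
            if opt in opts and is_bad(opts[opt]):
                findings.append(f"{ident}: {opt}={opts[opt]}")
    return findings


# Constructed sample: a typical Windows 7 boot entry with no integrity options set.
CLEAN_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
"""

# Constructed sample: the same entry with persistent integrity-weakening options.
TAMPERED_OUTPUT = CLEAN_OUTPUT + r"""nointegritychecks       Yes
winpe                   Yes
loadoptions             DISABLE_INTEGRITY_CHECKS
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(name, audit_bcd(text) or "OK: no integrity-weakening options")
```

On a live system, pipe the real output in (`bcdedit /enum all > bcd.txt`, then read the file) and treat any finding on an entry you did not deliberately configure as grounds for an offline MBR and boot-file review.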

Earlier versions of the TDL/TDSS rootkit were used in affiliate marketing programs and black hat SEO campaigns; they also were part of botnets and had specific functionality designed to hide other malware programs. An analysis of the first three versions of TDL/TDSS by Kaspersky Lab researchers showed that the rootkit is not only quite advanced but is under continuous development and refinement by a motivated, talented crew.

“Given that the cybercriminals have put considerable effort into continuing to support this malware, fixing errors, and inventing various techniques for bypassing signature-based, heuristic and proactive detection, TDSS is capable of penetrating a computer even if an antivirus solution is installed and running. The fact that bot communication with the C&C is encrypted makes it significantly more difficult to analyze network packets. An extremely powerful rootkit component hides both the most important malware components, and the fact that the computer has been infected. The victim machine becomes part of a botnet, and will have other malware installed to it. The cybercriminals profit by selling small botnets and using blackhat SEO,” Sergey Golovanov and Vyacheslav Rusakov wrote. “As long as a malicious program is profitable, cybercriminals will continue to support and develop it.”

  • Anonymous on

    Why can't Microsoft and hardware vendors combine to offer a hard drive with a physical write-lock on a disk?  Drives used to have a write-lock jumper.   Install OS to hard disk then physically write protect the hard drive.   Install user realm crap on a separate drive.  I would give anything not to have to disinfect a freaking Windows OS ever again!

  • Anonymous on

    Windows needs to turn into a flashable ROM: faster boot, higher protection from this stuff.

  • P Crowley on

    When users cooperate by installing untrusted software, pretty much you can count on malware winning.


    The real hoot is that Windows XP and later have a registry setting (really in the security policy) which disallows running any unsigned executable.  This would go a long way to preventing infections.  However, Microsoft Office applications and plenty of Windows executables are not signed by Microsoft.  So this option cannot be turned on by anyone really using their computer.


    Both Windows and Linux are designed to need an "administrator" that is responsible for maintaining the machine, someone who is entrusted to install software and generally take care of things.  Today, most non-corporate machines are left up to the user to "administer" as best they can, which is badly.  The end result is predictable.  About the only real solution today is the iPad and things like it - utterly locked down so that only approved applications can be installed and absolutely zero administration required.  Safe, usable appliances for users and not general-purpose computers.

  • Anonymous on

    P Crowley wants to sound knowledgeable, but he/she isn't.

    MS Office executables are signed, as are all Windows executables from MS. Vista and Windows 7 run most user software using a "restricted rights" token, so that administrator rights are not available by default. That's the point behind UAC, and those prompts asking if a particular program should be allowed to do something.

    I suggest P Crowley spend a little more time in self-education, and a little less spouting misinformation...

  • MeMyselfAndI on

    as of now, i've never had any problems with windows malware and will never have. coz i've never ever used this inferior malware windows. neither should you. go for ubuntu, the superior os. the only os without malware, infections, rootkits and other whatsoever windows-only specialities.

  • Conrado on

    "Microsoft has introduced a number of new security features"

    Why always introduce new features? If just micro$oft fixed the old ones, windows could one day be a good software.

  • Mike on

    Why can't someone use this functionality to allow Windows users to take legitimate control of their machines?  The whole Code Integrity "feature" that Microsoft added was not for security, but to satisfy the DRM requirements of High Def video crowd.  It's designed to prevent one from easily ripping a high def video stream en route to your monitor.  It is disappointing that the freedom to tinker community has so far been cowed by Microsoft and its legal threats giving the rootkit makers the only ones offering this sort of technology. 

  • e on

    There is already functionality in Vista that prevents this type of attack. It's called BitLocker in conjunction with a TPM chip. If the MBR gets changed the system will refuse to boot.

  • e on

    In Vista means "starting with Vista". That includes Windows Server 2008, Windows 7, etc. Stating the obvious.

    Oh, of course it doesn't work on XP nor Win2k nor win9x nor DOS. For those I am sorry I don't have a real solution.

  • Kooberfacer on

    In the end the weakest link is still the human being. You can squawk all you want about Linux, Ubuntu, or Windows but none of them are secure if the user continues to use software that is not digitally signed, comes from a trusted source, or porn. Porn is the biggest and most used way for malicious software to get on a system.

    I use both systems but I favor Windows since most of my apps run well with it. Linux is for users who want to configure EVERYTHING manually. Most folks don't have the time to do this since time with family, friends, and a life outside the internet takes priority.
