Windows Remains Vulnerable to TDL4 Rootkit

Wednesday, November 17, 2010

Despite efforts to increase security in the most recent versions of Microsoft operating systems, they remain vulnerable to innovative bypass exploits.

Although there have been numerous patches released over the last two years to eliminate risks posed by TDSS rootkits, newer versions of the old foe keep surfacing faster than they can be mitigated.

How does the old adage go? Something like 'good security efforts always keep us one step behind the bad guys'?

The latest version of the TDSS rootkit, known as TDL4 and sometimes referred to as a "bootkit", manifests as an infection of the master boot record of the compromised PC and uses kernel-level code.
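Because a bootkit of this kind lives in the first sector of the disk, one defender-side check is to parse the MBR and compare its bootstrap code against a known-good hash. The following Python is an added example, not code from the original article: it parses the 512-byte MBR layout, hashes the 440-byte boot code, validates the partition table and trailing signature, and flags drift from a baseline; the sample MBR bytes are constructed here, while reading the real sector 0 (for instance from `\\.\PhysicalDrive0` with administrator rights) is left to the caller.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code precedes the 4-byte disk signature at offset 440
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"       # trailing boot signature at offset 510

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into its boot-code hash, partition table and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status byte, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:  # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": mbr[510:] == BOOT_SIG,
    }

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a known-good boot-code hash; return a list of findings (empty = clean)."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("unexpected number of active partitions")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR (not taken from any real disk) with one bootable NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6  # disk signature + reserved
    return body + entry + b"\x00" * 48 + BOOT_SIG

if __name__ == "__main__":
    clean = build_sample_mbr(b"BASELINE-BOOT-CODE")           # constructed stand-in for real boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]            # record this when the machine is known-good
    print(check_mbr(clean, baseline))                          # []
    print(check_mbr(build_sample_mbr(b"CHANGED"), baseline))   # ['boot code differs from baseline']
```

In practice the baseline hash is recorded while the system is trusted and the check is rerun from a clean boot medium, since a running rootkit can lie about what the disk contains.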

TDL4 exploits the conditions under which Windows permits unsigned drivers to load, manipulating what the operating system recognizes as being allowed to do so.

"Starting with Windows Vista, kernel-mode code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator," Microsoft explains.

Analysis of the malware indicates the code involved is highly sophisticated, evidence that cyber criminals are willing to devote considerable resources to development when there is the opportunity to readily profit from the endeavor.

The widespread use of Microsoft operating systems makes the targeting of Windows 7 and Vista machines very attractive.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.