New TDL4 rootkit successfully hiding from AV
A new variant of TDL4 has been identified, and it is now ranked as the second most prevalent malware strains within two months since detection.
The characteristics are similar to the iteration of the TDL4 rootkit, detected by Damballa a month ago. Damballa picked it up through its network behavioural analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication.
Since Damballa could only determine the existence of the new malware by looking for domain fluxing, it was concluded that no binary samples of the new malware had been identified and categorised by commercial antivirus products operating at the host or network levels.
HitmanPro, however, has detected Sst.c – also known as Maxss, a modification of the TDL4 strain and it is spreading fast.
This new variant is capable of infecting the Volume Boot Record (VBR) (also known as Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware.
Joseph Souren, Vice President and GM Wave Systems EMEA, has provided the following commentary:
“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.
Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc damaging the network. It also reduces the window of detection for the enterprise to contain the threat.
The best defence is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of critical start-up components of the machine, and the ones that are most important are used early in the boot process before the antivirus initiates.
By utilising TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible for traditional malware scanning software. The IT manager is alerted when unwanted changes are detected.
It’s undoubtedly not the last we will hear of these types of Advanced Persistent Threats (APT) and activating and managing embedded hardware security is the only way to detect these attacks early enough to prevent damage to the network.