World's most advanced rootkit penetrates 64-bit Windows


Back to the 90s

I remember back when boot-sector viruses were the norm. Over the last 2 decades, this changed to infected EXEs, then email worms, then drive-by malware and then hidden services and rootkits. Over that time traditional antivirus vendors seems to have forgotten about bootsectors and MBRs and focus purely on file-level detection. Whoops. Round we go again. Considering how easily it is to compare the boot-region with a known good example, or indeed a previous backup of the current boot-region, it's damn negligent for the current generation of antivirus applications not to check for this!

I've personally had to clean TDL4 from a few clients' machines in the last few weeks - I have to say it's extremely impressive in its sophistication. Additionally, most of the TDL4 specific removal tools and my favourite ComboFix, which 'clean' the MBR, only replace the first chunk of the MBR and not the whole code, causing Vista, in particular, to go into a 0x0000008E endless loop on boot up. The fix for this seems to be to use 'Testdisk' to write a new MBR, which kills the boot process completely, then using the Vista CD, repair startup option to create a fresh boot-region.


Back to the forum


Biting the hand that feeds IT © 1998–2017