Description: In this video I'll show you how the new TDL4 rootkit uses an infected PC as a proxy server. This is one of the main features of the TDL4 rootkit.
Q1 2011 was the most active first quarter in malware history. One of the most dangerous threats is TDL4, which is claimed to support all versions of Microsoft Windows from XP up to and including Windows 7 SP1, on both x86 and AMD64 (EM64T).
TDL4 (Alureon?) is the fourth generation of the TDSS rootkit, which hides itself on a system by infecting system files/drivers such as atapi.sys, a common target because it loads early in the boot process and is difficult to detect. Newer variants, however, can target a number of other legitimate drivers in the Windows drivers folder as well as the Master Boot Record (MBR). Common symptoms/signs of this infection include:
• Google search results redirected as the malware modifies DNS query results.
• Infected (patched/forged) files in the Windows drivers folder.
• Infected Master Boot Record.
• Slowness of the computer and poor performance.
• Fake alerts indicating the computer is infected.
• Internet Explorer opening on its own.
• BSODs as described in this article.
The TDSS botnet, now in its fourth generation, is seriously sophisticated malware. It is the first response of the rootkit's authors to Microsoft's KB2506014 patch of a couple of weeks ago. This is a game of move and counter-move, and the latest development is not unexpected. The people who work on this rootkit aren't going to give up, and they are technically extremely capable. This one will run and run... and the rest of us just have to hope that TDL4 stays away from our systems, because the only sure way to get rid of it is to take out your hard drive and drop it down a very deep hole. Hmm... as part of an information security team I shouldn't say this.
A brand new plug-in for TDL4, kad.dll (Win32/Olmarik.AVA), implements a particularly interesting network communication protocol. Kad.dll is intended to be injected into the 32-bit svchost.exe process. The main purpose of the module is to download and execute other malicious software on the infected system. Although there is nothing new in its functionality, it differs drastically from cmd32.dll and cmd64.dll in the way it receives commands and additional modules. In contrast to other known plug-ins, which obtain bot instructions from C&C servers listed in a configuration file, kad.dll relies on a P2P (peer-to-peer) network formed by other bots. It is the Kademlia Distributed Hash Table (DHT) P2P protocol that kad.dll implements in order to talk with peers over the network. In contrast to a client-server architecture, where there is a list of dedicated C&C (Command and Control) servers that the bots should talk to, in a P2P network all the peers are equivalent: that is, each node is a C&C server and a bot at the same time. As there is no single point from which bots in a P2P botnet are coordinated, such botnets are much more resistant to takedowns than client-server botnets.
The Kad protocol is a kind of DHT protocol in which information is stored as (key, value) pairs. The key is the MD4 hash of the value, which can be a file, a keyword (part of a file name) or a node ID. The resulting hash table is distributed among the peers. Communication between peers takes place over TCP and UDP: TCP is used to transmit a file from one node to another, while UDP is used to search for files and other peers in the P2P network.
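To illustrate why a Kad-style DHT has no single point to take down, here is a hypothetical mini-DHT in Python (an added example, not code from the video, from TDL4 or from the Kad implementation): Kademlia's XOR distance metric, replication of a (key, value) pair on the k closest peers, an iterative lookup, and a takedown of single peers. All class and function names are assumptions, and MD5 stands in for MD4 on Python builds that no longer ship MD4.

```python
import hashlib
from typing import Dict, List, Optional

# Hypothetical mini-DHT (assumption, not TDL4 or Kad code). Kad keys are the MD4 hash
# of the value; Python builds without MD4 fall back here to MD5 (also 128-bit wide).
def kad_id(value: bytes) -> int:
    try:
        h = hashlib.new("md4", value)
    except ValueError:
        h = hashlib.md5(value)
    return int.from_bytes(h.digest(), "big")

def xor_distance(a: int, b: int) -> int:
    return a ^ b  # Kademlia's notion of "closeness" between 128-bit IDs

class Peer:
    def __init__(self, name: bytes):
        self.node_id = kad_id(name)
        self.store: Dict[int, bytes] = {}  # (key, value) pairs this peer holds
        self.contacts: List["Peer"] = []  # routing table, a simplified k-bucket
    def closest(self, key: int, k: int) -> List["Peer"]:
        return sorted(self.contacts + [self], key=lambda p: xor_distance(p.node_id, key))[:k]

class KadNetwork:
    def __init__(self, names: List[bytes], k: int = 3):
        self.k, self.peers = k, [Peer(n) for n in names]
        n = len(self.peers)  # each peer knows only its three ring successors
        for i, p in enumerate(self.peers):
            p.contacts = [self.peers[(i + j) % n] for j in (1, 2, 3)]
    def publish(self, value: bytes) -> List[Peer]:
        """Replicate value under key = hash(value) on the k peers closest to that key."""
        key = kad_id(value)
        holders = sorted(self.peers, key=lambda p: xor_distance(p.node_id, key))[: self.k]
        for p in holders:
            p.store[key] = value
        return holders
    def lookup(self, start: Peer, key: int) -> Optional[bytes]:
        """Iterative lookup: ask the closest unqueried contact until a holder answers."""
        queried, candidates = set(), [start]
        while candidates:
            p = min(candidates, key=lambda x: xor_distance(x.node_id, key))
            candidates.remove(p)
            queried.add(p)
            if key in p.store:
                return p.store[key]
            candidates += [q for q in p.closest(key, self.k) if q not in queried and q not in candidates]
        return None
    def takedown(self, peer: Peer) -> None:
        """Drop one peer, as seizing or sinkholing that single host would."""
        self.peers.remove(peer)
        for p in self.peers:
            p.contacts = [q for q in p.contacts if q is not peer]
```

Removing any one replica holder leaves the value retrievable from any surviving peer; only removing every holder makes the lookup fail, which is the takedown-resistance the text describes.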
Tags: rootkit, proxy, malware
Actually the TDL4 rootkit copies Stuxnet, targets Windows users.
Read this interesting article :D
http://searchsecurity.techtarget.com/news/1524816/TDL4-rootkit-copies-Stuxnet-targets-Windows-users