Forensic examination of TDL4 infected computers
It all started with the fact that at the beginning of last summer we had a number of tasks related to the quick extraction of a hidden container of the Win32 / Olmarik rootkit file system, then in the TDL3 version. With a little thought, we developed the first version of the TdlFsReader utility that handles TDL3 and TDL3 +. After some time, it was published in the public domain and helped a lot in the tasks of forensic examinations. However, at the end of summer, the fourth version of this rootkit appeared, which already had fundamental differences in the file system: now it was more like a full-fledged file system.
And we delved into the study of the new version of the rootkit, because it was fundamentally different from the previous one. After some time, the internal version of TdlFsReader was updated. And last month we had a chance to speak at the wonderful CONFidence'2011 conference in Krakow, where the report “ Defeating x64: The Evolution of the TDL Rootkit ” was presented and within the framework of which a new version of TdlFsReader was presented (hxxp: //eset.ru/tools /TdlFsReader.exe).
So, now we’ll tell you more about the tool itself. Actually, the new version is able to cope with all known modifications at the time of publication. And this is TDL3 / 3 + / 4, and copes not only with x86 versions, but also x64.
Now a little about the architecture of TdlFsReader, actually it is divided into two parts, the one in the kernel and the one not :)
The main point is determining the rootkit version, removing the mechanisms that oppose the analysis, and only then gaining access to the file system and its analysis.
Well, as a bonus - another video with debugging bootkit code in TDL4, which, in fact, bypasses the verification of digital signatures in drivers for x64 systems.
And we delved into the study of the new version of the rootkit, because it was fundamentally different from the previous one. After some time, the internal version of TdlFsReader was updated. And last month we had a chance to speak at the wonderful CONFidence'2011 conference in Krakow, where the report “ Defeating x64: The Evolution of the TDL Rootkit ” was presented and within the framework of which a new version of TdlFsReader was presented (hxxp: //eset.ru/tools /TdlFsReader.exe).
So, now we’ll tell you more about the tool itself. Actually, the new version is able to cope with all known modifications at the time of publication. And this is TDL3 / 3 + / 4, and copes not only with x86 versions, but also x64.
Now a little about the architecture of TdlFsReader, actually it is divided into two parts, the one in the kernel and the one not :)
The main point is determining the rootkit version, removing the mechanisms that oppose the analysis, and only then gaining access to the file system and its analysis.
Well, as a bonus - another video with debugging bootkit code in TDL4, which, in fact, bypasses the verification of digital signatures in drivers for x64 systems.