TDL3 - Why so serious? Let's put a smile on that face ...
TDL or TDSS family is a famous trojan variant for its effectiveness and active technical development. It contains couple compoments: a kernel-mode rootkit and user-mode DLLs which performs the trojan operation such as downloaders, blocking Avs, etc,. Since the rootkit acts as an “injector” and protector for the usermode bot binaries, almost all technical evolutions of this threat family focus on rootkit technology so as to evade AV scanners.
As in its name, TDL3 is 3rd generation of TDL rootkit which still takes its aims at convering stealthy existences of its malicious codes. Beside known features, this threats is exposed with a couple of impressive tricks which help it bypassing personal firewall and staying totally undetected by all AVs and ARKs at the moment. These aspects and techniques will be discussed in more detail in the sections that follow.
You can read the full article here:
And PDF version:
I hope this analysis would shed some light on darkest part of this brand new and truly effective & widespread rootkit/bot. I'm looking forward hearing feedback and discussion from you guys
-Nguyen Pho Son aka thug4lif3