
Check Point Provides Network Protection Against TDLv4 Rootkit Malware


Summary

A new "TDLv4" version of the TDSS rootkit, which was first discovered in 2008, has infected over 4.5 million machines worldwide as of April 2011. Infected machines are joined to a botnet that can be used for malicious purposes such as mounting network/endpoint attacks, installing additional malware on the infected systems, distributing "spam" emails, and exfiltrating user data.

Details

TDLv4 uses a number of sophisticated components, including rootkit technology and encryption, and leverages a public P2P file exchange service (Kad) to distribute system control commands to the botnet made up of TDLv4-infected machines.

TDLv4 installs itself as a rootkit, which means it executes before the system's operating system is loaded, making the malware difficult or impossible for conventional antivirus/anti-malware utilities to detect. It even has its own antivirus component that removes competing malicious programs such as ZeuS.
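Because the malware runs before the operating system loads, one check a defender can perform from outside the running system (or from a clean boot environment) is to compare the disk's boot sector against a trusted baseline. The following is an added example written for this page, not Check Point's detection method and not code from the advisory. It hashes the boot-code region of a 512-byte sector, verifies the 0x55AA boot signature, and reports any deviation; the sample sectors are constructed here for demonstration, and the physical-drive path is an assumption that requires administrator rights on a real Windows host.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 are boot code; the partition table follows
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def boot_code_sha256(sector: bytes) -> str:
    """Hash only the boot-code region so partition-table edits do not raise alarms."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_boot_sector(sector: bytes, baseline_sha256: str) -> dict:
    """Compare a captured boot sector against a trusted baseline hash.

    Returns a dict with the observed hash, a clean flag and a list of findings.
    """
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("unexpected sector length %d" % len(sector))
    elif sector[-2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_sha256(sector)
    if digest != baseline_sha256:
        findings.append("boot code differs from trusted baseline")
    return {"sha256": digest, "clean": not findings, "findings": findings}


def read_physical_boot_sector(path=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk (assumed path; needs admin on Windows)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sample data: a minimal "known good" sector and a tampered copy.
KNOWN_GOOD_SECTOR = (
    b"\xeb\x3c\x90"                        # typical jump over the BPB
    + b"\x00" * (SECTOR_SIZE - 3 - 2)      # padding up to the signature
    + BOOT_SIGNATURE
)
BASELINE_SHA256 = boot_code_sha256(KNOWN_GOOD_SECTOR)

_tampered = bytearray(KNOWN_GOOD_SECTOR)
_tampered[0:3] = b"\xe9\x00\x01"           # constructed: boot code redirected elsewhere
TAMPERED_SECTOR = bytes(_tampered)


if __name__ == "__main__":
    for label, sector in (("known-good", KNOWN_GOOD_SECTOR), ("tampered", TAMPERED_SECTOR)):
        result = check_boot_sector(sector, BASELINE_SHA256)
        print(label, "clean" if result["clean"] else result["findings"])
```

The baseline hash should be captured once from a machine known to be clean (or from the vendor's boot code) and stored off the host; a differing hash is a signal to investigate, not proof of infection, since legitimate boot-loader updates also change the boot code.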

As of June 2011, the TDL-4 botnet has been used to distribute nearly 30 additional malicious programs to infected machines since the beginning of the year.

More information can be found in this detailed technical analysis.

Affected Systems

Both 32-bit and 64-bit systems are vulnerable to this threat.

Solution

Check Point's IPS Software Blade provides protection at the network level in the latest IPS update by detecting and blocking HTTP requests to download this trojan. For more information see CPAI-2011-323.


Originally Published:

Last Updated: 12-Jul-2011
