TDL3: The Rootkit of All Evil?
TDL-3's been "in the wild" for some time (2008?) from everything I can tell,
but this weekend was the first time I've run across it. I'm posting this
because I was altogether unable to get a handle on this thing until I got
this client's desktop on the bench, and to make others aware there are
increasingly sophisticated rootkits out there.
My SOP (standard operating procedure, aka SOB) simply was not fixing this
thing. I'd run Spybot and Malwarebytes only to have them come up clean.
Antivir would clean malicious files, a dozen in one day at one point, but also
seemed unable to get to the root (no pun intended) of what was going on.
Basically what was occurring was this client's PC would get reinfected, and
was running slow as well as suffering redirects from a Google search page (a
primary symptom it turns out).
Combofix, my "last resort" app found it, supposedly removed it on a reboot,
only to have the thing return. There's a dropper in there somewhere. Finally
I found a Kaspersky tool, which is available here:
Running TDSSkiller turned up the rootkit as HD0, which is unusual to say the
least. I did run a system file check ("sfc /scannow" from the Windows shell)
after finally getting this thing cleaned out as insurance. The computer I was
working on was a 32 bit XP install, but this also infects 64 bit systems supposedly.
ESET's got a whitepaper out on the rootkit and how it works. It apparently
disguises itself as hardware.
And here's another white paper from Kaspersky's techs: