Select Page

In the blizzard of patches, which has been well covered elsewhere, it’s worth noting one extra thing.

Last November, we blogged about how the TDL4 rootkit gets around driver signing:

The TDL4 rootkit bypasses driver signing policy on 64-bit machines by changing the boot options of Microsoft boot programs that will allow an unsigned driver to load.

The boot option is changed in memory from the code executed by infected MBR. The boot option configures value of a config setting named ‘LoadIntegrityCheckPolicy’ that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file. The rootkit dll is kdcom.dll, which is an infected version normal kdcom.dll that ships with Windows.

The rootkit also disables debuggers by NOP’ing debugger activation functions as described below. This makes reverse engineering this rookit very difficult! The KdDebuggerInitialize1 (see below) function in infected kdcom.dll called during normal execution of the system installs the rootkit, which hooks the IRP dispatch functions of miniport driver below the disk to hide its malicious MBR.

It appears that at least part of this vulnerability has been patched. From the Technet blog:

The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. It is an update available on WU and WSUS, pushed out automatically to customers who have opt-in to Automatic Updates.

Alex Eckelberry
(Thanks Chandra)