Security Protection – Harry Waldron MVP

TDL Rootkit – New variant uses Google Chrome application framework for control

This new variant relies on the legitimate Chromium Embedded Framework (CEF), the open-source browser library behind Google Chrome: it downloads the 50 MB framework and drives its browser components under the rootkit's own control.

http://www.symantec.com/connect/blogs/new-tidserv-variant-downloads-50-mb-chromium-embedded-framework

QUOTE: Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time a piece of malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do. The CEF provides a Web browser control based on the Google Chromium project. This allows developers to build applications that include Web browser windows. The CEF libraries perform all of the functionality required to run the browser, such as parsing HTML or parsing and executing JavaScript.
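The practical lesson of the Symantec write-up is that the framework itself is legitimate and validly signed, so a signature or hash check on the CEF library says nothing; the signal is which process loads it and from where. The following is an added example, not code from the Symantec post or from this blog: a small Python hunt over Sysmon ImageLoad (Event ID 7) records that flags libcef.dll (the main CEF library) when it is loaded by a process outside a hypothetical allowlist of known CEF hosts, or from a user-writable directory, or without a valid signature. The allowlist, the path markers and the three log records are constructed for illustration and are not real telemetry.

```python
"""Hunt for the Chromium Embedded Framework (libcef.dll) being loaded by
processes that are not known CEF hosts, using Sysmon Event ID 7 (ImageLoad)
records exported as newline-delimited JSON.

Added example for illustration; allowlist and log records are constructed."""

import json

CEF_DLL = "libcef.dll"

# Hypothetical allowlist of executables expected to embed CEF (example only).
# Compared case-insensitively against the full path in the Sysmon "Image" field.
KNOWN_CEF_HOSTS = {
    r"c:\program files\vendorapp\vendorapp.exe",
}

# Path fragments a user-level process can write to. A 50 MB browser framework
# sitting in one of these is worth a look even when its signature is valid.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
)

# Constructed Sysmon Event ID 7 records (one JSON object per line), in the
# shape a SIEM export might produce. These are NOT real telemetry.
SAMPLE_SYSMON_LOG = r"""
{"EventID": 7, "UtcTime": "2013-07-02 10:11:12.345", "Image": "C:\\Program Files\\VendorApp\\VendorApp.exe", "ImageLoaded": "C:\\Program Files\\VendorApp\\libcef.dll", "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2013-07-02 10:12:00.000", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\cef\\libcef.dll", "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"}
{"EventID": 7, "UtcTime": "2013-07-02 10:12:01.000", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
"""


def parse_sysmon_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_cef_load(event):
    """Return the reasons this ImageLoad record is suspicious ([] if none).

    Only Event ID 7 records whose loaded image is libcef.dll are considered;
    everything else is out of scope for this hunt and returns [].
    """
    if event.get("EventID") != 7:
        return []
    loaded = event.get("ImageLoaded", "")
    if basename(loaded) != CEF_DLL:
        return []

    reasons = []
    host = event.get("Image", "").lower()
    if host not in KNOWN_CEF_HOSTS:
        reasons.append("libcef.dll loaded by a process not on the CEF host allowlist")
    if any(marker in loaded.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("libcef.dll loaded from a user-writable directory")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("libcef.dll signature not valid")
    return reasons


def suspicious_cef_loads(events):
    """Run assess_cef_load over all records and collect the findings."""
    findings = []
    for ev in events:
        reasons = assess_cef_load(ev)
        if reasons:
            findings.append({
                "Image": ev["Image"],
                "ImageLoaded": ev["ImageLoaded"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_cef_loads(parse_sysmon_events(SAMPLE_SYSMON_LOG)):
        print(f"{f['Image']} -> {f['ImageLoaded']}")
        for r in f["reasons"]:
            print("   ", r)
```

Of the three constructed records only the second is flagged: a validly signed libcef.dll loaded by svchost.exe from a user's Temp directory. The first (the allowlisted vendor application loading CEF from Program Files) and the third (an ordinary kernel32.dll load) pass. In a real deployment the allowlist would be built from an inventory of CEF-based applications actually installed, and the hunt would run over the SIEM's Sysmon feed rather than an embedded string.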
