TDL4 Rootkit – New Variant manipulates Windows kernel vulnerability CVE-2013-3660
The TDL4 rootkit is one of the most advanced pieces of malware in circulation, and it can hide stealthily within the operating system. A new variant can exploit the new CVE-2013-3660 vulnerability. This gives it access to the Windows kernel and the ability to bypass detection by almost all antivirus products and security defenses.
QUOTE: Kernel mode rootkits are more viable than has been realized and could be used to bypass more or less any security product in existence. Researchers at Bromium discovered this after conducting a proof-of-concept attack using a modified variant of the infamous TDL4 malware. Due to be presented in more detail by the firm at this week’s Security BSides event in London, the research involved ‘tweaking’ the TDL4 variant that had appeared to take advantage of the Windows kernel privilege zero day (CVE-2013-3660), discovered in June last year. With a new payload, what this created was something lethal enough to overcome a variety of security layers the team tested against it such as antivirus, sandboxes and intrusion prevention, making it a sort of “Swiss Army knife” attack hiding behind ring zero.