I carry out a routine check to see whether the user mode component also hooks into the Windows API. The
!chkimg command checks the current library functions against the Microsoft Symbol Server and is able to detect this kind of hook with a high degree of reliability. In checking the system libraries ntdll.dll and mswsock.dll, it reports an error which is almost certainly down to hooks. That's enough for now, I don't need to look into this any further.
Taken together, the facts of the case are enough for me to confirm, by Googling the file name and key WinDbg output, that we are indeed looking at the latest addition to the TDL rootkit family. The TDL4 rootkit is currently the only piece of malware which is able to infect the 64-bit version of the Windows 7 kernel.
In 64-bit Windows, Patchguard is meant to prevent drivers which do not have a valid signature from being loaded into the kernel. TDL4 therefore disables this feature by making the system think that it is booting into the WinPE system restore mode – in which Patchguard is disabled – early in the boot process.
Once the system has decided that it should boot without loading Patchguard, the rootkit turns WinPE mode back off and the system continues booting the normal version of Windows – but with no Patchguard. Because of this trickery, TDL is often referred to as a bootkit. The whole process takes place invisibly in the background, so that the user has no opportunity to notice that something is wrong. Indeed Microsoft felt compelled to patch the 64-bit Windows bootloader as part of its April patch day.
During my research, I stumble upon a useful tool for dumping individual rootkit files from TDL4's file system. The program, called icatcher.exe, merely requires the path to the TDL4 file system, which I have of course already extracted from the active cmd.dll. icatcher finds and saves 10 files, all with familiar names, in the folder c:\TDL_Files. I copy these files to a USB flash drive so I can take a closer look at them when I have a few minutes to spare. I'm sure they're going to yield up some interesting details.
Now all I need to do is remove the malware code. I've found a tool for the purpose online – it goes by the name of aswMBR.exe, and is from Avast. Its "scan" function detects a TDL4 infection and its "fix" function claims to have removed it. When I restart the system, all symptoms of infection have indeed vanished – it looks like we're in the clear.
As I turn round to give Hans a dressing down on the dangers posed by illegal hacked software, he's standing there beaming at me with an armful of barbecued delicacies – I was so engrossed in analysing his computer that I didn't even notice that he had popped out to the butcher. After all my hard work, I'm sure it's going to taste twice as good!
In our "Crime Scene Investigation:Internet" series, experts examine suspicious files using every trick in the book. Watch over their shoulders as they track down malware – because all this really could have happened. All the malware samples shown in CSI:Internet have been used in real attacks and have been analysed using methods including those described. The accompanying narratives are inspired by real incidents, and only the names of those involved have been invented.
The expert for this series two episode three is Frank Boldewin, an IT security architect at GAD eG in Münster, Germany. In his scarce spare time, he analyses new rootkit and trojan techniques and publishes tools and white papers on these issues on his web site reconstructer.org.
The second series of "CSI:Internet" was originally published in c't magazine starting with issue 15/2011. For links to articles in the first series please refer to our CSI:Internet HQ - Series 1 page.