Security Response

A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start up operations. It is one of the first things to be read and executed by the computer hardware when a computer is powered on, even before the operating system itself. As far as trying to get access to the hardware first, you can’t really beat the MBR for that, with the exception of hardware ROM (BIOS) itself.

MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair and are not an undertaking that can be performed by many malware creators except for more highly skilled individuals. This is probably one reason why after the creators of Trojan.Mebroot rediscovered the...

On April 12, 2011, KB2506014 was released to address a vulnerability affecting Windows Vista and later operating systems running on the AMD64 platform. Malware was exploiting the vulnerability to load unsigned drivers and stay resident in kernel mode.

Backdoor.Tidserv (a.k.a. TDL4) is one such threat that is patching operating systems’ loader files on-the-fly in order to ensure that its advanced rootkit capabilities work. As may be expected, Tidserv attempted to work around the KB2506014 patch, as noted in the following code snippets taken from the ldr16 entry of the threat’s encrypted file system:

 
Here, the hooked int13 (the 16-bit disk operations interrupt) attempts to identify the moment when the operating...

In this blog we continue our analysis of the recently discovered Tidserv variant that is capable of infecting 64-bit Windows operating systems. While we gave a quick overview of the threat yesterday, today we’re going to talk more about how Tidserv installs itself on 32- and 64-bit operating systems.

While Backdoor.Tidserv.L arrives as a 32-bit Windows executable, it checks if it's running under a 32- or 64-bit version of Windows and chooses an architecture-specific method of installing itself. If it finds that it’s running on a 32-bit system, it uses the same method as older Tidserv variants to gain necessary privileges—by executing itself in the Print Spooler service. Next, it drops a 32-bit version of the malicious kernel driver and loads it into the Windows kernel. Once the driver is loaded, it infects the Master Boot Record (MBR) with a malicious version.

It then...

Backdoor.Tidserv first came to light in back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv and we have documented a number of the changes in our blog postings. Yesterday, Symantec came across a new sample of Tidserv that we have broken out detection for as Backdoor.Tidserv.L and Boot.Tidserv.

This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into Windows 64-bit driver processes found in the likes of 64-bit Windows versions. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are...