TDSS/TDL4 has been a resilient and common rootkit used to infect computers, installing botkits, fake antivirus, and browser redirects. Just as it appeared that development of the rootkit had stalled, some new variants have begun appearing. Many antivirus programs are not detecting these new variants. ESET detects them as Win32/Olmasco, and BitDefender as MAXSS or Pihar. If antivirus does not detect them, the most common symptoms are browser redirects and multiple Internet Explorer processes, not started by the user, that respawn when terminated.
These variants have begun appearing in our malware removal forums, for example here and here. Because of changes in how they operate, these new variants require some new removal techniques. Previously the MBR (Master Boot Record) was overwritten. The new version leaves the MBR untouched, but creates a hidden partition and marks it as the active (boot) partition. This means tools and techniques that scan the MBR code for changes, or that rewrite the MBR, will no longer work, and may leave the system unbootable. Newer removal techniques and tools are still being developed, but they mostly involve booting offline from a live Linux CD such as GParted and working on the partition table from there.
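One defender-side check that follows from this: because the boot code is untouched, compare the 64-byte partition table at offset 446 against a saved baseline instead of checking the MBR code bytes. This is an added example, not code from the original post or from any tool it names; the two sectors are constructed test data and the hidden partition's type id (0x17) is only a placeholder.

```python
import struct

# Classic MBR layout: 446 bytes of boot code, four 16-byte partition
# entries, then the 0x55AA signature. Entry layout (little-endian):
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"
BOOTABLE_FLAG = 0x80

def parse_partition_table(sector):
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        entries.append({"index": i, "bootable": status == BOOTABLE_FLAG,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def active_partitions(sector):
    """Indices of entries carrying the active/boot flag (normally exactly one)."""
    return [e["index"] for e in parse_partition_table(sector) if e["bootable"]]

def diff_partition_tables(baseline, current):
    """Per-slot field changes between a saved baseline MBR and the current one."""
    changes = []
    for old, new in zip(parse_partition_table(baseline), parse_partition_table(current)):
        for key in ("bootable", "type", "lba_start", "sectors"):
            if old[key] != new[key]:
                changes.append((old["index"], key, old[key], new[key]))
    return changes

def build_mbr(entries):
    """Construct a test MBR from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(512)
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(ENTRY_FORMAT, status, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: a clean disk with one active NTFS (0x07) partition, and the
# same disk after a second, hidden partition was added and given the boot flag.
BASELINE_MBR = build_mbr([(0x80, 0x07, 2048, 204800)])
CURRENT_MBR = build_mbr([(0x00, 0x07, 2048, 204800), (0x80, 0x17, 206848, 2048)])

if __name__ == "__main__":
    print("boot code identical:", BASELINE_MBR[:446] == CURRENT_MBR[:446])
    print("active now:", active_partitions(CURRENT_MBR))
    for change in diff_partition_tables(BASELINE_MBR, CURRENT_MBR):
        print("slot %d: %s %r -> %r" % change)
```

Saving the first sector of a known-clean disk (e.g. with dd from the live CD) gives the baseline; a later diff that shows the boot flag moving to a new slot while the code bytes match is the signature this post describes.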