TDL4 Infection Update Win32/Olmasco MAXSS Pihar


TDSS/TDL4 has been a resilient and common rootkit used to infect computers, installing botkits, fake antivirus, and browser redirects. Just as it appeared development of the rootkit had stalled, some new variants have been appearing. Many antivirus programs are not detecting these new variants. They are detected by ESET as Win32/Olmasco, and BitDefender as MAXSS or Pihar. If not detected by antivirus, the most common symptoms are browser redirects and multiple Internet Explorer processes not started by the user that will respawn when terminated.

These variants have begun appearing in our malware removal forums. For example here and here. Due to changes in how they operate, these new variants require some new techniques to remove. Previously the MBR (Master Boot Record) was overwritten. The new version leaves the MBR untouched, but creates a hidden partition and marks it as boot. This means tools and techniques that scan the MBR for changes, or rewrite the MBR will no longer work, and may result in an unbootable system. Newer techniques and tools for removal are still being developed, but mostly involve booting offline, using a live Linux CD like gparted.

The recent changes lead some to suspect that the TDL4 code has been released on the black market. This not only opens the door to new variants, but also the possibility that a TDL5 may be on the horizon.

Windows 8 will have a feature when installed on many new systems known as UEFI secure boot that in theory removes much of the threat of rootkits. It runs a number of security checks, including digital signatures to prevent malicious boot code. However, it may have already been defeated. Well before the release of Windows 8.

As always, if you suspect your system has a malware infection, please start with our Malware and Spyware Cleaning Guide.