Check Point Advisories

Rootkit: TDLv4

Check Point Reference: CPAI-2011-323
Date Published: 4 Jul 2011
Severity: Critical
Last Updated: Wednesday 29 April, 2015
Source:
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70

Who is Vulnerable?

Vulnerability Description

TDL-4 is the fourth generation of the TDL botnet, which originated in 2008. The TDL-4 botnet can be used to send out spam, steal individuals' data or launch malicious attacks. TDL-4 features an improved algorithm that encrypts communications between infected computers and the botnet's command-and-control (C&C) servers, and it uses a sophisticated communications method that relies on public peer-to-peer (P2P) file-sharing networks to deliver the C&C servers' instructions to the infected computers that are part of the botnet. TDL-4 is installed by TDSS, a trojan. It is installed as a bootkit outside of the operating system, which makes it hard to detect: TDL-4 infects the Master Boot Record (MBR), which enables it to load before the operating system, right at the beginning of the computer's boot-up sequence.
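Because the bootkit lives in the MBR rather than in the file system, the host-side check a practitioner wants is an integrity comparison of the first sector against a known-good baseline. The following is an added example, not code from the advisory or from Check Point: it parses the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the sector and compares it with a baseline recorded from a clean image. The `read_mbr` helper and the device path it takes are assumptions for illustration; the sample sector is constructed and contains no real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # the 0x55AA marker found at offset 510
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code


def read_mbr(device_path):
    """Read the first sector of a raw block device (needs root/administrator rights).
    Assumed helper for real use, e.g. read_mbr('/dev/sda'); not exercised below."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_partition_table(mbr):
    """Decode the four classic partition entries; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr, baseline_sha256=None):
    """Return the sector's signature state, its SHA-256 and whether it matches the baseline.
    A valid 0x55AA signature says nothing about tampering: a replaced loader keeps it,
    so only the baseline comparison can flag modified boot code."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = hashlib.sha256(mbr).hexdigest()
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "sha256": digest,
        "matches_baseline": None if baseline_sha256 is None else digest == baseline_sha256,
        "partitions": parse_partition_table(mbr),
    }


def build_sample_mbr():
    """Constructed 512-byte sector standing in for a clean disk's MBR (placeholder bytes,
    not real boot code): one bootable Linux-type partition starting at LBA 2048."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2048, 1048576)
    table = entry + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


SAMPLE_MBR = build_sample_mbr()
# The value a golden-image process would have recorded for this sector.
SAMPLE_BASELINE = hashlib.sha256(SAMPLE_MBR).hexdigest()

if __name__ == "__main__":
    print("clean sector:", inspect_mbr(SAMPLE_MBR, SAMPLE_BASELINE))
    # Constructed tampering: the boot code bytes change, the signature does not.
    tampered = bytearray(SAMPLE_MBR)
    tampered[0] = 0x90
    print("tampered sector:", inspect_mbr(bytes(tampered), SAMPLE_BASELINE))
```

On a real host the baseline is captured once from a freshly imaged disk and stored off the machine; a later mismatch with an intact signature is the pattern to investigate, since the partition table itself usually stays untouched.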

Protection Overview

This protection detects and blocks malicious HTTP requests to download the trojan.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70

  1. In the IPS tab, click Protections, find the Rootkit: TDLv4 protection using the Search tool and edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Malware Traffic
Attack Information: Rootkit: TDLv4
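The two log fields above are what an analyst filters on to find hosts that tried to fetch the trojan. The following is an added example, not code from the advisory or from Check Point: it parses key=value style log records, keeps only hits for this protection and groups them by internal source host, separately noting hosts whose requests were only detected rather than dropped. The field names (`attack`, `attack_info`, `src`, `dst`, `action`) are an assumption about a key=value log export, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Values the advisory says the protection writes into its log.
PROTECTION_ATTACK = "Malware Traffic"
PROTECTION_INFO = "Rootkit: TDLv4"

# Constructed sample records (assumed key=value export format, not real gateway output).
SAMPLE_LOG_LINES = [
    'time="2011-07-04 10:02:11" product="IPS" src=10.0.0.5 dst=203.0.113.10 service=80 '
    'attack="Malware Traffic" attack_info="Rootkit: TDLv4" severity="Critical" action=drop',
    'time="2011-07-04 10:02:40" product="IPS" src=10.0.0.5 dst=203.0.113.10 service=80 '
    'attack="Malware Traffic" attack_info="Rootkit: TDLv4" severity="Critical" action=detect',
    'time="2011-07-04 10:03:05" product="IPS" src=10.0.0.9 dst=198.51.100.7 service=80 '
    'attack="Malware Traffic" attack_info="Some Other Family" severity="High" action=drop',
    'time="2011-07-04 10:04:00" product="IPS" src=10.0.0.12 dst=203.0.113.10 service=80 '
    'attack="Malware Traffic" attack_info="Rootkit: TDLv4" severity="Critical" action=drop',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line):
    """Turn one key=value record into a dict, unquoting quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def is_tdlv4_hit(record):
    """True when both fields match the values this protection logs."""
    return (record.get("attack") == PROTECTION_ATTACK
            and record.get("attack_info") == PROTECTION_INFO)


def triage(lines):
    """Group TDLv4 hits by source host: hit count, per-action counts and destinations
    contacted, so each internal host can be isolated and rebuilt from a clean image."""
    hosts = defaultdict(lambda: {"hits": 0, "actions": Counter(), "destinations": set()})
    for line in lines:
        record = parse_kv_line(line)
        if not is_tdlv4_hit(record):
            continue
        entry = hosts[record.get("src", "unknown")]
        entry["hits"] += 1
        entry["actions"][record.get("action", "unknown")] += 1
        entry["destinations"].add(record.get("dst"))
    return dict(hosts)


def unblocked_hosts(triaged):
    """Hosts with at least one request the gateway only detected (not dropped);
    these may have completed the download and need priority handling."""
    return sorted(src for src, entry in triaged.items() if entry["actions"]["detect"] > 0)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINES)
    for src, entry in sorted(result.items()):
        print(src, entry["hits"], dict(entry["actions"]), sorted(entry["destinations"]))
    print("detect-only hosts needing priority:", unblocked_hosts(result))
```

A host that appears with only `drop` actions was stopped at the gateway; one with `detect` entries (the protection set to Detect rather than Prevent, or a hit before policy was installed on that gateway) should be treated as possibly infected and checked on the endpoint, including the MBR integrity check described with the vulnerability above.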
