The Case of Trojan Downloader "TDL3TDL3"

Current trends in the Threat Landscape dictate that a malware's functionality grow in number, perform more stealthily and increase in complexity. This continuous evolution is a known fact in the industry as Operating Systems improve and Network security tightens.

Naturally, a malware analyst who regularly encounters a malware family will be able to observe the changes between an old variant and a new one, and so note the increase and changes in behaviors. Commonly observed changes seen in more recent malwares are: the addition of code polymorphism, implementation of process hooks and injections; experimentation with new ways to gain privilege escalation; and using rootkit functionalities.

There are however some malware that go a step further. In early 2008, a first-of-its-kind malware was seen.

Mebroot (http://www.f-secure.com/weblog/archives/vb2008_kasslin_florio.pdf), which incorporated some of the most advanced techniques seen in a malware. The aspect with the greatest potential for impacting the threat landscape is the underlying concept the Mebroot malware family represents; a framework or foundation, which we may call a Malware Operating System (in reference to a MaOS text string found in the malware).

TDL3, so named by the malware authors themselves, adopts some characteristics of Mebroot malware family in terms of disk infection and surviving reboot operations. Although it does not rank as the most complicated malware seen, TDL3's distinctive features stealthy infection mechanisms and tricky removal - should not be overlooked. Moreover, TDL3 is just a framework for further system compromise.

In few simple words, TDL3 is a "Means to an End".