TDL3 : The rootkit of all evil

(Publication)

Botnet: TDSS
Malware: TDL-3 (bot)
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
CCProtocol: HTTP
Date: 2010
Editor/Conference: ESET
Author: Aleksandr Matrosov, Eugene Rodionov


Not so long ago one of our clients asked us to analyze a set of TDSS droppers and to locate the source of the threat. During our investigation we found evidence of the complicity of one of the well-known cybercrime groups in distributing those rootkits. The droppers were distributed using a Pay-Per-Install (PPI) scheme, well-known and growing increasingly popular among cybercrime groups. The PPI scheme is similar to those used for distributing browser toolbars. For instance, if you are a partner of Google and distribute its toolbars, then you have a special build with an embedded identifier which allows for calculating the number of your installations and therefore your revenue. The same approach is used for distributing the rootkits: information about the distributor is embedded into the executable, and there are special servers used to calculate the number of installations.


 @misc{2010BFR890,
   editor = {ESET},
   author = {Aleksandr Matrosov and Eugene Rodionov},
   title = {TDL3 : The rootkit of all evil},
   day = {23},
   month = feb,
   year = {2010},
   howpublished = {\url{}},
 }