TDSS/TDL4 evades host-based detection and remediation through its ability to change master boot records and also through peer-to-peer communications. Therefore, Almer believes that the best defense is based on the Trusted Platform Module (TPM) chip, from which his company's product can extract information.
According to Wave Systems' Almer, the chip is based on standards of the Trusted Computing Group, of which Wave Systems, as well as Microsoft, IBM, Dell, HP, Lenovo and a number of other companies, are members. The TPM chip works by storing signatures of a piece of software and cross-referencing those signatures to ensure they match during the booting process.
"The TPM stores the signatures of every piece of software on the machine, and the ones that are most important are the ones that are used early in the boot process before the antivirus initiates," Almer said. "But if we have the signature of the legitimate software in the TPM, we can determine if the actual software trying to boot matches that signature. We can then discover any changes in the BIOS or the MBR [master boot record]."
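The mechanism Almer describes, as an added illustration that is not Wave Systems' code: each early-boot component is hashed in order and folded into a TPM platform configuration register (PCR), so a modified MBR changes the final register value and the mismatch can be traced back to the component that changed. The component images, boot order and golden values below are constructed stand-ins; a real system reads the measurements from the TPM and its event log.

```python
import hashlib

# Constructed sample boot components (stand-ins for the real BIOS, MBR and loader images).
GOOD_COMPONENTS = {
    "bios": b"constructed BIOS image v1",
    "mbr": b"\xeb\x63\x90" + b"constructed MBR code" + b"\x55\xaa",
    "bootloader": b"constructed bootloader image",
}
BOOT_ORDER = ("bios", "mbr", "bootloader")  # order in which the firmware measures them


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = H(old_pcr || measurement). Order matters,
    so the same components measured in a different sequence give a different value."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components: dict) -> tuple:
    """Simulate measured boot: hash every component in boot order and extend each
    digest into one PCR. Returns (final PCR value, per-component measurement log)."""
    pcr = bytes(32)  # PCRs start at all zeros at power-on
    log = {}
    for name in BOOT_ORDER:
        digest = hashlib.sha256(components[name]).digest()
        log[name] = digest
        pcr = extend(pcr, digest)
    return pcr, log


# Reference ("golden") values recorded from a known-good boot, as the product would store them.
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOOD_COMPONENTS)


def verify_boot(components: dict) -> list:
    """Return the names of components whose measurement differs from the golden log.
    An empty list means the whole boot chain matched. The PCR value is checked first
    because the log alone could be forged; only a log that replays to the PCR is trusted."""
    pcr, log = measure_boot(components)
    if pcr == GOLDEN_PCR:
        return []
    return [name for name in BOOT_ORDER if log[name] != GOLDEN_LOG[name]]


if __name__ == "__main__":
    tampered = dict(GOOD_COMPONENTS)
    tampered["mbr"] = b"constructed MBR overwritten by a bootkit"
    print("clean boot, changed components:", verify_boot(GOOD_COMPONENTS))
    print("tampered boot, changed components:", verify_boot(tampered))
```

In the tampered run the final PCR no longer matches the stored value and the changed component is reported as the MBR, which is the point at which the policy decision (block, quarantine or restore) described next would be applied.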
If the signatures don't match, or if changes are detected, there are several courses of action that can be taken, Almer said.
"At that point, we can do any number of things, based on configuration. We might prevent the machine from booting. We might allow it to boot but then send it to a specific area used for remediation. Or, potentially, we can recover a protected version of the MBR before the change and then compare that change to anything that the administrators have done and use the old version."
Almer added that an appropriate counterstrategy to TDSS/TDL4 is particularly important for financial institutions, healthcare organizations, government agencies or any vertical industries that store highly sensitive data.