Rootkit defeats Microsoft Windows 64-bit security features

TDL is an advanced rootkit that is not detected by most anti-malware programs, and is used as a backdoor to install and update keyloggers and other types of malware.

Researchers say the TDL version 4 rootkit is able to bypass the enhanced security policy requiring system drivers to be signed in 64-bit versions of Windows.

The policy, called the kernel mode code signing policy, prevents any unauthorized or malicious driver from being loaded.

But TDL4 is able to bypass this control by changing the boot options of Microsoft's boot programs so that an unsigned driver is allowed to load, according to research published by GFI Software.

The boot option is changed in memory by code executed from the infected master boot record (MBR), wrote Chandra Prakash, technical fellow at GFI Labs.

"The boot option configures the value of a config setting named 'LoadIntegrityCheckPolicy' that determines the level of validation on boot programs. The rootkit changes this config setting value to a low level of validation that effectively allows loading of an unsigned malicious rootkit dll file."
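Because the in-memory change described above is made by code running from an infected MBR, one defender-side check is to baseline the MBR boot-code region on a known-clean machine and compare it later. The following script is an illustration added here, not code from the article or from GFI's research: it parses a 512-byte MBR sector, hashes the 440-byte boot-code area, and reports deviations from a stored baseline. The sample sectors are constructed, and the raw device path used to read a live MBR is an assumption (it needs administrator rights and is not exercised by the sample).

```python
"""Baseline check for the MBR boot-code region (added illustration)."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR boot-code area, bytes 0..439
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code: bytes
    partitions: list
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Split a raw 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:          # empty entry
            continue
        partitions.append(Partition(status == 0x80, type_id, lba_start, count))
    return Mbr(
        boot_code=sector[:BOOT_CODE_LEN],
        partitions=partitions,
        signature_ok=sector[510:512] == MBR_SIGNATURE,
    )


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code area; this is the value to record as a baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_against_baseline(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr.signature_ok:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    if not any(p.bootable for p in mbr.partitions):
        findings.append("no partition flagged bootable")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (assumed path; Windows, run as administrator).
    On Linux the equivalent device path would be something like /dev/sda."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code plus one bootable NTFS-type partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x00" * 6                       # disk signature + reserved, bytes 440..445
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48                 # three empty entries
    return code + disk_sig + table + MBR_SIGNATURE


# Constructed samples: a "clean" sector with a short real-mode stub, and one
# whose boot code was replaced, standing in for an infected MBR.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
CLEAN_HASH = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print("clean:", check_against_baseline(CLEAN_MBR, CLEAN_HASH))
    print("tampered:", check_against_baseline(TAMPERED_MBR, CLEAN_HASH))
```

The baseline hash should be captured once on a trusted image and stored off the host; a mismatch says only that the boot code changed, so legitimate changes (a boot-loader reinstall, imaging tools) need to be ruled out before treating it as an infection.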

The rootkit also disables debuggers, which makes reverse engineering this rootkit very difficult, said Prakash.

This story was first published by Computer Weekly
