Tidserv 64-bit Goes Into Hiding

Backdoor.Tidserv first came to light back in 2008 as a Trojan that uses an advanced rootkit to hide itself. Since then, Symantec has seen many changes to Tidserv, and we have documented a number of them in our blog postings. Yesterday, Symantec came across a new sample of Tidserv, for which we have broken out detection as Backdoor.Tidserv.L and Boot.Tidserv.
This new variant of Tidserv is of interest for two main reasons. First, we are now seeing Tidserv inject user-mode code into 64-bit driver processes on 64-bit versions of Windows. Previously, Tidserv targeted only 32-bit operating systems. Although this is not the first virus to inject code into 64-bit processes, it is still a relatively new venture for virus writers. It also demonstrates how the creators of Tidserv are constantly evolving the threat to ensure the maximum infiltration of potential victim operating systems. Secondly, Tidserv is now infecting the Master Boot Record (MBR) of the compromised computer, allowing it to gain control before the operating system is loaded. The main Tidserv components are stored in unused space at the end of the hard drive in encrypted form. This makes the threat more difficult to detect and remove once a computer is infected. Below is an image of the infected disk:

Again, this is not the first (continue reading...)
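
A triage check for the layout described above (components kept encrypted in unused space at the end of the disk), written as an added example and not code from Symantec or the original post: it parses the MBR partition table of a raw disk image and flags non-empty, high-entropy sectors that lie after the last partition. It assumes a classic MBR-partitioned disk with 512-byte sectors; the entropy threshold, the function names and the sample image are constructed for illustration, and a hit is a reason to look closer, not a Tidserv signature.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512

def parse_mbr(sector0):
    # Return (start_lba, sector_count) for each used primary partition entry.
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:  # byte 4 is the partition type
            parts.append((start, count))
    return parts

def entropy(data):
    # Shannon entropy in bits per byte; 0.0 for empty input.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_trailing_space(image, threshold=7.0):
    # Walk the sectors after the last partition; report encrypted-looking ones.
    parts = parse_mbr(image[:SECTOR])
    end = max((s + c for s, c in parts), default=1)
    total = len(image) // SECTOR
    hits = []
    for lba in range(end, total):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec) and entropy(sec) >= threshold:
            hits.append(lba)
    return end, total, hits

def build_sample():
    # Constructed 64-sector image: one partition at LBA 1-40, a plain-text
    # sector at LBA 50, and pseudo-random data at LBA 60-63.
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 1, 40)
    img[510:512] = b"\x55\xaa"
    img[50 * SECTOR:51 * SECTOR] = (b"label " * 86)[:SECTOR]
    img[60 * SECTOR:] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return bytes(img)

if __name__ == "__main__":
    print(scan_trailing_space(build_sample()))
```

On the constructed image the plain-text sector in the unallocated area is ignored and only the four pseudo-random sectors at the end of the disk are reported.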

Copyright © 2012 The Security Blog. All rights reserved.