English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

TDL4 Starts Using 0-Day Vulnerability!

Sergey Golovanov
Kaspersky Lab Expert
Posted December 07, 12:45  GMT
Tags: Botnets, Sinowal, Stuxnet
0.4
 

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows.

After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. An attempt to inject into the print spooler process terminates with an error (ERROR_ACCESS_DENIED).

 

Error occurs when TDL4 attempts to intrude into print spooler process.

Earlier modifications of this malicious program also try to penetrate the print spooler process. New modifications, however, attempt to use the 0-day exploit to escalate its privileges up to LocalSystem level.

 

A dedicated task is created for task planner

Interestingly, the rootkit’s installer has a dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is "\RPC Control\spoolss", they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is "\RPC Control\spoolss", they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

 

The code that counteracts proactive security technologies.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.

PS. A huge ‘thank you’ to Vasily Berdnikov (Vaber) for helping prepare the material for this blog.


11 comments

Oldest first
Threaded view
 

palaniyappan

2010 Dec 08, 08:57
1
 

Interesting

Thanks ..

Reply    

Sergey Golovanov

2010 Dec 08, 18:29
1
 

Re: Interesting

Your welcome!)

Reply    

Gigi

2010 Dec 09, 08:13
0
 

Rogue installer

Hi!
Does TLD4 comes in PCs as a rogue like HDD Defragmenter?

Reply    

Sergey Golovanov

2010 Dec 09, 15:08
-1
 

Re: Rogue installer

Yes it does and it is just a one way of doing that. More info here http://www.securelist.com/en/analysis/204792131/TDSS#6

Reply    

Gigi

2010 Dec 09, 18:25
0
 

TDSS Killer

Just one more thing:
I see that TDSS Killer was updated on 2010 Dec 03 08:20. Can it disinfect TDL4 as well?
I need to know because want to publish the removal method on my blog.

Reply    

Drew

2010 Dec 09, 20:20
0
 

Re: TDSS Killer

I would like to know this as well.

Reply    

Sergey Golovanov

2010 Dec 10, 00:50
0
 

Re: TDSS Killer

> Can it disinfect TDL4 as well?
Yes

Reply    

Jimi

2011 Jul 07, 19:29
0
 

Re: TDSS Killer

What's you blog

Reply    

Gigi

2010 Dec 10, 10:56
0
 

Thanks

Thanks.

Reply    

Andrew from Vancouver

2010 Dec 12, 10:59
0
 

the same or different?

Sergey, five days after your initial blog entry, Mike Reavey blogged about the forthcoming Patch Tuesday http://blogs.technet.com/b/msrc/archive/2010/12/09/december-2010-advance-notification-service-is-released.aspx and noted that Microsoft is patching the last zero-day used by Stuxnet. The relevant part to your entry is where he says:

"First, we will be closing the last Stuxnet-related issues this month. This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware."

So... do you know if he and you are writing about the same exploit?

Reply    

Sergey Golovanov

2010 Dec 20, 18:53
0
 

Re: the same or different?

We were writing about same exploit http://www.microsoft.com/technet/security/bulletin/ms10-092.mspx I'm sure because I'm in "Acknowledgments" list)

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog