English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

TDL4 Starts Using 0-Day Vulnerability!

Sergey Golovanov
Kaspersky Lab Expert
Posted December 07, 12:45  GMT
Tags: Botnets, Sinowal, Stuxnet
0.4
 

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows.

After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. An attempt to inject into the print spooler process terminates with an error (ERROR_ACCESS_DENIED).

 

Error occurs when TDL4 attempts to intrude into print spooler process.

Earlier modifications of this malicious program also try to penetrate the print spooler process. New modifications, however, attempt to use the 0-day exploit to escalate its privileges up to LocalSystem level.

 

A dedicated task is created for task planner

Interestingly, the rootkit’s installer has a dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is "\RPC Control\spoolss", they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is "\RPC Control\spoolss", they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

 

The code that counteracts proactive security technologies.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.

PS. A huge ‘thank you’ to Vasily Berdnikov (Vaber) for helping prepare the material for this blog.


11 comments

Sergey Golovanov

2010 Dec 20, 18:53
0
 

Re: the same or different?

We were writing about same exploit http://www.microsoft.com/technet/security/bulletin/ms10-092.mspx I'm sure because I'm in "Acknowledgments" list)

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog