TDSS/SafeSys Exploits in the Wild

Discussion in 'malware problems & news' started by Rmus, Jul 3, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why did she not have protection in place against the drive-by download exploit to block unauthorized executables?

    ----
    rich
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, the mention of that vulnerability struck me as strange. But maybe the TDSS folks are using it for HIPS bypass. If the TDSS dropper is executed by an admin, it'll have enough privileges to screw with various kinds of system objects, and most HIPS products probably don't check for such a method of driver installation.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    [image: pg-dll.gif]

    My REG

    [image: reg.gif]

    I wonder if the updated V2.0 patch changed something/s which in some way/s made it vulnerable again, but in an unforeseen manner? Plus it says "The initial version of this bulletin provided a workaround, not a fix"!

    Here's my Known DLLs, XP/SP2

    [image: known.gif]
     
  5. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    Well, my family accidentally ran into one of these TDSS/TDL3 samples yesterday and, like always, it downloaded a fake (which was blocked by the AV).

    A family member went to a blog to read an article; as soon as we got to the blog, Java started to load and we were offered a download of some com file titled "Microsoft help and support center". We exited it thinking nothing had happened and then left for a little bit. When we came back, a "The file is infected, would you like to activate the antivirus" message was on the machine. It locked us out of the machine till a family member ran Hitman Pro to clean it up.

    I do wonder if using Firefox would have blocked the drive-by download (we did not click anything, so I think it broke past IE).
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :) Leave it to HMP to deliver a kill shot.
    It can be quite sophisticated, often with an exploit kit scanning the visitor for known vulnerabilities in their browser, whether that is IE, Firefox or other.

    This YouTube video on BLADE, http://www.youtube.com/watch?v=9emHejh8hWE, is quite interesting and should give an idea. There's quite a bit discussed on the forums on helping prevent drive-bys and their damage, such as NoScript, Sandboxie, LUA, DropMyRights, HIPS, UAC...
     
    Last edited by a moderator: Jul 8, 2010
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Blade - Brought to us by the same company who developed Remote Viewing.
    And talk here since February, but no release. What's the hubbub, bub?

    Wait...I'm getting an image... of the website..."coming soon" gets replaced...with the words "release"... I'm getting a date associated with the event...September 10.

    Now we just wait and see if I were a good McMonagle student. :D

    Blade would be a good shot against malware like TDSS. Limiting malware authors' distribution options will make the malware fight somewhat easier.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Based on what you write, it might be one of the current exploits against IE:

    Microsoft Security Advisory (2219475)
    Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/2219475.mspx

    This is scheduled to be patched next Patch Tuesday (July 13). Go to the link in this thread:

    Microsoft Security Bulletin Advance Notification for July 2010
    https://www.wilderssecurity.com/showpost.php?p=1709384&postcount=2

    Without seeing the blog page, one can only assume that it was a compromised page that redirected to the malicious site. Most sites these days, as Meriadoc points out, have exploit kits which first determine the browser. If Firefox or Opera, one exploit served up would be PDF. This is not an exploit against the browser; rather, it's against the PDF reader, and the browser is just the trigger point. Whether such an exploit succeeds depends on the script and plugin settings.

    ----
    rich
     
    Last edited: Jul 9, 2010
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Have you actually tried initially executing TDSS/Safesys with ProcessGuard and did the latter block or prompt for driver loading, raw disk access, dll injections, or any other malware behaviour?
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    No, I haven't :D because even though I'm trying out Shadow Defender, until it runs out in 27 days :( I don't want to risk it :p What to do after the 27 days are up?

    Have you executed TDSS/TDL/Safesys etc, if so what were your experiences ?
     
  11. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I came across this fixing a mate's laptop. I used HijackThis to remove it; had to delete a couple of DLLs. It seems to be gone. He had no antivirus; I ran a scan after installing MSE, all clean :D
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I would be very surprised if one of those RKs was eliminated with HJT. The fact that MSE detected nothing doesn't mean it's not still lurking in there.

    Run some specialist dedicated removal tools, and MBAM etc.
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Though ProcessGuard has unbeatable AE features, I doubt it is capable of stopping TDSS/Safesys in their tracks. I would choose a newer, more featured HIPS to test those (particularly one with kernel driver loading controls and usermode raw disk access controls).
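
Editor's added example, not code from the thread or from any product named in it. Windchild's and trismegistos's posts above both turn on the same two things a HIPS is expected to watch: a driver getting loaded, and the KnownDLLs list CloneRanger posted a screenshot of. The script below is a read-only triage pass over those two points on a live box. It assumes an elevated PowerShell 3.0 or later prompt, and it assumes (my choice, not the page's) that "trusted" means the image exists on disk, carries a valid Authenticode signature, and the signer subject contains "Microsoft". Anything it lists is "go and look at this", not "this is TDSS".

```powershell
# Added example, not from the thread. Read-only audit of two loading points:
#   1. the KnownDLLs list under HKLM\...\Session Manager\KnownDLLs
#   2. kernel drivers currently in the Running state
# Assumptions: elevated PowerShell 3.0+; "trusted" = valid Authenticode signature
# with a Microsoft subject (a triage heuristic chosen here, not a rule from the page).

$KnownDllsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$System32     = Join-Path $env:SystemRoot 'System32'
$DriversDir   = Join-Path $System32 'drivers'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# Win32_SystemDriver.PathName comes back in several shapes:
#   C:\Windows\system32\drivers\x.sys, \??\C:\...\x.sys,
#   \SystemRoot\system32\drivers\x.sys, or just system32\drivers\x.sys.
# Normalise all of them to a plain Win32 path.
function Resolve-DriverImage {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.+)$') {
        $p = Join-Path $env:SystemRoot $Matches[1]
    } elseif (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Every KnownDLLs value should name a DLL that exists in System32 and is
# Microsoft-signed. KnownDLLs are loaded from the \KnownDlls section without the
# normal search order, so an extra or redirected entry is worth a close look.
function Get-SuspiciousKnownDlls {
    $props = (Get-ItemProperty -Path $KnownDllsKey).PSObject.Properties
    foreach ($prop in $props) {
        # Skip provider metadata (PSPath, PSDrive, ...) and the directory settings.
        if ($prop.Name -like 'PS*' -or $prop.Name -like 'DllDirectory*') { continue }
        $image = Join-Path $System32 $prop.Value
        if (-not (Test-MicrosoftSigned $image)) {
            [pscustomobject]@{ Check = 'KnownDLL'; Name = $prop.Name; Image = $image
                               Reason = 'missing, unsigned, or not Microsoft-signed' }
        }
    }
}

# Running drivers: flag images outside system32\drivers and images that fail the
# signature heuristic. Third-party vendor drivers will show up here by design.
function Get-SuspiciousDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $image   = Resolve-DriverImage $_.PathName
            $reasons = @()
            if (-not $image) {
                $reasons += 'no image path'
            } else {
                if ($image -notlike "$DriversDir\*") { $reasons += 'outside system32\drivers' }
                if (-not (Test-MicrosoftSigned $image)) { $reasons += 'missing, unsigned, or not Microsoft-signed' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Check = 'Driver'; Name = $_.Name; Image = $image
                                   Reason = ($reasons -join '; ') }
            }
        }
}

@(Get-SuspiciousKnownDlls) + @(Get-SuspiciousDrivers) | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, the driver list will always contain vendor-signed entries (graphics, storage, AV filter drivers); the value is in diffing against a known-good box or a previous run, not in the raw count. Second, and this is the point the thread keeps circling: a kernel-mode rootkit that is already running can filter what user-mode readers see of the disk and of the loaded-module list, so a clean result from inside a suspect machine is not conclusive. Run the same checks from clean boot media or against an offline copy of the volume before trusting them.
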
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    culla that is very lol :)

    @trismegistos
    Indeed ProcessGuard prevents TDL/TDSS and SafeSys execution and driver :) + any injection and termination.
     
    Last edited: Jul 10, 2010
  15. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    lol, yes, I disabled all startup processes first, ran Glary Utilities, CCleaner and HJT. He's using it now without problems :D
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Perhaps it wasn't these infections.
     
  17. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    I remember the safesys being there :D maybe different
     
  18. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    This TDSS rootkit was found being distributed through Twitter.
    http://stopmalvertising.com/malware-reports/fake-tweetdeck-update-silently-installs-tdss.html

    At the end of the report you can see that of course ProcessGuard has no problems stopping the driver from being installed.
     
    Last edited: Nov 19, 2010
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Moore

    Thanks for the ProcessGuard etc link/info :) :thumb:
     
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner