TDL3 rootkit is causing BSOD in 17-year old MS bug patch!

Microsoft today pulled its MS10-015 patch for the 17-year old bug after reports of BSODs caused by the patch.

It turns out that the TDL3 rootkit infection is related to the BSOD. See here.

PCs that are infected with the rootkit and run the patch (served by Windows Update) become unbootable!

The number of affected PCs tells us something about how widely spread the TDL3 rootkit is.

Statistics from our Scan Cloud:
Since November 30, Hitman Pro removed TDL3 infections from over 16.000 computers.
Interesting detail: 74.8% of those PCs were running an up-to-date AV.

That tells us how good this rootkit is in staying undetected or how difficult it is to remove this infection. TDL3 infects the hard disk driver (usually atapi.sys) and once loaded it serves the OS the uninfected driver, fooling most AVs as they see nothing wrong with the driver.

Some AV vendors have a private removal tool but they won't release it to the public since they are afraid that the TDL3 authors are counteracting their tool. Since TDL3 was first found in October 2009, TDL3 has changed several times, each time improving its armor.

Currently only public Hitman Pro 3.5 is able to remove all current TDL3 variants (up to TDL3.241). But it is only a matter of time before the TDL3 authors change their armor.

Combofix can also be used if your hard disk driver is atapi.sys. If you have a different driver, like iastor.sys from Intel or one of the list from below then you can't use Combofix.

Below the list of drivers where Hitman Pro found and removed TDL3:

atapi.sys
iaStor.sys
nvstor32.sys
nvata.sys
nvstor.sys
nvgts.sys
nvatabus.sys
iaStorV.sys
ahcix86s.sys
viamraid.sys
lsi_scsi.sys
vmscsi.sys
IdeChnDr.sys
jraid.sys
si3112r.sys
lsi_sas.sys
ahcix86.sys
si3112.sys
viasraid.sys
nvrd32.sys
fasttx2k.sys
nvraid.sys
SiSRaid.sys
adpu160m.sys
nvidesm.sys
UlSata.sys
Si3114r5.sys
vsmraid.sys
iteraid.sys
ftsata2.sys
adpu320.sys
iteatapi.sys
Fasttrak.sys

Sadly, the computers that no longer boot after MS10-015 patch can now only be helped with a boot CD.

This situation again stresses that you need a second opinion scanner as your AV might have missed something. In case of TDL3 a chance of 74.8%.

The detection and removal is all done by Hitman Pro while the identification of the threats is done in the cloud by 7 AVs from our 5 partners: Prevx, G Data, Eset, Avira and a-squared.

Note that while these partners have signatures for the constant changing TDL3 rootkit, they are all currently unable to find the rootkit while its stealth is active. So far Hitman Pro has no problems in detecting it. But TDL3 authors are constant improving their armor ...

Finally, a sign of TDL3 infection is when you're browsing the web and you are frequently redirected to websites you didn't expect to go to. TDL3 modifies DNS query results. See also here.

_________________

Info about MS10-015 rootkit issues here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html

Technical info about TDL3 can be read here: http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html

Press release on TDL3 removal here: http://www.surfright.nl/en/home/press/hitman-pro-35-removes-tdl3-rootkit

 

+ like one million

Now also confirmed by Symantec:
https://www-secure.symantec.com/connect/blogs/tidserv-and-ms10-015

 

I have made a video of the TDL3 rootkit + MS10-015 patch that results in an unbootable computer.

You can view the YouTube video here.

 

Thanks for posting and sharing the video.

 

So, do we trust in av?

erik pmed you know where

 

As Meriadoc said in this post ...

TDL3 authors have updated their rootkit to version 3.25 which solves the rootkit's incompatibility with the MS10-015 patch.

This shows that TDL3 authors are on it and show their level of professionalism.

I have made another movie to illustrate that the MS10-015 is no longer a problem for TDL3.

You can view the movie here:
http://www.youtube.com/watch?v=Jbw2d2JqLNs

Also, Microsoft have started pushing out the MS10-015 patch again so TDL3 is just in time

 

Yes, it's certainly nice of the tdl developers to be so caring.

 

Hi Erik,
Good job! Quick question about the video: what happened to 34.tmp file that was detected during original scan? It didn't show up on a second scan after reboot, did trojan itself clean it up on restart?
Thanks!

 

Microsoft could have done that on purpose to force those infected users to reformat. I am betting that at least 50% of them will say "my computer has crashed", I need to get a new one.. and they will go out and buy a Win7 64-bit PC. Problem solved.

Good job Microsoft

 

http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

 

@Triple Helix

Good link, thanks. Nice of them to care not about us though, only trying to make sure they get their crap installed

 

Does anyone know from experience how this TDL3 rootkit gets installed?

Most of the articles talk about what it does once installed, but nothing about the method of delivery.

Thanks,

-rich

 

@Rmus

Hi apart from any other ways, it seems like it's the usual methods of tricking unwary/unprotected users into clicking and running Rogue AV's

Rogues http://www.bleepingcomputer.com/virus-removal

Fake AV - Internet Antivirus Pro http://forum.sysinternals.com/forum_posts.asp?TID=21935

Rootkit TDL 3 http://forum.sysinternals.com/forum_posts.asp?TID=21266&PN=1

Rootkit 4DW4R3 http://forum.sysinternals.com/forum_posts.asp?TID=21838

Info http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html

 

Look here: http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html

 

The rootkit indeed cleans up after itself. Leave no trace after boot

 

Thanks for the articles - I see it does use the same old tricks!

I've seen this article, but it doesn't say anything about delivery methods, unless I missed something.


----
rich

 

TDL3+ is heavily pushed at sharing sites bundled up in anticipated popular applications.

keygen, crack and serial sites when scrutinised are usually connected and have the exact same content lists.

Rouge scan pages that download a scanner.

False porn sites that get you to download 'adobeflashplayer' to view porn.

 

Yes, the usual, social engineering, drive by downloads, etc.
Zero day flaws from the usual suspects, Internet explorer and Adobe flash and reader?
And most probably in cracks and rogues.

 

Hi Rich,

sorry if I quote myself from the blog post

http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

I hope this helps If you have any other question, don't hesitate to ask.

Cheers,

Marco

 

Thanks, Marco for the link to your very informative blog! So, this trojan, while sneaky in its attempts to avoid detection/removal, installs by the same tried and true methods.

In addition to what you reported then, others recently have noted web-based attacks by remote code execution. Are you aware of specific exploits, such as those that target IE6; PDF or SWF files, etc?

In any case, prevention against those types of exploits has many solutions. I have this in my notes from one of your previous blogs that mentions prevention:

Learning from Rustock rootkit
http://www.prevx.com/blog/116/Learning-from-Rustock-rootkit.html

Your bolding. Again, prevention today against remote code execution attacks has so many solutions, that the social engineering attacks seem to be more successful.

Protecting against this method is more problematical, because of the tendency to download the kind of stuff you refer to. Only if the victim has a product that could detect the malware, would she/he be protected. I suppose that is what most people who download such stuff hope for. I notice comments in hijack forums, like: "But my AV was up to date."

I noted especially this in your blog,

because a few weeks ago, I saw a comment on another forum by a MAC user that the TDss couldn't affect him/her. The usual windows-bashing ensued, and it reminded me of an old exploit against MAC from a couple of years ago. I dug this out of my notes last week for another thread:

DNS changer Trojan for Mac (!) in the wild
http://isc.sans.org/diary.html?storyid=3595

Bojan was nice, and didn't point out which types of sites ususally have this type of video exploit.

Well, thanks to all of the good information in this thread, I see that this sneaky trojan can be prevented by the usual methods one would employ against both the remote code execution exploit, and the social engineering exploit.

For all of the sophistication of today's malware, the delivery mechanisms for the dropper haven't changed much!

regards,

-rich

 

We haven't find any exploit dropping TDL3 rootkit

Actually it's totally true

 

Update - Restart Issues After Installing MS10-015 and the Alureon Rootkit

See: http://blogs.technet.com/msrc/archi...talling-ms10-015-and-the-alureon-rootkit.aspx

 

TDL3 update fixed issue

tdlcmd.dll updated , TDL at version 3.26

 

thats all well and nice, but im seeing a bit of an over-reaction.