TDL3 rootkit is causing BSOD in 17-year old MS bug patch!

Discussion in 'malware problems & news' started by erikloman, Feb 12, 2010.

Thread Status:
Not open for further replies.
  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Microsoft today pulled its MS10-015 patch for the 17-year-old bug after reports of BSODs caused by the patch.

    It turns out that the TDL3 rootkit infection is related to the BSOD. See here.

    PCs that are infected with the rootkit and run the patch (served by Windows Update) become unbootable!

    The number of affected PCs tells us something about how widely spread the TDL3 rootkit is.

    Statistics from our Scan Cloud:
    Since November 30, Hitman Pro removed TDL3 infections from over 16,000 computers.
    Interesting detail: 74.8% of those PCs were running an up-to-date AV.

    That tells us how good this rootkit is at staying undetected, or how difficult it is to remove this infection. TDL3 infects the hard disk driver (usually atapi.sys) and, once loaded, it serves the OS the uninfected driver, fooling most AVs as they see nothing wrong with the driver.

    Some AV vendors have a private removal tool, but they won't release it to the public since they are afraid that the TDL3 authors will counteract their tool. Since TDL3 was first found in October 2009, TDL3 has changed several times, each time improving its armor.

    Currently only the public Hitman Pro 3.5 is able to remove all current TDL3 variants (up to TDL3.241). But it is only a matter of time before the TDL3 authors change their armor.

    Combofix can also be used if your hard disk driver is atapi.sys. If you have a different driver, like iastor.sys from Intel or one from the list below, then you can't use Combofix.

    Below is the list of drivers where Hitman Pro found and removed TDL3:

    atapi.sys
    iaStor.sys
    nvstor32.sys
    nvata.sys
    nvstor.sys
    nvgts.sys
    nvatabus.sys
    iaStorV.sys
    ahcix86s.sys
    viamraid.sys
    lsi_scsi.sys
    vmscsi.sys
    IdeChnDr.sys
    jraid.sys
    si3112r.sys
    lsi_sas.sys
    ahcix86.sys
    si3112.sys
    viasraid.sys
    nvrd32.sys
    fasttx2k.sys
    nvraid.sys
    SiSRaid.sys
    adpu160m.sys
    nvidesm.sys
    UlSata.sys
    Si3114r5.sys
    vsmraid.sys
    iteraid.sys
    ftsata2.sys
    adpu320.sys
    iteatapi.sys
    Fasttrak.sys

    Sadly, the computers that no longer boot after the MS10-015 patch can now only be helped with a boot CD.

    This situation again stresses that you need a second opinion scanner, as your AV might have missed something. In the case of TDL3, a 74.8% chance.

    The detection and removal is all done by Hitman Pro while the identification of the threats is done in the cloud by 7 AVs from our 5 partners: Prevx, G Data, Eset, Avira and a-squared.

    Note that while these partners have signatures for the constantly changing TDL3 rootkit, they are all currently unable to find the rootkit while its stealth is active. So far Hitman Pro has no problems in detecting it. But the TDL3 authors are constantly improving their armor ...

    Finally, a sign of TDL3 infection is when you're browsing the web and you are frequently redirected to websites you didn't expect to go to. TDL3 modifies DNS query results. See also here.

    _________________

    Info about MS10-015 rootkit issues here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html

    Technical info about TDL3 can be read here: http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html

    Press release on TDL3 removal here: http://www.surfright.nl/en/home/press/hitman-pro-35-removes-tdl3-rootkit
     
    Last edited: Feb 12, 2010
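The post above makes the choice of removal tool depend on which storage driver the machine uses (Combofix only for the atapi.sys case), and lists the drivers TDL3 has been found in. The following is an added example, not code from the post, Hitman Pro or Combofix: it runs Microsoft's `driverquery.exe`, matches the loaded kernel drivers against the post's list, and applies the post's Combofix rule. Assumptions: `driverquery /v /fo csv` emits "Module Name", "State" and "Path" columns, and the embedded `SAMPLE_CSV` is constructed, not captured from a real system. Because TDL3 serves the clean driver image to the OS, this tells you which driver is the candidate, not whether it is infected.

```python
"""Identify the storage driver(s) loaded on this machine and check them against
the TDL3 target list from the post.  Added example; uses Microsoft's driverquery.exe."""
import csv
import io
import subprocess
from typing import Dict, List

# Driver file names from the post, lower-cased for case-insensitive matching.
TDL3_TARGET_DRIVERS = {n.lower() for n in """
    atapi.sys iaStor.sys nvstor32.sys nvata.sys nvstor.sys nvgts.sys nvatabus.sys
    iaStorV.sys ahcix86s.sys viamraid.sys lsi_scsi.sys vmscsi.sys IdeChnDr.sys
    jraid.sys si3112r.sys lsi_sas.sys ahcix86.sys si3112.sys viasraid.sys nvrd32.sys
    fasttx2k.sys nvraid.sys SiSRaid.sys adpu160m.sys nvidesm.sys UlSata.sys
    Si3114r5.sys vsmraid.sys iteraid.sys ftsata2.sys adpu320.sys iteatapi.sys
    Fasttrak.sys
""".split()}

# Constructed stand-in for `driverquery /v /fo csv` output (assumed column names):
# an Intel RAID box that also has atapi loaded for its optical drive.
SAMPLE_CSV = (
    '"Module Name","State","Path"\n'
    '"atapi","Running","C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys"\n'
    '"iaStor","Running","C:\\WINDOWS\\system32\\DRIVERS\\iaStor.sys"\n'
    '"nvraid","Stopped","C:\\WINDOWS\\system32\\DRIVERS\\nvraid.sys"\n'
    '"Beep","Running","C:\\WINDOWS\\system32\\drivers\\Beep.SYS"\n'
)


def parse_driverquery_csv(text: str) -> List[Dict[str, str]]:
    """Parse driverquery CSV (one row per driver) into dicts keyed by column header."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def find_target_drivers(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows whose image file name is on the post's TDL3 target list."""
    hits = []
    for row in rows:
        path = (row.get("Path") or "").strip()
        fname = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if fname in TDL3_TARGET_DRIVERS:
            hits.append({"module": (row.get("Module Name") or "").strip(),
                         "file": fname,
                         "state": (row.get("State") or "").strip().lower(),
                         "path": path})
    return hits


def combofix_applicable(hits: List[Dict[str, str]]) -> bool:
    """The post's rule as read here: Combofix is an option only when atapi.sys is
    the sole running driver from the target list."""
    running = {h["file"] for h in hits if h["state"] == "running"}
    return running == {"atapi.sys"}


def live_driverquery() -> str:
    """Run driverquery on Windows; raises OSError elsewhere or if the tool is missing."""
    return subprocess.run(["driverquery", "/v", "/fo", "csv"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        text = live_driverquery()
    except (OSError, subprocess.CalledProcessError):
        print("driverquery unavailable; falling back to the constructed SAMPLE_CSV")
        text = SAMPLE_CSV
    found = find_target_drivers(parse_driverquery_csv(text))
    for h in found:
        print("%-10s %-8s %s" % (h["module"], h["state"], h["path"]))
    print("Combofix applicable per the post's rule:", combofix_applicable(found))
```

Run it from an elevated prompt on the suspect machine; a result of `False` with a running iaStor/nvstor/etc. means, by the post's rule, a tool that handles the non-atapi case (or a boot CD) is needed.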
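The post above names unexpected browser redirects as a symptom and states that TDL3 modifies DNS query results. A practical way to look for that is a cross-view comparison: what the OS resolver hands applications versus what a resolver on the wire actually answers. The block below is an added example, not code from the post or from Hitman Pro; it builds and parses DNS packets by hand so it does not depend on the system resolver for the second view. The reference resolver address (8.8.8.8) and the host names in the demo are assumptions. Caveat: a kernel-mode rootkit can tamper with raw sockets as well, so agreement proves nothing, while a mismatch is a lead to confirm from clean boot media; CDN-fronted names can also legitimately differ between resolvers.

```python
"""Cross-view DNS check: OS resolver versus a direct UDP query to a reference resolver.
Added example, not from the thread.  RFC 1035 wire format, A records only."""
import socket
import struct
from typing import List, Optional


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a recursive A-record query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data: bytes, expected_qid: Optional[int] = None) -> List[str]:
    """Extract IPv4 strings from the answer section; reject wrong IDs and error RCODEs."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("DNS transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips


def system_view(name: str) -> List[str]:
    """What applications on this machine get from the OS resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def direct_view(name: str, resolver: str = "8.8.8.8", qid: int = 0x1234,
                timeout: float = 3.0) -> List[str]:
    """Ask a reference resolver over raw UDP, bypassing the OS resolver and its cache.
    The resolver address is an assumption; use one you trust."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return sorted(parse_a_records(data, qid))


def compare_views(system_ips: List[str], direct_ips: List[str]) -> str:
    """'consistent' if the views share an address, 'MISMATCH' if disjoint,
    'inconclusive' if either side is empty."""
    if not system_ips or not direct_ips:
        return "inconclusive"
    return "consistent" if set(system_ips) & set(direct_ips) else "MISMATCH"


if __name__ == "__main__":
    # Host names are assumptions; repeat over several names and over time, since
    # geo-distributed names may legitimately answer differently per resolver.
    for host in ("www.microsoft.com", "www.google.com"):
        try:
            sys_ips, net_ips = system_view(host), direct_view(host)
        except (OSError, ValueError) as exc:
            print("%-22s error: %s" % (host, exc))
            continue
        print("%-22s %-12s os=%s direct=%s"
              % (host, compare_views(sys_ips, net_ips), sys_ips, net_ips))
```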
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    :thumb: :-*
     
  3. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Last edited: Feb 12, 2010
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    I have made a video of the TDL3 rootkit + MS10-015 patch that results in an unbootable computer.

    You can view the YouTube video here.
     
  5. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    Thanks for posting and sharing the video.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    So, do we trust in av?

    erik pmed you know where
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    As Meriadoc said in this post ...

    TDL3 authors have updated their rootkit to version 3.25 which solves the rootkit's incompatibility with the MS10-015 patch.

    This shows that the TDL3 authors are on it and shows their level of professionalism.

    I have made another movie to illustrate that the MS10-015 patch is no longer a problem for TDL3.

    You can view the movie here:
    http://www.youtube.com/watch?v=Jbw2d2JqLNs

    Also, Microsoft have started pushing out the MS10-015 patch again so TDL3 is just in time ;)
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Yes, it's certainly nice of the tdl developers to be so caring. ;)
     
  9. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    Hi Erik,
    Good job! Quick question about the video: what happened to the 34.tmp file that was detected during the original scan? It didn't show up on a second scan after reboot; did the trojan itself clean it up on restart?
    Thanks!
     
  10. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Microsoft could have done that on purpose :D to force those infected users to reformat. I am betting that at least 50% of them will say "my computer has crashed, I need to get a new one..." and they will go out and buy a Win7 64-bit PC. Problem solved.

    Good job Microsoft
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Triple Helix

    Good link, thanks. Nice of them to care :D not about us though, only trying to make sure they get their crap installed :D
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Does anyone know from experience how this TDL3 rootkit gets installed?

    Most of the articles talk about what it does once installed, but nothing about the method of delivery.

    Thanks,

    -rich
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Hi, apart from any other ways, it seems like it's the usual methods of tricking unwary/unprotected users into clicking and running Rogue AVs :(

    Rogues http://www.bleepingcomputer.com/virus-removal

    Fake AV - Internet Antivirus Pro http://forum.sysinternals.com/forum_posts.asp?TID=21935

    Rootkit TDL 3 http://forum.sysinternals.com/forum_posts.asp?TID=21266&PN=1

    Rootkit 4DW4R3 http://forum.sysinternals.com/forum_posts.asp?TID=21838

    Info http://rootbiez.blogspot.com/2009/11/rootkit-tdl3-why-so-serious-lets-put.html
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    The rootkit indeed cleans up after itself. Leave no trace after boot ;)
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the articles - I see it does use the same old tricks!

    I've seen this article, but it doesn't say anything about delivery methods, unless I missed something.


    ----
    rich
     
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    TDL3+ is heavily pushed at sharing sites bundled up in anticipated popular applications.

    keygen, crack and serial sites when scrutinised are usually connected and have the exact same content lists.

    Rogue scan pages that download a scanner.

    False porn sites that get you to download 'adobeflashplayer' to view porn.
     
    Last edited: Feb 16, 2010
  19. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Yes, the usual, social engineering, drive by downloads, etc.
    Zero-day flaws from the usual suspects, Internet Explorer and Adobe Flash and Reader?
    And most probably in cracks and rogues.
     
    Last edited: Feb 16, 2010
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Hi Rich,

    sorry if I quote myself from the blog post :oops:

    http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

    I hope this helps :) If you have any other question, don't hesitate to ask.

    Cheers,

    Marco
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Marco for the link to your very informative blog! So, this trojan, while sneaky in its attempts to avoid detection/removal, installs by the same tried and true methods.

    In addition to what you reported then, others recently have noted web-based attacks by remote code execution. Are you aware of specific exploits, such as those that target IE6; PDF or SWF files, etc?

    In any case, prevention against those types of exploits has many solutions. I have this in my notes from one of your previous blogs that mentions prevention:

    Learning from Rustock rootkit
    http://www.prevx.com/blog/116/Learning-from-Rustock-rootkit.html
    Your bolding. Again, prevention today against remote code execution attacks has so many solutions, that the social engineering attacks seem to be more successful.

    Protecting against this method is more problematical, because of the tendency to download the kind of stuff you refer to. Only if the victim has a product that could detect the malware, would she/he be protected. I suppose that is what most people who download such stuff hope for. I notice comments in hijack forums, like: "But my AV was up to date."

    I noted especially this in your blog,

    because a few weeks ago, I saw a comment on another forum by a Mac user that the TDSS couldn't affect him/her. The usual Windows-bashing ensued, and it reminded me of an old exploit against the Mac from a couple of years ago. I dug this out of my notes last week for another thread:

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595
    Bojan was nice, and didn't point out which types of sites usually have this type of video exploit.

    Well, thanks to all of the good information in this thread, I see that this sneaky trojan can be prevented by the usual methods one would employ against both the remote code execution exploit, and the social engineering exploit.

    For all of the sophistication of today's malware, the delivery mechanisms for the dropper haven't changed much!

    regards,

    -rich
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We haven't found any exploit dropping the TDL3 rootkit

    Actually it's totally true:)
     
  23. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  24. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    TDL3 update fixed issue :D

    tdlcmd.dll updated , TDL at version 3.26
     
    Last edited: Feb 19, 2010
  25. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    That's all well and nice, but I'm seeing a bit of an over-reaction. :blink:
     