TDL4 rootkit copies Stuxnet, targets Windows users

Discussion in 'malware problems & news' started by trismegistos, Dec 9, 2010.

Thread Status:
Not open for further replies.
  1. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    More from this site.... http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1524816,00.html
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hmm... a rather vague statement; are antivirus programs the only antimalware programs under consideration?

    The dropper, of course, needs to install before the rootkit can be launched. Checking a current remote code execution exploit from a malware domain list -- it is easily blocked by any number of white list solutions:

    [screenshot: tdss.gif]

    Now, trick-to-click exploits are another matter, where only a blacklisting program that has a signature will alert the potential victim.

    Earlier this year, Marco of Prevx mentioned a few of the attack vectors where trick-to-click exploits are eagerly awaiting potential victims:

    The only thing "new" in the latest incarnation of this malware is the rootkit itself.

    Again, from the searchsecurity article:

    But from a preventative point of view, nothing has changed. Too bad the article didn't discuss this, for the uninformed reader will be needlessly fearful.

    ----
    rich
     
    Last edited: Dec 10, 2010
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Beautifully said.

    If the gears in the machine won't turn because they're not allowed to, there's no need to worry about an impending disaster.
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    TDL4 exploits Windows Task Scheduler flaw

    Full Story: http://www.prevx.com/blog/164/TDL-exploits-Windows-Task-Scheduler-flaw.html

    TH
     
    Last edited: Dec 12, 2010
  5. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    It's always nice in these situations to be able to beat something to the punch.
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Not everyone is as security oriented as most are here and there are some happy clickers out there!

    TH
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: TDL4 exploits Windows Task Scheduler flaw

    For those who haven't delved into the details of exploit kits, here is a good summary from last May. Click on the first screenshot to expand the list of exploits used (as of May).

    An Overview of Exploit Packs
    http://blogs.mcafee.com/mcafee-labs/an-overview-of-exploit-packs

    As one writer noted, with such a broad array of exploits available in these kits, the average user, not aware of necessary security precautions (including updates), is prone to either a browser or 3rd party application exploit when led or redirected to one of these compromised sites.

    In my post above, the exploit was a Java vulnerability (the white square had the Java logo until the security alert appeared) that triggered using IE6.

    It's amazing how the concept of a "business model" has evolved in the cybercriminal's world. Here is a good description from last year, when the Fragus Exploit Kit emerged on the scene. You get a good idea of how the cybercriminal can easily set up a Command and Control center for a botnet:

    Fragus. New botnet framework In-the-Wild
    http://evilfingers.blogspot.com/2009/08/fragus-new-botnet-framework-in-wild.html

    Marco mentions the current Task Scheduler 0-day vulnerability. Can a current or recent exploit become added quickly to exploit kits?

    Once the Kit software has been installed, it's very easy to add new exploit code as it becomes available on the internet, so researchers have noted the quick inclusion of current exploits, especially PDF exploits.

    Of course, for all of the intricacy and sensationalism of Exploit Kits, they depend on remote code execution (drive-by download) which, in all cases so far, attempts to install a binary executable file -- so easily prevented by many white list or execution prevention solutions today.

    The fact that these exploits continue to be so successful means that most people are not aware of these solutions. But that is a topic for another thread.

    ----
    rich
     
    Last edited: Dec 12, 2010
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Quote EP_X0FF:
    KernelMode

    keygen_v.41.18.11.g.exe - 19/43 - Win32:Alureon-MT - MD5: 31db7a22df02e1a91db9afda4f02f3bf
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have seen an interesting one, of which I do not know whether this is a variant of TDL4.

    1. Flash movie is started by user in browser (running LUA!)
    2. Dropper is downloaded when Flash movie plays
    3. Shell code egg trigger is hidden in Flash movie
    4. At some time during Flash movie, taskeng is accessed trying to take control over it (debug mode, why that passed UAC is a mystery to me)
    5. Task Scheduler adds a startup task
    6. Signed installer executes probably at next boot

    Regards Kees
     
    Last edited: Dec 15, 2010
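    As an added example (not from any poster in this thread), a small Python audit for the persistence step in the list above: it parses Task Scheduler XML task definitions and flags tasks that run at boot or logon with elevated rights, or that launch something from outside the Windows and Program Files directories. The two sample task definitions, the environment-variable table and the assumption that C: is the system drive are constructed for this example.

```python
"""Audit Task Scheduler XML for tasks that run at boot/logon with elevated
rights from an untrusted path. Constructed sample tasks are embedded below;
on a real host you would feed in `schtasks /query /tn <name> /xml` output."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"          # LocalSystem
# Simplification for this example: assume C: is the system drive.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
       "%programfiles%": "c:\\program files"}

def normalize_command(raw):
    """Lower-case, strip quotes and expand the few env vars the samples use."""
    cmd = raw.strip().strip('"').lower()
    for var, value in ENV.items():
        cmd = cmd.replace(var, value)
    return cmd

def audit_task(xml_text):
    """Return the list of findings for one task definition (empty = nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings = []
    triggers = root.find("t:Triggers", NS)
    startup = [t.tag.rsplit("}", 1)[-1] for t in (triggers if triggers is not None else [])
               if t.tag.endswith(("BootTrigger", "LogonTrigger"))]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    user_id = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    elevated = run_level == "HighestAvailable" or user_id == SYSTEM_SID
    for command in root.findall("t:Actions/t:Exec/t:Command", NS):
        cmd = normalize_command(command.text or "")
        if not cmd.startswith(TRUSTED_PREFIXES):
            findings.append("untrusted path: " + cmd)
    if startup and elevated:
        findings.append("elevated at " + "/".join(startup))
    return findings

# Constructed samples (real task files are UTF-16 with an XML declaration; omitted here).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Users\Public\setup.exe"</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2010-12-15T03:00:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-19</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\system32\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, audit_task(xml_text))
```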
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi. TDL4 is regularly harvested over at kernelmode.info. Look to the description for the one you want.
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Not surprising to me, it is a privilege escalation attack, the attack code is running in kernel mode bypassing UAC/LUA and potentially Sandboxie (default). It is obviously combined with a separate initial shellcode, the zero-day remote code execution exploit to the Flash Player vulnerability, in order to download and execute the dropper containing the shellcode for the subsequent local kernel exploit (Elevation of Privilege) to gain access.

    SRP/AppLocker/HIPS/AE/Sandboxie's start-run restriction could possibly stop the dropper binary (kernel exploit) from running.

    If you have that malware that's a prized collection for testers. ;)
     
    Last edited: Dec 15, 2010
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I like the fact Windows XP is not affected by this, har, har.
    The vulnerability in task scheduler that is ...
    Mrk
     
  13. Pandorian

    Pandorian Registered Member

    Joined:
    Sep 25, 2009
    Posts:
    11
    I thought that the task scheduler bug was resolved in the latest windows update? o_O
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Yes it was, but I'm talking about all this hype ...
    Apparently, having an old OS merits unintended security points.
    Mrk
     
  15. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I never run things...scheduled, that is...;) XP is good, still.;)
     
