TDSS/SafeSys Exploits in the Wild

Discussion in 'malware problems & news' started by Rmus, Jul 3, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Why did she not have protection in place against the drive-by download exploit to block unauthorized executables?

    ----
    rich
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, the mention of that vulnerability struck me as strange. But maybe the TDSS folks are using it for HIPS bypass. If the TDSS dropper is executed by an admin, it'll have enough privileges to screw with various kinds of system objects, and most HIPS products probably don't check for such a method of driver installation.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    pg-dll.gif


    My REG

    reg.gif

    I wonder if the updated V2.0 patch changed something/s which in some way/s made it vulnerable again, but in an unforseen manner ? Plus it says The initial version of this bulletin provided a workaround not a fix !

    Here's my Known DLL's XP/SP2

    known.gif
     
  5. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,970
    Well my family accidentally ran into one of these Tdss/TDL3 samples yesterday and like always it downloaded a fake (which was blocked by the AV)

    A family member went to a blog to read an article, as soon as we got to the blog Java started to load and we were offered to download some com file which was titled Microsoft help and support center. We exited it thinking nothing happened and then left for a little bit. When we came back a The file is infected would you like to activate the antivirus message was on the machine. Well it locked us out of the machine till a family member ran Hitman PRO to clean it up.

    I do wonder if using Firefox would have blocked the drive by download (we did not click anything so I think it broke past IE)
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :) Leave it to HMP to deliver a kill shot
    It can be quite sophisticated often with an exploit kit scanning the visitor for known vulnerabilities in their browser, whether that is ie, firefox or other.

    This youtube video on BLADE -http://www.youtube.com/watch?v=9emHejh8hWE- is quite interesting and should give idea. There's quite a bit discussed on the forums on helping prevent drive-bys and their damage such as noscript, sandboxie, lua, drop my rights, hips, uac...
     
    Last edited by a moderator: Jul 8, 2010
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Blade - Brought to us by the same company who developed Remote Viewing.
    And talk here since February, but no release. What's the hubbub, bub?

    Wait...I'm getting an image... of the website..."coming soon" gets replaced...with the words "release"... I'm getting a date associated with the event...September 10.

    Now we just wait and see if I were a good McMonagle student. :D

    Blade would be a good shot against malwares like TDSS. Limiting malware authors distribution options will make the malware fight somewhat easier.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Based on what you write, it might be one of the current exploits against IE:

    Microsoft Security Advisory (2219475)
    Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/2219475.mspx

    This is scheduled to be patched next Patch Tuesday/13. Go to the link in this thread:

    Microsoft Security Bulletin Advance Notification for July 2010
    https://www.wilderssecurity.com/showpost.php?p=1709384&postcount=2

    Without seeing the blog page, one can only assume that it was a compromised page that redirected to the malicious site. Most sites these days, as Meriadoc points out, have exploit kits which first determine the browser. If Firefox or Opera, one exploit served up would be PDF. This is not an exploit against the browser; rather, it's against the PDF reader, and the browser is just the trigger point. Whether such an exploit succeeds depends on the script and plugin settings.

    ----
    rich
     
    Last edited: Jul 9, 2010
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Have you actually tried initially executing TDSS/Safesys with ProcessGuard and did the latter block or prompt for driver loading, raw disk access, dll injections, or any other malware behaviour?
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    No i havn't :D because even though i'm trying out Shadow Defender, until it runs out in 27 days :( i don't want to risk it :p What to do after the 27 days is up ?

    Have you executed TDSS/TDL/Safesys etc, if so what were your experiences ?
     
  11. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    i came across this fixing a mates laptop i used highjack this to remove it had to delete a couple of dll's it seems to be gone he had no antivirus i run a scan after installing mse all clean :D
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    I would be Very surprised if one of those RK's was eliminated with HJT. The fact that MSE detected nothing doesn't mean it's not still lurking in there.

    Run some specialist dedicated removal tools, and MBAM etc.
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Though ProcessGuard have unbeatable AE features. I doubt it is capable of stopping TDSS/Safesys on their tracks. I would choose newer more featured HIPS to test those (particularly those with kernel driver loading controls, and usermode raw disk access).
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    culla that is very lol :)

    @trismegistos
    Indeed ProcessGuard prevents TDL/TDSS and SafeSys execution and driver :) + any injection and termination.
     
    Last edited: Jul 10, 2010
  15. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    lol yes i disabled all start up processes first run glary utilities ccleaner hjt he's using it now without problems :D
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Perhaps it wasn't these infections.
     
  17. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    i remember the safesys being there :D maybe different
     
  18. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    This TDSS rootkit was found being distributed through Twitter.
    http://stopmalvertising.com/malware-reports/fake-tweetdeck-update-silently-installs-tdss.html

    At the end of the report you can see that of course ProcessGuard has no problems stopping the driver from being installed.
     
    Last edited: Nov 19, 2010
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ Moore

    Thanks for the ProcessGuard etc link/info :) :thumb:
     
  20. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.