Microsoft announced on the SBS team blog a few days ago that SBS 2011 has been released to manufacturing. This is good news. We can expect to purchase the software early next year. I’ve been playing with SBS 7 for a while now, and it’s good to have the Server 2008 R2 and Exchange 2010 features at our disposal. It’s fairly stable for a beta, and I haven’t had any major issues so far. You can read about this news here.
Since Monday, we’ve repaired and cleaned about 6 computers infected with rogue antivirus software. They were all infected with the TDSS rootkit. The TDSS rootkit family is one of the most sophisticated rootkits circulating at this time. It first appeared in 2008, and it’s been improving since then. The creators are constantly patching, changing, and improving the rootkit to keep up with antivirus companies. The latest version of the rootkit – called TDL4 – was discovered earlier this month and takes advantage of a 0-day vulnerability in the Microsoft Windows operating system to escalate privileges. Kaspersky Lab published an article about it that you can read here.
From the article:
In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.
Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. [...] Interestingly, the rootkit’s installer has dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is “\RPC Control\spoolss”, they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is “\RPC Control\spoolss”, they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.
TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.
You can also read a thorough analysis of this threat here.
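The quoted passage explains why the proactive tools’ hook was evadable: it compared the raw ServerPortName string, so any other spelling of the same object path slipped past it. The following is an added example written for this post (not code from Kaspersky or from the rootkit) showing the naive comparison next to a hardened one that canonicalises the NT object path before matching. It assumes that the object manager exposes GLOBALROOT as a symbolic link to the namespace root; the alias table and the sample names are constructed for illustration.

```python
import re

# ASSUMPTION: object-manager symbolic links that resolve to the namespace root "\".
# On a real system these would be enumerated from the object manager, not hard-coded.
ROOT_ALIASES = (
    r"\??\GLOBALROOT",
    r"\GLOBAL??\GLOBALROOT",
)

# Port names a protection tool wants to guard (stored in canonical, lower-case form).
PROTECTED_PORTS = {r"\rpc control\spoolss"}


def canonicalize_nt_path(name: str) -> str:
    """Reduce an NT object path to one canonical spelling:
    collapse repeated separators, strip aliases of the root directory
    (repeatedly, in case they are stacked), and lower-case the result,
    since NT object names are compared case-insensitively."""
    path = re.sub(r"\\{2,}", r"\\", name.strip())
    stripped = True
    while stripped:
        stripped = False
        for alias in ROOT_ALIASES:
            if path.lower().startswith(alias.lower()):
                path = path[len(alias):] or "\\"
                stripped = True
    if not path.startswith("\\"):
        path = "\\" + path
    return path.lower()


def naive_check(server_port_name: str) -> bool:
    """The evadable hook logic: literal comparison of the raw parameter."""
    return server_port_name == r"\RPC Control\spoolss"


def hardened_check(server_port_name: str) -> bool:
    """Compare only after canonicalisation, so equivalent spellings match."""
    return canonicalize_nt_path(server_port_name) in PROTECTED_PORTS


if __name__ == "__main__":
    # Constructed sample: the plain name and an alias-prefixed spelling of the same object.
    for name in (r"\RPC Control\spoolss", r"\??\GLOBALROOT\RPC Control\spoolss"):
        print(f"{name!r}: naive={naive_check(name)} hardened={hardened_check(name)}")
```

The point for a defender is that any check on an attacker-supplied object name has to normalise the name first; a string match on one spelling only documents the one spelling the attacker will avoid.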
TDSS is a tough one to get rid of, but it’s not impossible. Kaspersky Lab has a utility called TDSSKiller. Run the utility following the instructions on the page, and you’ll more than likely be able to rid your computer of this rootkit. At the time of this writing, their tool is able to remove the most recent version of TDSS.
I use a slightly different technique to get rid of most TDSS infections. I pull the hard drive out of the computer and attach it to a VM running an up-to-date version of Kaspersky. I scan the hard drive and remove any infection found. This usually removes the infected files and any traces of the rootkit. I then install the hard drive back in the computer, turn it on, and run some scans with other antimalware tools to get rid of any other infections. I usually use tools like Malwarebytes, SUPERAntiSpyware, and an up-to-date, reputable antivirus. I do some other things and run some other tools to get rid of any remaining traces of the infection. Explaining exactly how I clean an infected computer is out of the scope of this post, though. Every infection is a bit different, and some special considerations need to be taken. If you need help, just email me. A good source to learn about disinfecting computers is the Bleeping Computer site or the Major Geeks Malware Removal Forum.
That’s it for today. Until next time.