Dec 09

TDSS Rootkit – TDL4 Version Uses Unpatched Windows Vulnerability.

Since Monday, we’ve repaired and cleaned about 6 computers infected with rogue antivirus software. They all were infected with the TDSS rootkit. The TDSS rootkit family is one of the most sophisticated rootkits circulating at this time. It first appeared in 2008, and it’s been improving since then. The creators are constantly patching, changing, and improving the rootkit to keep up with antivirus companies. The latest version of the rootkit – called TDL4 – was discovered earlier this month and takes advantage of a 0-day vulnerability in the Microsoft Windows operating system to escalate privileges. Kaspersky Lab published an article about it that you can read here.

From the article:

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE: 2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with the regular user privileges. [...] Interestingly, the rootkit’s installer has dedicated code allowing it to bypass some proactive protection tools. Some proactive protection tools hook the function NtConnectPort in SSDT to prevent TDL4 from injecting into spoolsv; if the port name is “\RPC Control\spoolss”, they return a notification stating that there was an attempt to penetrate the print spooler process. The creators of TDL4 came up with a simple “solution” to this problem: they hook ntdll.ZwConnectPort in the TDL4 process and check the value of the parameter ServerPortName sent to the function (a UNICODE string); if it is “\RPC Control\spoolss”, they replace it with an analogous one containing a symbolic link to the root directory of the object manager namespace.

TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.
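The defensive lesson in the passage quoted above is that the protection tools compared ServerPortName as a raw string, so any alias that names the same object passed the check. The Python below is an added example, not code from Kaspersky, from TDL4 or from any protection product: it contrasts the raw-string check with one that first canonicalizes the name through a table of symbolic links. The link names in SYMLINKS are constructed for illustration and are not claimed to exist on any Windows version, and the case-insensitive comparison mirrors the object manager's usual case-insensitive lookups, an assumption noted in the comments.

```python
# Added example (not Kaspersky's, TDL4's or any product's code): why matching the
# raw ServerPortName string is weak, and how canonicalizing the name first closes
# the gap. The symbolic-link table is constructed for illustration; the real
# object manager namespace contains links of this kind, but these names are not
# claimed to exist on any Windows version.

PROTECTED_PORTS = {r"\RPC Control\spoolss"}  # port name quoted in the article

# Constructed object-manager symbolic links: link path -> target path.
SYMLINKS = {
    r"\ExampleRoot": "\\",                          # hypothetical link to the namespace root
    r"\Sessions\0\Aliases\Spool": r"\RPC Control",   # hypothetical link to a subdirectory
}


def _split(name):
    """Break an object path into components, dropping empty pieces."""
    return [c for c in name.split("\\") if c]


def naive_is_protected(port_name):
    """The check the article describes: exact comparison of the raw string."""
    return port_name in PROTECTED_PORTS


def canonicalize(name, symlinks=SYMLINKS, max_depth=8):
    """Resolve leading symbolic-link components until none match.

    Matching is case-insensitive because object-manager lookups are normally
    performed with OBJ_CASE_INSENSITIVE (assumption stated here for clarity).
    max_depth bounds link chains so a self-referencing table cannot loop forever.
    """
    table = {tuple(c.lower() for c in _split(k)): _split(v) for k, v in symlinks.items()}
    comps = _split(name)
    for _ in range(max_depth):
        lowered = [c.lower() for c in comps]
        hit = None
        for n in range(len(comps), 0, -1):        # longest prefix first
            key = tuple(lowered[:n])
            if key in table:
                hit = (n, table[key])
                break
        if hit is None:
            return "\\" + "\\".join(comps)
        n, target = hit
        comps = target + comps[n:]
    raise ValueError("symbolic link chain exceeds max_depth")


def canonical_is_protected(port_name):
    """Compare after canonicalization, case-insensitively."""
    protected = {canonicalize(p).lower() for p in PROTECTED_PORTS}
    return canonicalize(port_name).lower() in protected


if __name__ == "__main__":
    for candidate in [r"\RPC Control\spoolss",
                      r"\ExampleRoot\RPC Control\spoolss",
                      r"\Sessions\0\Aliases\Spool\SPOOLSS"]:
        print(f"{candidate!r:45} naive={naive_is_protected(candidate)!s:5} "
              f"canonical={canonical_is_protected(candidate)}")
```

Running the block prints the three candidates; only the first passes the naive check, while all three are recognized once the name is canonicalized. The same principle applies to any name-based allow or deny list: compare the object the name resolves to, not the spelling of the name.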

You can also read a thorough analysis of this threat here.

TDSS is a tough one to get rid of, but it’s not impossible. Kaspersky Lab has a utility called TDSSKiller. Run the utility following the instructions on the page, and you’ll more than likely be able to rid your computer of this rootkit. At the time of this writing, their tool is able to remove the most recent version of TDSS.

I use a slightly different technique to get rid of most TDSS infections. I pull the hard drive out of the computer and attach it to a VM running an up-to-date version of Kaspersky. I scan the hard drive and remove any infection found. This usually removes the infected files and any traces of the rootkit. I then install the hard drive back in the computer, turn it on, and run some scans with other antimalware tools to get rid of any other infections. I usually use tools like Malwarebytes, SUPERAntiSpyware, and an up-to-date, reputable antivirus. I do some other things and run some other tools to get rid of any traces of the infection. Explaining exactly how I clean an infected computer is out of the scope of this post though. Every infection is a bit different, and some special considerations need to be taken. If you need help just email me. A good source to learn about disinfecting computers is the Bleeping Computer site or the Major Geeks Malware Removal Forum.

That’s it for today. Until next time.

Mar 09

New Vodafone HTC Magic phone contains malware – Mariposa botnet and Conficker.

It is interesting how many reputable companies these days are providing malware-infected devices or software to their customers. They need to have a serious talk with whoever is in charge of doing QA at these places.

Vodafone now joins the list of vendors who provide malware free of charge to their customers. A Panda Labs Gal apparently received a new phone with malware installed in it. You can read more about it in the Panda Research Blog.

This just shows what I’ve been telling my customers all this time isn’t just me being paranoid. I always tell them that the first line of defense against computer attacks is them. I tell them to trust no one, not even their grandma, on the internet – ask questions first and click later.

Mar 06

Blue Screen of Death after installing Microsoft update.

This past February, before I put this blog online, I had an issue with some of my customers’ computers. Some of my customers called me asking for help because their computers wouldn’t load. They said their computers kept rebooting. I know it’s been almost a month now, but I think this issue deserves a post in this blog.

After troubleshooting the issue, I traced the source of the problem to a Microsoft update, more specifically update KB977165/MS10-015. As soon as I removed this update, the computer was able to load Windows perfectly fine.

This was odd though. Other computers where the same update was installed didn’t have this issue. This indicated that the problem was caused by something else – not the Microsoft update. I scanned the computer for viruses and found nothing. I re-installed the update and the computer entered the boot loop once again. After some more troubleshooting I traced the cause of the stop error to the file %System32\drivers\atapi.sys. There was a problem with this file. It had to be infected. I uploaded the file to virustotal.com, and the results came back clean in all but one of the scans. That one just said that the file was probably infected with a rootkit, but it wouldn’t give me more information.

This made sense. Rootkits are designed to hide themselves or other malware from antivirus applications. This is probably why the antivirus scan I ran didn’t catch anything.

I decided to take a different approach, and I took the hard drive out of the computer. I connected the hard drive to another computer and scanned it using an up-to-date antivirus (Kaspersky). The scan found several items and cleaned them successfully. One of the infected files was atapi.sys. After this, I installed the update and the computer didn’t reboot again.
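The approach described above (pull the drive and scan it from a clean system) works because a rootkit can only filter what the infected operating system itself reads; the bytes seen from another system are what is actually on disk. As an added example that is not from this post or from any vendor tool, the Python below checks the driver files on an offline-mounted volume against a baseline of known-good SHA-256 hashes and reports which are modified, missing or unexpected. The sample driver files and their baseline hashes are constructed in a temporary directory so the script runs offline; on a real volume the baseline would come from a clean install at the same patch level, which is an assumption of this example.

```python
# Added example (not the post's or any vendor's code): integrity check of an
# offline-mounted drivers folder against a baseline of known-good hashes.
# The volume contents and baseline below are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(drivers_dir, baseline):
    """Compare every file in drivers_dir with the baseline.

    Returns {filename: "ok" | "modified" | "missing" | "unexpected"}.
    "unexpected" flags files the baseline does not know about, which is how a
    dropped driver shows up; "modified" is the atapi.sys case from the post.
    """
    present = {p.name: p for p in Path(drivers_dir).iterdir() if p.is_file()}
    report = {}
    for name, expected in baseline.items():
        if name not in present:
            report[name] = "missing"
        elif sha256_file(present[name]) == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in present:
        if name not in baseline:
            report[name] = "unexpected"
    return report


def build_demo_volume():
    """Constructed stand-in for an offline-mounted System32\\drivers folder.

    Returns (path, baseline). The baseline is taken from the clean contents;
    the folder is then written the way an infected machine would leave it.
    """
    root = Path(tempfile.mkdtemp(prefix="offline_drivers_"))
    clean = {
        "atapi.sys": b"CONSTRUCTED clean atapi.sys bytes",
        "disk.sys": b"CONSTRUCTED clean disk.sys bytes",
        "ntfs.sys": b"CONSTRUCTED clean ntfs.sys bytes",
    }
    baseline = {n: hashlib.sha256(b).hexdigest() for n, b in clean.items()}
    on_disk = dict(clean)
    on_disk["atapi.sys"] = b"CONSTRUCTED atapi.sys with extra bytes appended"  # tampered
    del on_disk["ntfs.sys"]                                                     # removed
    on_disk["extra.sys"] = b"CONSTRUCTED unknown driver"                        # dropped
    for n, b in on_disk.items():
        (root / n).write_bytes(b)
    return root, baseline


def demo():
    """Build the constructed volume and return the integrity report."""
    root, baseline = build_demo_volume()
    return check_drivers(root, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

On a real volume a stronger baseline is the driver's Authenticode signature rather than a hash list, since a signed Microsoft driver can be verified without a known-good copy; the hash list here keeps the example self-contained. Either way the check must be run from a clean system against the mounted drive, for the reason the post gives.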

So there you have it. The problem was caused by an infection on the PC.

My suspicions were later confirmed by Microsoft. They apparently took some customers’ computers with them to check them and found the source of the problem. They state on their security response blog that the problem was caused by the Alureon rootkit.

They state on their blog:

the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

So there you have it. They later released a version of the update that does not install if it detects the system is in a state that will cause it to enter this reboot loop.

If you are a victim of this problem, make sure your computer is free from infection. Microsoft recommends re-installing your operating system if you cannot get rid of the infection.

I don’t think this is necessary. If you are in the Phoenix Arizona area and need assistance with this issue, you can contact us and we will gladly help you.
