New TDL dropper variants exploit CVE-2013-3660
Recently, we have been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.
The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology:
We believe the variants are distributed by some exploit kits.
Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process’s privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET’s blog post, but with some minor updates.
Recap: TDL4 exploits the MS10-092 vulnerability in Microsoft Windows' Task Scheduler service to elevate the malware's process privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:
One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4-encoded data:
This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code – in this case, the exploit code went public three months ago.
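As an added illustration of the RC4-encoded configuration resource mentioned above (example code written for this page, not taken from the sample or from the post), the snippet below shows how an analyst would decode such a blob once a candidate key has been recovered, and how to tell a correct key from a wrong one. The key, the blob and the config layout are constructed placeholders, not values from the dropper.

```python
# Added example: decoding an RC4-encoded config blob of the kind the
# TDL dropper stores in its resource section. The key, blob and config
# layout below are CONSTRUCTED for illustration; the real sample's key
# and format are not given in the post.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace.
    A decrypted text config scores near 1.0; ciphertext or the output of
    a wrong key scores roughly 0.3 to 0.4."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob)

def decode_config(resource: bytes, key: bytes, threshold: float = 0.9):
    """Decrypt a resource blob with a candidate key; accept the result
    only if it looks like text. Returns the config string or None."""
    plain = rc4(key, resource)
    if printable_ratio(plain) < threshold:
        return None
    return plain.decode("ascii", errors="replace")

# Constructed stand-ins for the dropper's key and config (hypothetical).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_CONFIG = b"[main]\nversion=1\nserver=http://example.invalid/\n"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)  # what would sit in .rsrc

if __name__ == "__main__":
    print(decode_config(SAMPLE_RESOURCE, SAMPLE_KEY))   # the config text
    print(decode_config(SAMPLE_RESOURCE, b"wrong-key")) # None
```

In practice the resource bytes would be read out of the dropper's resource section with a PE parser, and the key recovered from the decryption routine in the dropper.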
Post by — Wayne
On 26/09/13 At 08:48 AM