New TDL dropper variants exploit CVE-2013-3660

Recently, we have been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology:

TDL4_clone_exploited_in_the_wild (295k image)

We believe the variants are distributed by some exploit kits.

Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process’s privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET’s blog post, but with some minor updates.

Recap: TDL4 exploits the MS10-092 vulnerability in the Microsoft Windows Task Scheduler service to elevate the malware's process privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:

TDL4_clone_ExploitingCVE_2013_3660 (30k image)

One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4-encrypted data:

TDL4_clone_config_ini (6k image)
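As an added illustration of the analyst-side step this implies (not code from the original post or from the malware): once the key has been recovered from the dropper, the resource blob is RC4-decrypted and checked for an INI-style layout. The key, the sample configuration and the candidate-key loop below are constructed for this example; the post does not give the real key or config contents.

```python
# Added example (not from the original post): RC4-decrypt a blob carved from a
# dropper's resource section and check whether the result looks like an INI
# configuration. SAMPLE_KEY and SAMPLE_CONFIG are constructed, not real values.
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

INI_SECTION = re.compile(rb"^\s*\[[^\]\r\n]+\]\s*$", re.M)
INI_KEYVAL = re.compile(rb"^\s*[\w.]+\s*=.*$", re.M)

def looks_like_ini(blob: bytes) -> bool:
    """Heuristic: mostly printable text with at least one [section] and one key=value line."""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
    if not blob or printable / len(blob) < 0.95:
        return False
    return bool(INI_SECTION.search(blob)) and bool(INI_KEYVAL.search(blob))

def try_decrypt_config(resource: bytes, candidate_keys):
    """Return (key, plaintext) for the first key that yields INI-looking text, else None."""
    for key in candidate_keys:
        plain = rc4(key, resource)
        if looks_like_ini(plain):
            return key, plain
    return None

# Constructed sample: an INI-style config encrypted with a made-up key, standing
# in for the blob carved out of the dropper's resource section.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_CONFIG = b"[main]\nversion=0.1\nbuild=sample\n[servers]\n0=http://example.invalid/\n"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    hit = try_decrypt_config(SAMPLE_RESOURCE, [b"wrong-guess", SAMPLE_KEY])
    print(hit[1].decode() if hit else "no candidate key produced an INI-looking config")
```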

This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code – in this case, the exploit code went public three months ago.

Post by Wayne on 26/09/13 at 08:48 AM

Read more: New TDL dropper variants exploit CVE-2013-3660

Story added 26 September 2013; the content source with the full text can be found at the link above.