Monday, February 28, 2011

TDL4 exploits Windows Task Scheduler flaw

Next Tuesday is Microsoft patch day. Microsoft is going to release 17 updates addressing 40 flaws, among them two critical vulnerabilities that allow remote code execution and four elevation of privilege vulnerabilities.

One of the elevation of privilege flaws being addressed is the last of the 0-day exploits used by the Stuxnet malware that still remained unpatched. The flaw has already been publicly disclosed, and a proof-of-concept exploit was released online in November, opening the door to malicious use. Microsoft has officially known about it since September.

Exploiting this flaw has become so trivial that the authors of the TDL rootkit have started using it to escape the restrictions of limited accounts and UAC-protected accounts. As our readers may remember, we have discussed the TDL rootkit many times on this blog as the most advanced rootkit in the wild at the moment, and this latest update shows that its authors are still actively developing the malware.

The biggest obstacle the TDL rootkit could run into was being executed from a limited account or a UAC-protected account, where it lacks the privileges needed to load its own kernel mode driver or to overwrite the MBR. Previously the rootkit could infect Windows only after the user had granted it administrative privileges (assuming the user is logged in to a limited account or an account protected by UAC).

Now, by exploiting the Windows Task Scheduler flaw, the rootkit is able to fully infect the system without any visual warning that might alert the user. We have found the rootkit being dropped by exploit kits on compromised websites, as well as through the usual vectors such as cracks and warez sites.

After the dropper is executed, it first tries to load its own driver using the old, well-known AddPrintProvidor trick (the misspelling is the real name of the API) to evade detection by some classic HIPS products. If the call fails with ERROR_ACCESS_DENIED, the dropper assumes it is running in a limited account and sets up everything needed to exploit the Windows Task Scheduler vulnerability CVE-2010-3888 (Microsoft's bulletin MS10-092 addresses the same flaw as CVE-2010-3338). TaskEng.exe, the Task Scheduler engine, then executes the dropper again with SYSTEM privileges.

Besides that, there are no major changes to the rootkit code itself. The TDL4 kernel mode component was updated to version 0.03 earlier last month. That update added filtering of ATA Pass Through commands by the rootkit, which was one of the last remaining ways to bypass its filtering engine from user mode; SCSI Pass Through commands had already been filtered since version 3.273 of the previous TDL3 release.

The rootkit is still able to hit x64 versions of Windows by overwriting the MBR with its own loader. As we wrote in a previous blog post, the rootkit patches the MBR and restarts the system to immediately take control of the system startup routine. It then patches the Boot Configuration Data (BCD) to disable the Windows driver code signing check.
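The check that the pass-through filtering described above is meant to defeat, written out as an added example (this is not code from the post, nor the rootkit's): parse a raw 512-byte MBR and compare the sector as returned by several read channels. A sector filter that hides the bootkit returns the clean original on the channels it hooks, so any channel it does not yet hook shows different boot code behind an identical partition table. The channel names, the sample sectors and the "TDL-loader-stub" boot code bytes are constructed for the demo; on a real system each view would come from ReadFile on \\.\PhysicalDrive0, IOCTL_SCSI_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH, or an image taken while booted from trusted media.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: the boot code a bootkit replaces
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into a boot-code hash and its four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def compare_mbr_views(views: dict) -> dict:
    """Compare the MBR as returned by several read channels (name -> 512 bytes).

    Identical partition tables plus differing boot code is the signature of a
    hidden MBR overwrite rather than of a re-partitioned disk.
    """
    parsed = {name: parse_mbr(sector) for name, sector in views.items()}
    names = list(parsed)
    reference = parsed[names[0]]
    boot_code_mismatch = [n for n in names[1:]
                          if parsed[n]["boot_code_sha256"] != reference["boot_code_sha256"]]
    tables_match = all(parsed[n]["partitions"] == reference["partitions"] for n in names[1:])
    return {"reference": names[0],
            "boot_code_mismatch": boot_code_mismatch,
            "partition_tables_match": tables_match,
            "hidden_mbr_suspected": bool(boot_code_mismatch) and tables_match}


def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 0x100000)
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


CLEAN_MBR = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")          # stock-looking prologue (constructed)
BOOTKIT_MBR = _build_mbr(b"\xeb\x1e\x90" + b"TDL-loader-stub")   # replaced boot code (constructed)


def demo_filtered_disk() -> dict:
    """Model of the TDL3-era situation: file and SCSI reads filtered, ATA pass-through not."""
    return compare_mbr_views({
        "ReadFile(\\\\.\\PhysicalDrive0)": CLEAN_MBR,
        "IOCTL_SCSI_PASS_THROUGH": CLEAN_MBR,
        "IOCTL_ATA_PASS_THROUGH": BOOTKIT_MBR,
    })


def demo_fully_filtered_disk() -> dict:
    """Model of TDL4 0.03 as described in this post: every live channel is filtered."""
    return compare_mbr_views({
        "ReadFile(\\\\.\\PhysicalDrive0)": CLEAN_MBR,
        "IOCTL_SCSI_PASS_THROUGH": CLEAN_MBR,
        "IOCTL_ATA_PASS_THROUGH": CLEAN_MBR,
    })


def demo_offline_read() -> dict:
    """The same disk read from trusted boot media still exposes the real sector."""
    return compare_mbr_views({
        "ReadFile(\\\\.\\PhysicalDrive0)": CLEAN_MBR,
        "offline-image": BOOTKIT_MBR,
    })


if __name__ == "__main__":
    for demo in (demo_filtered_disk, demo_fully_filtered_disk, demo_offline_read):
        print(demo.__name__, demo())
```

The second demo is the caveat this post implies: once ATA Pass Through reads are filtered as well, every channel available from user mode agrees and the live comparison goes quiet, so the only view that still differs is one taken from outside the running system.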

To do so it installs its own Int 13h handler and intercepts reads of the BCD data, looking for the BcdLibraryBoolean_EmsEnabled element; when found, it is swapped for BcdOSLoaderBoolean_WinPEMode. Windows is then booted in WinPE mode, in which the driver signing check is disabled, and the rootkit is free to load its own kernel mode driver. The rootkit's Int 13h handler then intercepts the /MININT string and swaps it to IN/MINT, so that Windows does not recognize the boot parameter and resumes a normal Windows startup.
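An added example, not code from the post or from the rootkit, that models the two Int 13h substitutions described above so that a forensic comparison can spot them. It decodes BCD element type IDs by their documented bit layout (class in the top nibble, value format in the next nibble, subtype in the low 24 bits), which also shows why the swap is cheap for the rootkit: 0x16000020 and 0x26000022 share format 6 (boolean), so the stored value byte stays valid after only the type changes. It then compares a buffer as it sits on disk with the same data as a hooked read returned it. The sample bytes are constructed; the hive key-name encodings it scans for (ASCII and UTF-16LE hex) and the ASCII/UTF-16LE forms of /MININT are scanning assumptions, not taken from the rootkit's code.

```python
import struct

# BCD element type IDs are 32-bit: class in bits 31..28, value format in
# bits 27..24, element subtype in bits 23..0 (documented BCD_ELEMENT_DATATYPE layout).
BCD_CLASSES = {1: "Library", 2: "Application", 3: "Device"}
BCD_FORMATS = {1: "Device", 2: "String", 3: "Object", 4: "ObjectList",
               5: "Integer", 6: "Boolean", 7: "IntegerList"}

EMS_ENABLED = 0x16000020   # BcdLibraryBoolean_EmsEnabled  (bcdedit: bootems)
WINPE_MODE = 0x26000022    # BcdOSLoaderBoolean_WinPEMode  (bcdedit: winpe)
MININT_ORIGINAL = "/MININT"
MININT_SWAPPED = "IN/MINT"


def decode_bcd_element(type_id: int) -> dict:
    """Split an element type ID into its class, value format and subtype."""
    cls, fmt = type_id >> 28, (type_id >> 24) & 0xF
    return {"class": BCD_CLASSES.get(cls, f"unknown({cls})"),
            "format": BCD_FORMATS.get(fmt, f"unknown({fmt})"),
            "subtype": type_id & 0xFFFFFF}


def _element_forms(type_id: int) -> tuple:
    """Shapes an element ID may take in raw sectors: little-endian DWORD, and the
    8-hex-digit key name used under the hive's Elements key (ASCII or UTF-16LE;
    which one the hive uses is an assumption here, so both are covered)."""
    name = f"{type_id:08x}"
    return (struct.pack("<I", type_id), name.encode("ascii"), name.encode("utf-16le"))


def _string_forms(s: str) -> tuple:
    return (s.encode("ascii"), s.encode("utf-16le"))


def scan_boot_read(buf: bytes) -> dict:
    """Count the markers of interest in a buffer as handed to the boot loader."""
    def count_all(forms):
        return sum(buf.count(f) for f in forms)
    return {"ems_enabled": count_all(_element_forms(EMS_ENABLED)),
            "winpe_mode": count_all(_element_forms(WINPE_MODE)),
            "minint_original": count_all(_string_forms(MININT_ORIGINAL)),
            "minint_swapped": count_all(_string_forms(MININT_SWAPPED))}


def looks_tampered(on_disk: bytes, as_read: bytes) -> list:
    """Compare the on-disk bytes with what a read through Int 13h returned."""
    disk, read = scan_boot_read(on_disk), scan_boot_read(as_read)
    findings = []
    if read["winpe_mode"] > disk["winpe_mode"]:
        findings.append("WinPEMode element present in the read but not in the on-disk store")
    if read["ems_enabled"] < disk["ems_enabled"]:
        findings.append("EmsEnabled element missing from the read")
    if read["minint_swapped"] > disk["minint_swapped"]:
        findings.append("/MININT anagram IN/MINT present in the read")
    return findings


def model_tdl4_int13_swap(buf: bytes) -> bytes:
    """Model (not the rootkit's code) of the two substitutions the post describes."""
    for src, dst in zip(_element_forms(EMS_ENABLED), _element_forms(WINPE_MODE)):
        buf = buf.replace(src, dst)
    for src, dst in zip(_string_forms(MININT_ORIGINAL), _string_forms(MININT_SWAPPED)):
        buf = buf.replace(src, dst)
    return buf


# Constructed stand-in for what bootmgr/winload read: an Elements key name and
# element value from the BCD hive, then the loader's boot-option string. Not a
# real hive or a real winload image.
ON_DISK_SAMPLE = (
    b"Elements\\" + f"{EMS_ENABLED:08x}".encode("ascii") + b"\x00\x00"
    + struct.pack("<I", EMS_ENABLED) + b"\x01"        # element value: boolean TRUE
    + b"..." + MININT_ORIGINAL.encode("utf-16le")
)
AS_READ_SAMPLE = model_tdl4_int13_swap(ON_DISK_SAMPLE)

if __name__ == "__main__":
    print(decode_bcd_element(EMS_ENABLED), decode_bcd_element(WINPE_MODE))
    print(looks_tampered(ON_DISK_SAMPLE, AS_READ_SAMPLE))
```

On a live machine the equivalent of AS_READ_SAMPLE is a capture of what the boot loader actually consumed (a memory image of the boot stage or a trace from an emulator), since the rootkit never touches the on-disk BCD store; bcdedit run from the booted system therefore shows no winpe entry and is not a useful check here.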

At a very early stage of the boot process the rootkit loads a fake copy of kdcom.dll that exports patched copies of the APIs used by the Windows kernel debugger: KdD0Transition, KdD3Transition, KdDebuggerInitialize0, KdDebuggerInitialize1, KdReceivePacket, KdRestore, KdSave, KdSendPacket. As a consequence, the operating system fails to start if it is configured to boot in debug mode.

We strongly encourage all users to run Windows Update on Tuesday and fix once and for all this vulnerability, which has now been known for three months.

