NEWS FROM THE LAB - Thursday, September 26, 2013

New TDL Dropper Variants Exploit CVE-2013-3660

Posted by ThreatResearch @ 08:48 GMT

Recently, we have been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology. From the detection name, we can see that the variants are distributed by some exploit kits.

TDL4_clone_exploited_in_the_wild (295k image)

Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process's privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET's blog post, but with some minor updates.

Recap: TDL4 exploits the MS10-092 vulnerability in Microsoft Windows' Task Scheduler service to elevate the malware's process privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:

TDL4_clone_ExploitingCVE_2013_3660 (30k image)

One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4-encoded data:

TDL4_clone_config_ini (6k image)
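For analysts triaging a resource blob like the one described above, the following added example (not code from this post or from the malware) runs RC4 over a dumped resource with a list of candidate keys and keeps the first result that parses as INI-style text. The post does not give the key or how it is derived, so the key, the config contents and the names used here are constructed for illustration.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR (same call decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

INI_LINE = re.compile(r"^(\[[\w.-]+\]|[\w.-]+=.*)$")

def looks_like_ini(blob: bytes) -> bool:
    """Heuristic: ASCII text, one section header, only header/key=value lines."""
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not any(ln.startswith("[") for ln in lines):
        return False
    return all(INI_LINE.match(ln) for ln in lines)

def recover_config(resource: bytes, candidate_keys):
    """Return (key, plaintext) for the first key yielding INI text, else None."""
    for key in candidate_keys:
        if not key:
            continue  # RC4 needs a non-empty key
        plain = rc4(key, resource)
        if looks_like_ini(plain):
            return key, plain.decode("ascii")
    return None

# Constructed sample standing in for the resource dumped from a dropper.
SAMPLE_KEY = b"constructed-key"
SAMPLE_CONFIG = b"[main]\r\nversion=0.0\r\nservers=example.invalid\r\n"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    print(recover_config(SAMPLE_RESOURCE, [b"wrong", b"", SAMPLE_KEY]))
```

In practice the candidate keys would come from strings and constants recovered during static analysis of the sample; a plaintext check like `looks_like_ini` keeps a wrong key from being mistaken for a successful decode.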

This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code - in this case, the exploit code went public three months ago.

Post by — Wayne