New TDL Dropper Variants Exploit CVE-2013-3660

02 Oct 2013

Recently, we have been seeing a new breed of TDL variants going around. These variants appear to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology. From the detection name, we can see that the variants are distributed by exploit kits.

(Image: TDL4_clone_exploited_in_the_wild)

Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process’s privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET’s blog post, but with some minor updates.

Recap: TDL4 exploits the MS10-092 vulnerability in the Microsoft Windows Task Scheduler service to elevate the malware process's privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:

(Image: TDL4_clone_ExploitingCVE_2013_3660)

One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4-encrypted data:

(Image: TDL4_clone_config_ini)
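For analysts who want to pull that embedded configuration out of a sample, here is an added triage helper (example code written for this post, not code from the dropper or from F-Secure): it RC4-decrypts a blob carved from the resource section with each candidate key and keeps the first result that parses as an INI-style config. The key, the INI content and the blob below are constructed for the example; a real sample needs the key recovered from the dropper's own decryption routine.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_ini(blob: bytes):
    """Parse INI-style text into {section: {key: value}}; return None when the
    bytes are not mostly printable or contain no section with a key=value pair."""
    if not blob or sum(32 <= b < 127 or b in b"\r\n\t" for b in blob) < 0.95 * len(blob):
        return None
    cfg, section = {}, None
    for ln in blob.decode("ascii", "replace").splitlines():
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue
        if ln.startswith("[") and ln.endswith("]"):
            section = ln[1:-1]
            cfg[section] = {}
        elif "=" in ln and section is not None:
            k, v = ln.split("=", 1)
            cfg[section][k.strip()] = v.strip()
    return cfg if any(cfg.values()) else None

def recover_config(resource: bytes, candidate_keys):
    """Try each candidate RC4 key on the raw resource bytes and return the first
    decryption that parses as a config, or None if no key fits (wrong keys
    yield high-entropy bytes that fail the printable check)."""
    for key in candidate_keys:
        cfg = parse_ini(rc4(key, resource))
        if cfg is not None:
            return cfg
    return None

# Constructed sample: a made-up INI config encrypted with a made-up key, standing
# in for the bytes an analyst would carve from the dropper's resource section.
SAMPLE_KEY = b"example-key"
SAMPLE_CONFIG = b"[main]\nversion=0.1\n[inject]\nmodule=example.dll\n"
SAMPLE_RESOURCE = rc4(SAMPLE_KEY, SAMPLE_CONFIG)
```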

This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code – in this case, the exploit code went public three months ago.

Post by — Wayne
