The TDL4 rootkit, which reared its head last month as the latest evolution of the venerable TDSS malware family, is now using one of the Windows bugs that was first seen in use by Stuxnet.
The latest modification to TDL4 enables the rootkit to use the unpatched Windows Task Scheduler vulnerability on Windows 7 machines to escalate its privileges once it is resident on an infected PC, according to an analysis of the malware by Kaspersky Lab analyst Sergey Golovanov. TDL4 has been active for some time now, but recent samples of the malware have turned up with an exploit for the Task Scheduler bug.
“Using an exploit for this vulnerability allows the rootkit TDL4 to
install itself on the system without any notification from the UAC
security tools. UAC is enabled by default in all the latest versions of
Windows,” Golovanov said in his analysis. “After the Trojan launches in the system, e.g. in Windows 7, its
process receives the filtered token (UAC in operation) with the regular
user privileges. An attempt to inject into the print spooler process
terminates with an error (ERROR_ACCESS_DENIED).
“[The] error occurs when TDL4 attempts to intrude into print spooler process. Earlier modifications of this malicious program also try to penetrate
the print spooler process. New modifications, however, attempt to use
the 0-day exploit to escalate its privileges up to LocalSystem level.”
This bug is one of four vulnerabilities that was first noticed during the initial analysis of what would come to be known as Stuxnet. The vulnerability is not a remote code-execution bug, but can be used to escalate an attacker’s privileges once he’s already gotten a foothold on a compromised machine. Exploit code for the Windows Task Scheduler bug was posted late last month.
TDL4 is the newest evolution of the TDSS malware, and it contains functionality that enables it to get around some of the low-level security defenses that Microsoft has added to recent versions of Windows.