Dec 8, 2010 09:40 GMT

Security researchers warn that a new variant of the sophisticated TDL4 rootkit is leveraging a still-unpatched privilege escalation vulnerability that was first exploited in the wild by the infamous Stuxnet worm.

TDL4 is the latest version of a rootkit originally known as TDSS or Tidserv, which appeared back in 2008.

However, unlike its predecessors, TDL4 is capable of bypassing the kernel-mode driver signature enforcement in 64-bit versions of Windows Vista and Windows 7.

By default these systems refuse to load drivers that are not digitally signed, but TDL4 gets around that by changing the boot configuration before the operating system actually starts.

This is done by code written into the Master Boot Record (MBR) when the computer is first infected. The rootkit also disables Windows debugging functions so that researchers have a harder time analysing it.
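A bootkit of the kind described above has to rewrite sector 0 of the boot disk, so one practical check is to hash the 446-byte bootstrap area of a known-clean machine and compare it later: if the boot code hash changes while the partition table stays the same, something rewrote the MBR. The following is an added example, not code from the article or from Kaspersky Lab. The two sample sectors are constructed for the demo; the `read_mbr()` helper and the `\\.\PhysicalDrive0` device path are assumptions for a Windows host and need administrator rights.

```python
"""Baseline-and-compare check for Master Boot Record (MBR) tampering.

Added example; the sample sectors below are constructed, not captured
from an infected system.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into a boot code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_LEN]
        )
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a baseline from parse_mbr(); empty list means no findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code hash changed: bootstrap area was rewritten")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (assumed Windows device path; requires admin)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed demo sector: given boot code, one active NTFS partition, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA 2048, 1 GiB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 2097152)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return boot + table + BOOT_SIGNATURE


# Constructed samples: same partition table, only the boot code differs.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
INFECTED_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xEB\x40")

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)
    print("clean   :", check_mbr(CLEAN_MBR, baseline) or "no findings")
    print("infected:", check_mbr(INFECTED_MBR, baseline))
    # On a Windows host run as administrator, record the live baseline with:
    if sys.platform == "win32" and "--live" in sys.argv:
        print("live    :", parse_mbr(read_mbr()))
```

In practice the baseline is taken at deployment time and stored off-host; a hash mismatch on the boot code alone, with the partition table unchanged, is the signature of a bootkit rather than of a legitimate repartitioning.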

At the beginning of this month, security experts from Kaspersky Lab began seeing new TDL4 samples that make use of a zero-day privilege escalation vulnerability in the Windows Task Scheduler.

The flaw, identified as CVE-2010-3888, is being leveraged to escalate privileges to the Local System account in order to bypass UAC (User Account Control) and inject code into the print spooler process (spoolsv.exe).

CVE-2010-3888 is one of the four vulnerabilities exploited by the Stuxnet worm, which targeted industrial control systems and shocked the cyber security community with its sophistication when it was discovered this summer.

The security hole remains unpatched even though proof-of-concept exploit code was publicly released for it during the second half of November. Microsoft might be preparing a fix for Patch Tuesday next week.

The TDL4 rootkit also bypasses the anti-spoolsv injection sensors installed by the host intrusion prevention components of many security applications.

"TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is," concludes Kaspersky Lab expert Sergey Golovanov.