
TDL4 rootkit copies Stuxnet, targets Windows users

Ron Condon

The cybercriminals behind the TDL4 rootkit, a variant of the TDSS (Alureon) rootkit that caused Microsoft Windows "Blue Screen" crashes earlier this year, have copied the Stuxnet worm by exploiting a zero-day privilege escalation vulnerability in the Windows Task Scheduler.


The rootkit's makers have added another string to its bow, incorporating a zero-day vulnerability that had previously been exploited only by the Stuxnet worm, according to researchers at Kaspersky Lab.

The TDL4 rootkit exploits a privilege escalation flaw in the Windows Task Scheduler that affects Windows 7 and Windows Vista. The flaw lets the rootkit gain elevated privileges, install itself on the system and bypass the User Account Control (UAC) protections in Windows that would normally prevent it from loading, according to Kaspersky researcher Sergey Golovanov.

"TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is," Golovanov wrote on Kaspersky Lab's Securelist blog.

Stuxnet, first detected in July exploiting a Microsoft Windows zero-day vulnerability, was later found to exploit a total of four Windows zero-day flaws. The worm sought out Siemens' Supervisory Control and Data Acquisition (SCADA) software and then injected code into the programmable logic controllers (PLCs) that monitor and control temperature, pressure and other process variables. Security experts warned that it could serve as a blueprint for future malware writers.

Previous versions of the rootkit are blocked by most antimalware programs, but Golovanov wrote that it appears to be under constant development by talented developers. The latest variant is capable of infecting a computer even when antivirus software is installed and running.

So far, organized cybercriminals have used the rootkit to grow their botnet of zombie machines, which they then use for affiliate marketing and SEO poisoning campaigns, Golovanov wrote. Once it has infected a computer, the rootkit contacts its command-and-control (C&C) server for orders and installs additional malware on the machine.

"The fact that bot communication with the C&C is encrypted makes it significantly more difficult to analyse network packets," Golovanov wrote. "An extremely powerful rootkit component hides both the most important malware components and the fact that the computer has been infected. … The cybercriminals profit by selling small botnets and using blackhat SEO."