TDL3 rootkit is causing BSOD in 17-year old MS bug patch!

Earth Bound Misfit Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 05:54 AM
Original message
TDL3 rootkit is causing BSOD in 17-year old MS bug patch!
Edited on Tue Feb-16-10 06:11 AM by Earth Bound Misfit
http://www.wilderssecurity.com/showthread.php?t=265297

Microsoft today pulled its MS10-015 patch for the 17-year old bug after reports of BSODs caused by the patch.

It turns out that the TDL3 rootkit infection is related to the BSOD. See here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html

PCs that are infected with the rootkit and run the patch (served by Windows Update) become unbootable!

The number of affected PCs tells us something about how widely spread the TDL3 rootkit is.

Statistics from our Scan Cloud:
Since November 30, Hitman Pro removed TDL3 infections from over 16.000 computers.
Interesting detail: 74.8% of those PCs were running an up-to-date AV.


That tells us how good this rootkit is in staying undetected or how difficult it is to remove this infection. TDL3 infects the hard disk driver (usually atapi.sys) and once loaded it serves the OS the uninfected driver, fooling most AVs as they see nothing wrong with the driver.

Some AV vendors have a private removal tool but they won't release it to the public since they are afraid that the TDL3 authors are counteracting their tool. Since TDL3 was first found in October 2009, TDL3 has changed several times, each time improving its armor.

Currently only public Hitman Pro 3.5 is able to remove all current TDL3 variants (up to TDL3.241). But it is only a matter of time before the TDL3 authors change their armor.

Combofix can also be used if your hard disk driver is atapi.sys. If you have a different driver, like iastor.sys from Intel or one from the list below, then you can't use Combofix.

snip

Finally, a sign of TDL3 infection is when you're browsing the web and you are frequently redirected to websites you didn't expect to go to. TDL3 modifies DNS query results.


I posted a thread about this TDL3 monster a while ago: http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=242x29480

I've read many threads on malware removal forums lately where a combination of TDSSKiller by Kaspersky, ComboFix, MalwareBytes & SuperAntiSpyware, (among others) have gotten rid of this thing.

17 FRIKKIN' year old bug? ((((FACEPALM)))


Earth Bound Misfit Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 06:31 AM
Response to Original message
1. Micro$oft LIHOP? MIHOP?
I read that the BSODs due to the Micro$hit patch affected mainly XP users. I wonder how many will say "my computer has crashed, I need to get a new one..." and will go out and buy a Win7 64-bit PC.

Problem solved.

Good job Micro$haft!
 
CK_John Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 11:01 AM
Response to Reply #1
2. 17 yrs? That's got to be Win3.1 days or DOS 5, ouch. Well I don't have the problem. n/t
 
pokerfan Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 03:42 PM
Response to Original message
3. After denying that it was their fault for several weeks
Everyone has their own breaking point when it comes to Microsoft and the crap they shovel. For me, it was last summer.

http://www.ubuntu.com
 
Earth Bound Misfit Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 07:55 PM
Response to Reply #3
4. I've just about reached mine.
Gonna make a move when I purchase my next box.

Check out my new IE Title Bar:



:evilgrin:
 
pokerfan Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 08:24 PM
Response to Reply #4
5. You might not need a new box
Linux is great for injecting new life into an old machine. You will be surprised at how fast it will run.
 
EvolveOrConvolve Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 09:02 PM
Response to Original message
6. This story is bullshit - let me count the ways
1. Seventeen years ago, Windows 3.1, a 16-bit DOS-based operating system, was the latest and greatest. A downloadable update for Windows 3.1 (which is impossible itself because the internet was not yet in widespread usage beyond government and university networks) wouldn't have any effect on today's PCs, which are generations past the Windows 3.1 kernel.

2. The author promotes Hitman Pro, which is a bait and switch operation.

3. The TDL rootkit is a real risk, but can be removed much more easily than is claimed by the author. I wonder what the point of that might be? Fear? Money?

4. We had an outbreak of TDL where I work, but it only affected computers that did not have AV software. This seems to (at least anecdotally) refute this claim: "Interesting detail: 74.8% of those PCs were running an up-to-date AV". Again, what's this guy selling? And from which of his asses did he pull that 74.8% figure? His "scan cloud"? Laughable.

5. Over and over, the author stresses the fact that TDL was written well enough to hide from most anti-virus packages. Why then, would the virus be programmed to redirect to certain web pages? That's how most people figure out that they have an infection.

6. The post at the link has some interesting people responding to it. From a quick read, there are quite a few virus authors, script-kiddies, and wannabe-hackers at that site.

7. I have a feeling that the BSOD problem only occurs with XP instances that have never had an SP installed against them, since the MS patch was installed on our network on machines that were infected. And all of our machines were patched to Service Pack 3. This underscores the importance of installing updates for MS machines rather than waiting as the author suggests. Once again, I have to ask whose best interests this guy has in mind.

Don't believe everything you read.
 
Earth Bound Misfit Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Feb-16-10 11:20 PM
Response to Reply #6
7. MmmKay, "Bill"
http://www.h-online.com/security/news/item/Windows-hole-discovered-after-17-years-Update-908917.html

20 January 2010, 13:36
Windows hole discovered after 17 years - Update

Microsoft isn't having an easy time of it these days. In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by The H's associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

http://arstechnica.com/microsoft/news/2010/01/microsoft-investigates-17-year-old-windows-flaw.ars

Microsoft investigates 17-year-old Windows flaw
By Emil Protalinski | Last updated January 20, 2010 1:40 PM

Reports have surfaced about a new security hole that has been in Windows since the release of Windows NT 3.1 on July 27, 1993. The vulnerability is present in all 32-bit versions of Windows released since then, including all supported versions: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Microsoft has issued Security Advisory (979682) to address the elevation of privilege vulnerability in the Windows kernel, making sure to note that 64-bit versions of Windows, including Windows Server 2008 R2, are not affected.

Thankfully, the flaw isn't in a commonly used application but in the Virtual DOS Machine (VDM) used to support 16-bit applications. There are several vulnerabilities in this implementation, according to Google security team member Tavis Ormandy, who found the issues.

An unprivileged 16-bit program can manipulate the kernel stack of each process, potentially enabling attackers to execute code at system privilege level. The exploit can be used to open a command prompt with the highest privilege level.

http://www.microsoft.com/technet/security/advisory/979682.mspx

Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege
Published: January 20, 2010 | Updated: February 09, 2010

General Information
Executive Summary

Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-015 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-015. The vulnerability addressed is the Windows Kernel Exception Handler Vulnerability - CVE-2010-0232.
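The quoted articles name two defensive facts: 64-bit Windows is not affected, and disabling the MS-DOS (NTVDM) subsystem is the workaround until MS10-015 is applied. The following PowerShell script, an added example that is not part of the thread or of any quoted article, reports a host's exposure on that basis. It assumes the policy value is `VDMDisallowed` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat` (1 = 16-bit applications blocked) and that `KB977165` is the update id shipped by MS10-015; verify both against the bulletin before relying on them.

```powershell
# Added example (not from the thread). Checks exposure to the VDM / 16-bit
# subsystem kernel flaw (CVE-2010-0232, fixed by MS10-015) and whether the
# "disable the MS-DOS subsystem" workaround is in place.
# Assumptions (verify against the bulletin):
#   - policy value: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1
#   - MS10-015 installs as KB977165

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

function Get-VdmExposure {
    $result = [ordered]@{
        Is64Bit        = [Environment]::Is64BitOperatingSystem  # advisory: 64-bit builds not affected
        VdmDisallowed  = $false
        Ms10015Present = $false
        Exposed        = $false
    }

    # Workaround state: the policy value exists and is set to 1.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($policy -and $policy.VDMDisallowed -eq 1) { $result.VdmDisallowed = $true }

    # Patch state: Get-HotFix returns nothing when the update is not installed.
    $fix = Get-HotFix -Id 'KB977165' -ErrorAction SilentlyContinue
    if ($fix) { $result.Ms10015Present = $true }

    # Exposed only on 32-bit Windows with neither the patch nor the workaround.
    $result.Exposed = (-not $result.Is64Bit) -and
                      (-not $result.Ms10015Present) -and
                      (-not $result.VdmDisallowed)
    [pscustomobject]$result
}

function Disable-Vdm {
    # Applies the workaround the article describes: block 16-bit applications.
    # Must run elevated; reversible by setting the value back to 0.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'VDMDisallowed' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

Get-VdmExposure | Format-List
```

This only reports patch and workaround state; it does not detect a TDL3 infection, which is the reason the thread gives for the patch leaving some XP machines unbootable.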
 