Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

TDSS Rootkit - TDL4 Starts Using 0-Day Vulnerability

The TDSS rootkit family is one of the most advanced malware attacks in circulation. This analysis by Kaspersky Lab describes a recent modification of TDL4 that exploits a new, unpatched Windows vulnerability.

TDSS Rootkit - TDL4 Starts Using 0-Day Vulnerability
http://www.securelist.com/en/blog/337/TDL4_Starts_Using_0_Day_Vulnerability

QUOTE: In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE-2010-3888). The use of this vulnerability was originally detected when analyzing Stuxnet.

Using an exploit for this vulnerability allows the rootkit TDL4 to install itself on the system without any notification from the UAC security tools. UAC is enabled by default in all the latest versions of Windows. After the Trojan launches in the system, e.g. in Windows 7, its process receives the filtered token (UAC in operation) with regular user privileges. An attempt to inject into the print spooler process terminates with an error (ERROR_ACCESS_DENIED).

New modifications, however, attempt to use the 0-day exploit to escalate their privileges up to LocalSystem level. TDSS has once again reaffirmed its status as one of the most complex and dangerous malicious programs there is.
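As an added defender-side check (not from the Kaspersky post or this blog), the PowerShell below reports the two conditions the quote turns on: whether the current process is running under a UAC-filtered token, and whether the host is still exposed (UAC disabled, or the Task Scheduler fix missing). It assumes Windows 7 / 2008 R2 with PowerShell 2.0 or later and English `whoami` output; the update id KB2305420 (MS10-092, the fix for CVE-2010-3888) is not named on the page.

```powershell
# Added example (not from the Kaspersky post or this blog): report the two
# conditions the quoted analysis turns on. Assumes Windows 7 / 2008 R2 with
# PowerShell 2.0+ and English "whoami" output; KB2305420 is the MS10-092
# update for CVE-2010-3888 and is not named on the page.

function Get-TokenState {
    # Under UAC an administrator's non-elevated process runs with a
    # filtered token: Medium integrity, and BUILTIN\Administrators
    # present but marked "used for deny only". That is the token the
    # quote says TDL4 receives before it attempts to escalate.
    $groups = whoami /groups
    $label  = $groups | Select-String 'Mandatory Label\\(\w+) Mandatory Level' |
              Select-Object -First 1
    $integrity = 'unknown'
    if ($label) { $integrity = $label.Matches[0].Groups[1].Value }
    New-Object PSObject -Property @{
        Integrity     = $integrity
        AdminDenyOnly = [bool]($groups | Select-String 'BUILTIN\\Administrators.*deny only')
    }
}

function Get-HostExposure {
    # UAC state: the quote notes UAC is on by default; EnableLUA = 0 means
    # no filtered token is issued and there is no barrier to overcome.
    $pol   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn = ($pol.EnableLUA -eq 1)
    # Patch state for the Task Scheduler flaw the rootkit exploits.
    $fix = Get-HotFix -Id KB2305420 -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        UacEnabled           = $uacOn
        TaskSchedulerPatched = [bool]$fix
        StillExposed         = -not $fix
    }
}

Get-TokenState
Get-HostExposure
```

A result of Integrity = Medium with AdminDenyOnly = True is exactly the filtered-token situation described in the quote; StillExposed = True means the privilege escalation path it relies on has not been closed on that host.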