Feeds

back to article 'Indestructible' rootkit enslaves 4.5m PCs in 3 months

One of the world's stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of …

COMMENTS

This topic is closed for new posts.

Page:

Alert

Oh, shit.

This is seriously scary.

Is the internet doomed the way that the Euro is?

Let's all go back to living in caves. If this goes on, we may not have a choice. In fact, I think I'm going to go looking for a suitable cave tomorrow. I'll need a few dozen rolls of aluminium foil, several tonnes of canned food, and some serious weaponry to keep other cave-hunters at bay.

Punch-line to come.

0
0
Happy

Don't be that pessimist !

First, move out of Windows monoculture. Before going back to living in caves, give Linux a try or even better, go directly with OpenBSD.

Yes, I totally agree with you these OS are far from being so polished and full of features like Windows is right now but you still get a headache-free computing experience.

7
8
Facepalm

RE: Oh, shit.

The internet isn't doomed - this is just another example of "Windows security" at work!

6
3
Anonymous Coward

headache free?

really? is having to dive into an obsure text file located in one of many locations to change a minor config really not a headache?

9
9
Anonymous Coward

Re: headache free?

Andrew C, I feel your pain brother. I hate working with the registry, boot.ini, win.ini, system.ini, /blah/blah/blah/hosts, etc too.

15
1

Wrong

@ AC 07:49

Windows is far from being polished and full of features. I use Linux and it does everything I need it to do, and I use Windows at work and am constantly frustrated due to it missing things I need that are in Linux!

6
3
Bronze badge
Go

Speaking of caves....

I would absolutely love to build (dig? blast?) a Hobbit Burrow to live in and use geothermal power to take me off the grid. One day.......

:)

2
0
Linux

Uh...

Easier than poking around in the registry--especially for people who, like a lot of my friends, don't know a hex from a USB mouse.

"Okay open file thatapp.conf"

"OK"

"Find the line that says ThatSetting"

"Wait... no... no... Oh I see it."

"Change 'No' to 'Yes' and save the file"

"OK... done. Wait, that's it? That was easy!"

"Yep. That's why I made you buy me the beer first."

4
1

Doomed Euro?

Right OK then, so the Euro is doomed. So why is the pound losing value against it on a daily basis? Tell me that Private Fraser.

2
0

Headache free - sort of

Yes, your security headache will be gone. To be replaced by a usability headache. :)

For the record, I work both on windoze and nix systems.

5
3
Devil

Amazing info.

I remember reading somewhere back a few months ago that researchers were able to install one of these advanced bootkits on a machine that was running full-system encryption via truecrypt - *one* round of AES. The story was surprising at the time because that was one of the few mitigations of the installation of these bootkits - the idea being that existing (truecrypt boot loader) code was already in the MBR and that overwriting any of it would render the system unbootable since the truecrypt boot loader would be hence corrupt and wouldn't even load. Apparently there was still enough free space in the MBR to write to after the truecrypt code ended.

However, no one said anything about cascade encryption.

If you had a combination of AES+Twofish+Serpent as your system encryption scheme - would that be enough to plug any holes in the MBR to prevent these bootkits from installing? Anyone?

0
1

Too big

I'm talking more from intuition from knowledge, but surely it'd be more likely to just mess up the MBR than just stop the rootkit installing? Admittedly that tells you something's up, but by then it's probably too late.

0
0
Thumb Up

Great solution...

So, the solution to the problem of the nigh undetectable and ineradicable rootkit that will doubtless install stuff to bring your system to a crawl for all eternity is... to preemptively install stuff that will bring your system to a crawl for all eternity.

Can't we just build a linux pre-loader for windows that zeroes the entire memory and then checks to see if anything on your windows partition has changed since last boot, and freaks the hell out if it has? That would probably be less of a pain in the arse.

14
1
Silver badge
Thumb Up

Re: Great solution

Great solution, JeevesMkII.

1
1
FAIL

Mitigation? Detection?

It is one thing to raise a warning. But an article on a pervasive rootkit, without any discussion of detection or mitigation measures, is worse than useless (IMO).

15
0
Bronze badge
Facepalm

@Great Solution...

That's been commercially available for years. It's called Norton.

0
4
Windows

That would work if Windows made any sense

Unfortunately Windows is constantly changing itself and tools that do that kind of thing tend to overwhelm you with false positives (and that's a shame). Maybe if it just looked at the MBR....

0
0

Microsoft Standalone System Sweeper

Microsoft has in beta a program called Standalone System Sweeper. It creates an ISO to boot from. When you do, it checks for rootkits that cannot be checked when booting from the MBR. See http://connect.microsoft.com/systemsweeper for details.

0
0
Anonymous Coward

Scan Before Use

It took the porkers at MS long enough to get around to doing this, not like it is a new idea or anything. But at least they are finally doing it.

0
0
Trollface

Lucky for me...

I've got a Mac, and therefore can't get viruses.

9
16
Silver badge
Linux

Yeah ...

GLWT

0
0
Bronze badge
Stop

So have I....

In fact I have 4 Macs, except having used Windows for 10 years I am not a self-satisfied plank with a Jobs worship fetish! I am an IT realist and to borrow a quote, I know the price of a malware free machine is eternal vigilence, and that includes OSX and Linux. Being smug sanctimonious pillock will lead to a very big and painful fall for you my friend!

11
0

Pssst....

[hint: did you not see the Troll icon?]

3
0
Thumb Up

Hahaha

Nice one! I see many here didn't get your joke though.

0
1
42
FAIL

Indestructable?

Except by Kasperskys tdss killer. Removed it quite easily last week.

4
0
Windows

re: Removed it

Are you sure it's gone? Are you sure you haven't been reinfected with a newer version?

1
0
Thumb Down

Hmmm

I have been doing some rather mundane fixing of this thing recently.

I *think* one solution is to always prompt for driver installations.

Pretty typical of windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.

5
2

Win7

----

Pretty typical of windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.

----

Could be worst - at least it's possible to run Win7 in limited privileges mode; there's nowhere near as much badly written software, that requires Admin privileges, on Win7 as there has been on any previous version.

I wouldn't say it was great but simply that it fails less hard that previous versions...

0
0

Disagree

Out of the box Win7 is pretty tight. Its only when you start going in and disabling security features that it becomes vulnerable.

And above all of the back and forth between the OSs, if you just practice safe computing, you won't have to deal with any of this crap. Don't click links in emails that you weren't expecting, don't visit port or wares sites, question every pop up, never click YES. Been doing it for years with great success. Even my wife and kids are good at it these days. It isn't rocket science.

1
3

Does it kill grubs?

if the MBR contains GRUB or LILO instead of a Windows MBR?

0
0

Indestructible? And almost inifinite waste of time and money!

It's a great shame that all the money that is being spent to combat these deliberate attacks on people, that's everyone, East and West whatever their nationality, whatever their religion, whatever their political belief is being wasted. This attack and other attacks is in reality an utter waste of precious treasure that could be better spent on helping people to have a decent, rather than a squalid life. It's not just the money but the time we are all wasting on protecting our systems from these attacks or rather cleaning out their evil residue. It's not as if one can isolate one's computer from the outside world either. Has anyone calculated just how much money is being spent on protecting us? Back in the good old days it was just the Stoned Virus that one had to contend with!

1
3
Silver badge
Happy

SSDD - Darwin in action

Early life forms evolve, and eat the lesser evolved for lunch.

If it's blacklisting other virus servers then it should be fairly easy to see if you're infected ... then I say we take off and nuke the site from orbit. It's the only way to be sure... I believe that's the new US policy and I'd guess that we'd only have to do it a couple of times before the lads from Latvia got the message.

2
1
Linux

Well...

As long as my Linux Mint is safe, I couldn't care less.

0
14
Thumb Down

Smugness is an enemy of security.

Rootkits exist for Linux as well. This is eight year old information, but the principle should remain.

http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901

"There are many different versions of rootkits that perform basically the same function. Well known Linux rootkits include LRK, tOrn, and Adore and some Windows Rootkits include NTROOT, NTKap, and Nullsys...

Not only are rootkits designed to hide the presence of an attacker; they are also used to gain future administrator-level (root) access, launch distributed denial of service (ddos), or obtain financial or confidential information."

The article goes on to mention that rootkits overwrites common commands such as ps and netstat to hide rooted activity.

I'd agree that it is harder to get a nasty process to overwrite the MBR than it is for Windows, and that it is easier to detect afterward. Never the less, if the MBR is infected by any process on the machine (including Windows, if you are running dual boot) then you really have problems!

2
0
FAIL

re: I couldn't care less

So when the botnet takes down a service you want to use, or just generally clogs up the interwebs, your Linux Mint will magically overcome this how?

5
1
Linux

You should care

I use (and love) Mint as well but we do CANNOT be complacent. In the first place, while Linux is head and shoulders above Windows and/or OSX, it is not perfect nor unassailable--and tools that exist to attack Linux servers can be used to attack Linux desktops.

That being said, if we do pay attention to the threat and encourage the community to improve security, there's no reason we can't stay out of the realm of low-hanging fruit or even (gasp) produce a reasonably secure operating system.

0
0
Silver badge
Holmes

ad-hoc DHCP servers?

Hmmm.... I better check out those bizarre flip-flops I have seen recently around here. I thought it was just the iPhones behaving crappily, but who knows.

0
0
Joke

GPL?

Doesn't this thing have some GPL code in it? Maybe we can get them into court for breaking the terms of the GPL license, plus ask them to hand back some of their code as suggested by the GPL?

2
0
Silver badge

gmer

bottom of page

http://www2.gmer.net/rootkits.php

1
0

Title goes here

So how would one go about removing such an infection?

1
0
Silver badge

More importantly...

...how does one go about DETECTING such an infection?

I you know it's there, you can always do something about it (even if it means reinstalling every single machine from scratch in a controlled manner). If you don't know there's a problem, you won't fix it.

2
0
Mushroom

Nuke the site from orbit...

...it's the only way to be sure.

DoD wipe the whole drive and reinstall from clean media-- and hope you've got a good data backup.

0
0
Boffin

The end is nigh

We're doomed, DOOMED I tell ya!

Viruses that disable other viruses, corkers, the virus software is cleverer than the Anti-virus software, come to think of it it's also cleverer than the OS (Windows 7 that is).

Let's all move to the cloud cos it's dead safe so it is.

3
0
Trollface

Shurely that should be Master Book Record?

This one will run and run...

1
0
Flame

Definitely the worst virus I've ever encountered

My XP computer was infected by this - I knew something was there as I noticed slight changes in behaviour and yet my computer was clean according to every anti virus I tried. Booting in safe mode and disabling all startup programs in msconfig (which gets rid of 99% of viruses) didn't work. Searching for recently changed .dll/.exe didn't give any clue either. It had infected the keyboard driver to load the main payload which was saved in some unused sectors. It installed a low-level drive filter to ensure that those sectors are read as zeroes. It then loads the original driver. As it is also encrypted in memory, no anti virus programs can detect it. Eventually I found out about TDSSKiller while searching for undetectable rootkits, which did confirm it was there and wipe it out.

This one wasted me a good few hours, especially since all the anti virus software was totally useless. The really worrying thing is that most users wouldn't have noticed something was wrong in the first place, and even if they did, running the latest anti virus software would convince them there is no infection after all...

5
0
Silver badge

@Wilco 1

Clearly a case for a boot-CD like the bit defender one?

Never had the misfortune to deal with this malware, but a clean boot should help.

Oh, until the bad guys also get round to flashing your BIOS...

Which reminds me of another rant, why can't the dumb buggers who design motherboards have a switch/jumper to enable BIOS updates? (default = locked, of course)

And why can BIOS provide a report of the boot area so you know it has changed? Yes locking it down as in "trusted boot" is a pain and not something I want as it would piss off Tux no end, but at least offering you the SAH-1 hash history (or similar) of the sectors used for booting would let you know if something had been changed and so if a boot/clean CD was worth trying pre-emptively.

1
0
Anonymous Coward

MBR block

I'm sure I there were bios's 10 years ago, that used to report/prompt for write, or block any attempt to write to the MBR - where have they gone?

0
0
Facepalm

But but but but

That was inconvenient! You had to open your case and set a jumper to flash the BIOS! The horror! The horror! Yep, convenience strikes again.

1
0
Pirate

Physical

Agree, I believe that the only way to protect the boot sector would be to have on an EEPROM which has a physical switch (like a usb flash drive that has a read only switch). Bastards can't infect it then.

2
0
Anonymous Coward

A really easy determination is needed

I get user after user after user asking me, "How do I tell if I'm infected?" so if there was a really easy internet site that could check IPs against those recorded as being members of a botnet, that could be a real bonus for some people who ... to be honest ... no longer trust their anti-virus solution.

0
2

Page:

This topic is closed for new posts.