One of the world's more advanced pieces of malware has just gotten a makeover that could make it even more resistant to takedown efforts, security researchers said. An analysis of recent updates to the TDL4 rootkit, which is also known as TDSS and Alureon, shows that components including its kernel-mode driver and user-mode …
... its use of low-level instructions made it hard...
The solution is obvious. We must make low-level code illegal immediately, and arrest anyone suspected of being capable of creating it. The only secure future is through Java.
The days of these hackers with their disassembly programs are numbered. One day soon, all of the world's fundamental algorithms will have been coded in Java, and we will be able to start the cleanup.
First up against the wall will be the assembly-language coders, followed quickly by anyone who has ever produced a working program in a terrorism-capable language such as C, ALGOL, FORTRAN, COBOL or the like.
For C++, a subtle test will be needed: coders will be asked to write a program which reads each element of a string array and prints it. Any hacker who manages this task without creating a class with an iterator method will swiftly follow their subversive co-conspirators.
It's only common sense. I mean, we don't let nuclear physicists run around and do anything they want to, innit?
Someone's irony detector is malfunctioning.
(Currently studying natural language processing and we're covering text classification. Maybe I should train up a browser plugin to detect and highlight irony for those that can't do it themselves...)
To quote professor Farnsworth.....
A world coded in Java? "I don't want to live on this planet anymore"
Mine's the one with the C# book in the pocket.
I never was able to imagine hell... till your post!
Super Sub Atomic ParticularIT ..... Super SAP IT for AI Peculiar ProgramMING Systems
:-) Nice post, Big Brother nyelvmark. However, with regard to that last short paragraph and question, .... "It's only common sense. I mean, we don't let nuclear physicists run around and do anything they want to, innit?" .... don't be putting any good money on that being the case, for you will lose it.
Sarcasm apparently too subtle for the downvoter(s)
Python is what you need.
For the poor sod who downvoted the irony above, I'd suggest a year in Guantanamo, being forced to watch Monty Python at high volume...
Arresting all the C++ programmers won't work.
I know you are joking, but it still won't work. The reason is if there is no low level allowed, then Java would become the new low level. Which means future languages would then be written in Java and hackers would then treat Java as if it was the new low level language to write hacks in. :)
At which point we round up all the Java coders and shoot them, leaving only the future language coders, which would then become the new lowest level. Then people will write even more futuristic languages with that new low level and hackers will treat that as the language to attack...
... At which point ... I'm sensing my brain is reaching a stack overflow in this discussion. :)
I'm reminded of the phrase, "It's turtles all the way down". The more layers we add, the more layers the hackers have to choose from to attack. :)
Sarcasm doesn't work well on El Reg's corner of the web. Nearly all of my many downvotes are when I'm being sarcastic but don't use the Joke Alert icon.
"create a hidden partition at the end of the infected machine's hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run."
Who runs the code how? The Windows bootloader?
The TDL4 virus is a bootloader. It runs the Windows bootloader: It is run by the ROM bootloader, which is run by the uP bootloader.
The process, starting with the coded-in-silicon behaviour of the uP at power-up, has been compared to pulling yourself up by your own hair, shoe-laces, or boot-straps.
nyelvmark: I hope that's a poor attempt at humour
"Newer versions create a hidden partition at the end of the infected machine's hard disk and set it to active."
Meaning it would take AT LEAST 1990s-era BIOS technology to stop!
Hidden partition ?
This means booting from a live CD and performing offline scanning should be the norm by now.
Re: booting from a live CD
Actually, building a PC that boots from a replaceable (unlike flashable BIOS) but read-only (unlike flashable BIOS) medium really *ought* to have been the norm for the last couple of decades. Instead, we've had moronic attempts to move the goalposts with OS vendors and chip manufacturers vying to introduce new levels of even more trusted hypervisors that only people with deep pockets can get their code signed for.
A CD-ROM is a rather clunky way of doing it, but it works.
We already thought of that and it's been SOP for several years.
Winblows - ever so secure!
Not so fast...
I'm as big a fan of Linux as anyone out there... and I refuse to have a Windows machine, BUT... this kind of rootkit would work against a Linux machine too, and a good Trojan can still trick the user into installing it.
In this case we should be working together to detect these kinds of shenanigans instead of flaming each other.
Would work on Linux ?
"a good Trojan can still trick the user into installing it."
Only if the user was logged in as root while reading email/whatever.
Just because something is ''possible'' does not say much about how likely it is to happen, for that you need to look at the other links in the chain that make it possible. We are fortunate that these links are much tougher on Unix based systems than they ever have been on MS Windows.
Linux kernel bugs
Don't be too complacent. Kernel vulnerabilities have in the past existed, that would allow a vulnerable kernel to be root-kitted without a human doing anything ill-advised as root. Other such vulnerabilities almost certainly exist at present. A smart black-hat will scour the code for such, and when he finds one, keep quiet about it while targeting it for root-kit delivery.
Trying to deal with possible infection from inside a compromised operating system -- any system -- is a bad idea. Offline scanning, booted off trusted read-only media, is the way to go. There is just one problem with this ... absent write-protect switches on hard drives, the offline scanner itself becomes a perfect vector for malware distribution, if it can be compromised.
We can't win. Two-plus billion years of evolution has been playing the same games, and the parasites always come out on top.
One of Linux's strengths is actually the same as the one that higher organisms have come up with - diversity, rather than a monoculture of identical clones. The logical next step will be building kernels and root-mode code from source through some sort of compile-time randomizer, so that every installation has a different memory footprint, despite performing identical high-level functions.
The key is in the name
It's a *root* kit, it is the embodiment of privilege escalation. Windows does not have a root user, it has admins. If it were a strictly Windows phenomenon, it would be called an Adminkit.
I hate to say it (really, I do), but rootkits started in UNIX, and I doubt that Linux has completely patched all avenues of privilege escalation. Besides, a lot of this sort of thing is Trojans, installed by users; and as my father taught me: "You can't fix stupid."
Some modern OSes have ASLR
Or Address Space Layout Randomisation, which is very similar to the idea you describe.
Both Windows and Mac OS have this feature.
On top of that...
...how do you know the write-protected media you're using wasn't compromised BEFORE it was write-protected? There have been a few instances of trojaned PRESSED CDs (which are by design read-only) because an unknown trojan somehow managed to get into the gold disc production process and passed everything on into the press.
Then how does Java talk to the CPU?
At SOME point, you're going to need machine language, as that's the ONLY thing the CPU really understands. You eventually have a "Quis custodiet ipsos custodes?" situation in which you have to trust the coder of your Java interpreter/compiler.
How does Java talk to the CPU?
Bloody slowly, that's how. Slow, crappy, ugly language. Die die die!
Let me suggest a possibly radical ideal.
Building secure software systems is a *process* not an event.
Anyone who starts by calling a team meeting and telling them "We're going to write *secure* software from now on" is clearly a PHB who has f***all idea of how to create lasting change.
Does anyone think changing how a software development team does its work is going to be any *easier* than how (say) the NHS does its job?
I'd suggest it's not the lack of information on how to do this that is a problem.
It's *wanting* to do it in the first place that is and the skills to make the changes necessary for it to be applied.
You know John,
that's just CRAZY talk!
I copped for alureon
and it was a bastard to remove using "advanced techie" skills (reg edit, ms config, event viewer, startup cpl etc etc).
I believe it was Kaspersky who had a standalone removal tool...
I ran this in the end as it became a time vs effort required kind of situation.
But can non-admin install it?
"The solution is obvious. We must make low-level code illegal immediately"
Already done: it's called "Non-Administrator User Accounts."
OK, so it isn't making low-level code illegal. But I've yet to see evidence that this thing can install without having administrative privilege. And the same tried and tested rules apply for keeping that privilege safely locked away.
a justification for secure boot?
Of course the problem is the attack getting root in the first place. Secure boot just closes one way of keeping it but introduces new problems. Couldn't the root kit removal kit check how the machine is to boot? Couldn't the OS be hardened better to not be compromised in the first place? Secure boot is like saying the OS can't be secured and root kit removers can't do their job either. It is waving the white flag on software and retreating to hardware while not fixing the real problem. Unless it's not about security but locking hardware.......
Line of attack
This should remove the PITA rootkit:
1. Run Kaspersky's TDSSKiller to remove the infected files from your PC.
2. Boot the PC using a GParted Live CD, delete the rootkit's partition, and set the Windows partition to active.
3. Let the PC boot normally.
If Windows complains about booting, break out your installation disc. Boot from it and then perform the steps for your OS:
- Select the "Recovery console".
- Run "fixmbr" (fix master boot record).
- Run "fixboot".
- Select "Repair your computer".
- Select "Command prompt".
- Run "bootrec /fixmbr".
- Run "bootrec /fixboot".
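A defender's check for the behaviour quoted earlier in the thread (a hidden partition at the end of the disk, flagged active), useful before deleting anything in step 2: an added example, not from the article or any commenter, that parses a constructed 512-byte MBR and flags active entries whose type is not the expected OS type or which end at the disk's last sector. The disk size, partition layout and the hidden partition's type byte are constructed sample values.

```python
import struct

# MBR layout: 446 bytes of boot code, four 16-byte partition entries, 0x55AA.
# Entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian.
_ENTRY = "<B3sB3sII"


def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or signature)")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(_ENTRY, mbr, 446 + 16 * i)
        entries.append({"index": i + 1, "active": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def suspicious_active_partitions(mbr: bytes, disk_sectors: int,
                                 expected_types=(0x07,)) -> list:
    """Flag active entries that look like a bootkit partition: an unexpected
    type byte, or a partition that runs right up to the last sector of the disk."""
    findings = []
    for p in parse_mbr(mbr):
        if p["type"] == 0 or not p["active"]:
            continue  # empty slot or not marked bootable
        reasons = []
        if p["type"] not in expected_types:
            reasons.append(f"unexpected type 0x{p['type']:02x}")
        if p["lba_start"] + p["sectors"] == disk_sectors:
            reasons.append("partition ends at last sector of disk")
        if reasons:
            findings.append((p["index"], reasons))
    return findings


def _entry(active: bool, ptype: int, lba: int, sectors: int) -> bytes:
    return struct.pack(_ENTRY, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)


# Constructed sample: a 2,000,000-sector disk whose NTFS partition (type 0x07) has lost
# its active flag, and a small active partition of arbitrary type 0x1c at the very end.
DISK_SECTORS = 2_000_000
SAMPLE_MBR = (bytes(446)
              + _entry(False, 0x07, 2048, 1_995_904)
              + _entry(True, 0x1c, 1_997_952, 2048)
              + bytes(32) + b"\x55\xaa")

if __name__ == "__main__":
    for idx, why in suspicious_active_partitions(SAMPLE_MBR, DISK_SECTORS):
        print(f"partition {idx}: " + "; ".join(why))
```

On a real machine the 512 bytes would be read from the raw disk device while booted from trusted media, not from inside the possibly compromised Windows install.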
Wow, impressive, but I'll leave you to try to explain that to each of the 4.5m infected PCs' owners.
This should remove the PITA rootkit:
Step 1: browse to ubuntu.com...
Even Linux won't help you
if the media is already compromised. Although installing after you have clean media might.
How would you know which partition to delete if you are not familiar with partitions?
Or more simply, use AVG and run the rootkit scan. Worked for me when TDSSKiller refused to execute. I expect other AV programmes do the same. Just a shame they don't pick it up when it gets installed, but wait until you scan. I had a pc that wouldn't boot from a Windows cd because it had a virus. AVG fixed it.
Hmmm... an idea:
How about somebody write some software to go inside your *Router* to monitor what's going in and out?
In fact, adding some "security" software to routers would be a wonderful USP for the router vendors.
Umm it exists already
Sonicwall has had this sort of thing for years. The biggest problem I see with this solution is the god awful cost involved in keeping it up to date. It can be 10 times more expensive than normal AV "solutions" (I use solutions loosely as they don't seem to be up to the task very much anymore).
On a side note (and yes I know this is the wrong place but meh)
"Your email address is never published"
Never published in the comments but it sure is to other users via e-mail......zing
Plus there's Encryption.
Routers (in fact, any form of packet sniffer) can do sod all against encrypted connections since (by design) only the endpoints know what is inside.
java CAN call native api
That's part of the JNI spec ... You can call any C++ DLL stub via JNI.