'Indestructible' rootkit enslaves 4.5m PCs in 3 months One of the world's stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of …
This is seriously scary.
Is the internet doomed the way that the Euro is?
Let's all go back to living in caves. If this goes on, we may not have a choice. In fact, I think I'm going to go looking for a suitable cave tomorrow. I'll need a few dozen rolls of aluminium foil, several tonnes of canned food, and some serious weaponry to keep other cave-hunters at bay.
Punch-line to come.
First, move out of Windows monoculture. Before going back to living in caves, give Linux a try or even better, go directly with OpenBSD.
Yes, I totally agree with you these OS are far from being so polished and full of features like Windows is right now but you still get a headache-free computing experience.
Easier than poking around in the registry--especially for people who, like a lot of my friends, don't know a hex from a USB mouse.
"Okay open file thatapp.conf"
"OK"
"Find the line that says ThatSetting"
"Wait... no... no... Oh I see it."
"Change 'No' to 'Yes' and save the file"
"OK... done. Wait, that's it? That was easy!"
"Yep. That's why I made you buy me the beer first."
I remember reading somewhere back a few months ago that researchers were able to install one of these advanced bootkits on a machine that was running full-system encryption via truecrypt - *one* round of AES. The story was surprising at the time because that was one of the few mitigations of the installation of these bootkits - the idea being that existing (truecrypt boot loader) code was already in the MBR and that overwriting any of it would render the system unbootable since the truecrypt boot loader would be hence corrupt and wouldn't even load. Apparently there was still enough free space in the MBR to write to after the truecrypt code ended.
However, no one said anything about cascade encryption.
If you had a combination of AES+Twofish+Serpent as your system encryption scheme - would that be enough to plug any holes in the MBR to prevent these bootkits from installing? Anyone?
So, the solution to the problem of the nigh undetectable and ineradicable rootkit that will doubtless install stuff to bring your system to a crawl for all eternity is... to preemptively install stuff that will bring your system to a crawl for all eternity.
Can't we just build a linux pre-loader for windows that zeroes the entire memory and then checks to see if anything on your windows partition has changed since last boot, and freaks the hell out if it has? That would probably be less of a pain in the arse.
In fact I have 4 Macs, except having used Windows for 10 years I am not a self-satisfied plank with a Jobs worship fetish! I am an IT realist and to borrow a quote, I know the price of a malware free machine is eternal vigilence, and that includes OSX and Linux. Being smug sanctimonious pillock will lead to a very big and painful fall for you my friend!
----
Pretty typical of windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.
----
Could be worst - at least it's possible to run Win7 in limited privileges mode; there's nowhere near as much badly written software, that requires Admin privileges, on Win7 as there has been on any previous version.
I wouldn't say it was great but simply that it fails less hard that previous versions...
Out of the box Win7 is pretty tight. Its only when you start going in and disabling security features that it becomes vulnerable.
And above all of the back and forth between the OSs, if you just practice safe computing, you won't have to deal with any of this crap. Don't click links in emails that you weren't expecting, don't visit port or wares sites, question every pop up, never click YES. Been doing it for years with great success. Even my wife and kids are good at it these days. It isn't rocket science.
Early life forms evolve, and eat the lesser evolved for lunch.
If it's blacklisting other virus servers then it should be fairly easy to see if you're infected ... then I say we take off and nuke the site from orbit. It's the only way to be sure... I believe that's the new US policy and I'd guess that we'd only have to do it a couple of times before the lads from Latvia got the message.
Rootkits exist for Linux as well. This is eight year old information, but the principle should remain.
http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901
"There are many different versions of rootkits that perform basically the same function. Well known Linux rootkits include LRK, tOrn, and Adore and some Windows Rootkits include NTROOT, NTKap, and Nullsys...
Not only are rootkits designed to hide the presence of an attacker; they are also used to gain future administrator-level (root) access, launch distributed denial of service (ddos), or obtain financial or confidential information."
The article goes on to mention that rootkits overwrites common commands such as ps and netstat to hide rooted activity.
I'd agree that it is harder to get a nasty process to overwrite the MBR than it is for Windows, and that it is easier to detect afterward. Never the less, if the MBR is infected by any process on the machine (including Windows, if you are running dual boot) then you really have problems!
I use (and love) Mint as well but we do CANNOT be complacent. In the first place, while Linux is head and shoulders above Windows and/or OSX, it is not perfect nor unassailable--and tools that exist to attack Linux servers can be used to attack Linux desktops.
That being said, if we do pay attention to the threat and encourage the community to improve security, there's no reason we can't stay out of the realm of low-hanging fruit or even (gasp) produce a reasonably secure operating system.
It's a great shame that all the money that is being spent to combat these deliberate attacks on people, that's everyone, East and West whatever their nationality, whatever their religion, whatever their political belief is being wasted. This attack and other attacks is in reality an utter waste of precious treasure that could be better spent on helping people to have a decent, rather than a squalid life. It's not just the money but the time we are all wasting on protecting our systems from these attacks or rather cleaning out their evil residue. It's not as if one can isolate one's computer from the outside world either. Has anyone calculated just how much money is being spent on protecting us? Back in the good old days it was just the Stoned Virus that one had to contend with!
My XP computer was infected by this - I knew something was there as I noticed slight changes in behaviour and yet my computer was clean according to every anti virus I tried. Booting in safe mode and disabling all startup programs in msconfig (which gets rid of 99% of viruses) didn't work. Searching for recently changed .dll/.exe didn't give any clue either. It had infected the keyboard driver to load the main payload which was saved in some unused sectors. It installed a low-level drive filter to ensure that those sectors are read as zeroes. It then loads the original driver. As it is also encrypted in memory, no anti virus programs can detect it. Eventually I found out about TDSSKiller while searching for undetectable rootkits, which did confirm it was there and wipe it out.
This one wasted me a good few hours, especially since all the anti virus software was totally useless. The really worrying thing is that most users wouldn't have noticed something was wrong in the first place, and even if they did, running the latest anti virus software would convince them there is no infection after all...
Clearly a case for a boot-CD like the bit defender one?
Never had the misfortune to deal with this malware, but a clean boot should help.
Oh, until the bad guys also get round to flashing your BIOS...
Which reminds me of another rant, why can't the dumb buggers who design motherboards have a switch/jumper to enable BIOS updates? (default = locked, of course)
And why can BIOS provide a report of the boot area so you know it has changed? Yes locking it down as in "trusted boot" is a pain and not something I want as it would piss off Tux no end, but at least offering you the SAH-1 hash history (or similar) of the sectors used for booting would let you know if something had been changed and so if a boot/clean CD was worth trying pre-emptively.
I get user after user after user asking me, "How do I tell if I'm infected?" so if there was a really easy internet site that could check IPs against those recorded as being members of a botnet, that could be a real bonus for some people who ... to be honest ... no longer trust their anti-virus solution.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
