World's stealthiest rootkit gets a makeover

One of the world's more advanced pieces of malware has just gotten a makeover that could make it even more resistant to takedown efforts, security researchers said. An analysis of recent updates to the TDL4 rootkit, which is also known as TDSS and Alureon, shows that components including its kernel-mode driver and user-mode …

COMMENTS

This topic is closed for new posts.
  1. nyelvmark
    Coat

    ... its use of low-level instructions made it hard...

    The solution is obvious. We must make low-level code illegal immediately, and arrest anyone suspected of being capable of creating it. The only secure future is through Java.

    The days of these hackers with their disassembly programs are numbered. One day soon, all of the world's fundamental algorithms will have been coded in Java, and we will be able to start the cleanup.

    First up against the wall will be the assembly-language coders, followed quickly by anyone who has ever produced a working program in a terrorism-capable language such as C, ALGOL, FORTRAN, COBOL or the like.

    For C++, a subtle test will be needed: coders will be asked to write a program which reads each element of a string array and prints it. Any hacker who manages this task without creating a class with an iterator method will swiftly follow their subversive co-conspirators.

    It's only common sense. I mean, we don't let nuclear physicists run around and do anything they want to, innit?

    1. AlexH
      WTF?

      Someone's irony detector is malfunctioning.

      (Currently studying natural language processing and we're covering text classification. Maybe I should train up a browser plugin to detect and highlight irony for those that can't do it themselves...)

    2. FrankAlphaXII
      Coat

      To quote professor Farnsworth.....

      A world coded in Java? "I don't want to live on this planet anymore"

      Mine's the one with the C# book in the pocket.

    3. amanfromMars 1 Silver badge

      Super Sub Atomic ParticularIT ..... Super SAP IT for AI Peculiar ProgramMING Systems

      :-) Nice post, Big Brother nyelvmark. However, with regard to that last short paragraph and question, .... "It's only common sense. I mean, we don't let nuclear physicists run around and do anything they want to, innit?" .... don't be putting any good money on that being the case, for you will lose it.

    4. roselan
      Meh

      I never was able to imagine hell... till your post!

    5. DF118
      FAIL

      Sarcasm apparently too subtle for the downvoter(s)

      1. FrankAlphaXII

        Sarcasm doesn't work well on El Reg's corner of the web. Nearly all of my many downvotes are when I'm being sarcastic but don't use the Joke Alert icon.

    6. Anonymous Coward
      Anonymous Coward

      Java?

      Python is what you need.

      1. Andus McCoatover
        Windows

        Python is what you need.

        Nope.

        For the poor sod who downvoted the irony above, I'd suggest a year in Guantanamo, being forced to watch Monty Python at high volume...

    7. Asgard
      Coat

      Arresting all the C++ programmers won't work.

      I know you are joking, but it still won't work. The reason is if there is no low level allowed, then Java would become the new low level. Which means future languages would then be written in Java and hackers would then treat Java as if it was the new low level language to write hacks in. :)

      At which point we round up all the Java coders and shoot them, leaving only the future language coders, which would then become the new lowest level. Then people will write even more futuristic languages with that new low level and hackers will treat that as the language to attack...

      ... At which point ... I'm sensing my brain is reaching a stack overflow in this discussion. :)

      I'm reminded of the phrase, "It's turtles all the way down". The more layers we add, the more layers the hackers have to choose from to attack. :)

  2. Destroy All Monsters Silver badge
    Paris Hilton

    "create a hidden partition at the end of the infected machine's hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run."

    Really!

    Who runs the code how? The Windows bootloader?

    1. david 12 Silver badge

      Who runs the code how? The Windows bootloader?

      The TDL4 virus is a bootloader. It runs the Windows bootloader: it is run by the ROM bootloader, which is run by the uP bootloader.

      The process, starting with the coded-in-silicon behaviour of the uP at power-up, has been compared to pulling yourself up by your own hair, shoe-laces, or boot-straps.

  3. Mage Silver badge

    nyelvmark: I hope that's a poor attempt at humour

    Hmmm

    http://www.gmer.net/

  4. Steve Knox
    FAIL


    "Newer versions create a hidden partition at the end of the infected machine's hard disk and set it to active."

    Meaning it would take AT LEAST 1990s-era BIOS technology to stop!

  5. Anonymous Coward
    Anonymous Coward

    Hidden partition ?

    This means booting from a live CD and performing an offline scan should be the norm by now.

    1. Ken Hagan Gold badge

      Re: booting from a live CD

      Actually, building a PC that boots from a replaceable (unlike flashable BIOS) but read-only (unlike flashable BIOS) medium really *ought* to have been the norm for the last couple of decades. Instead, we've had moronic attempts to move the goalposts with OS vendors and chip manufacturers vying to introduce new levels of even more trusted hypervisors that only people with deep pockets can get their code signed for.

      A CD-ROM is a rather clunky way of doing it, but it works.

    2. Cpt Blue Bear

      @Hidden partition

      We already thought of that and it's been SOP for several years.

  6. Anonymous Coward
    Anonymous Coward

    Ha!

    Winblows - ever so secure!

    1. El Cid Campeador
      Stop

      Not so fast...

      I'm as big a fan of Linux as anyone out there... and I refuse to have a Windows machine, BUT... this kind of rootkit would work against a Linux machine too, and a good Trojan can still trick the user into installing it.

      In this case we should be working together to detect this kind of shenanigans instead of flaming each other.

      1. alain williams Silver badge

        Would work on Linux ?

        "a good Trojan can still trick the user into installing it."

        Only if the user was logged in as root while reading email/whatever.

        Just because something is "possible" does not say much about how likely it is to happen, for that you need to look at the other links in the chain that make it possible. We are fortunate that these links are much tougher on Unix based systems than they ever have been on MS Windows.

        1. Nigel 11
          Alert

          Linux kernel bugs

          Don't be too complacent. Kernel vulnerabilities have existed in the past that would allow a vulnerable kernel to be root-kitted without a human doing anything ill-advised as root. Other such vulnerabilities almost certainly exist at present. A smart black-hat will scour the code for such, and when he finds one, keep quiet about it while targeting it for root-kit delivery.

          Trying to deal with possible infection from inside a compromised operating system -- any system -- is a bad idea. Offline scanning, booted off trusted read-only media, is the way to go. There is just one problem with this ... absent write-protect switches on hard drives, the offline scanner itself becomes a perfect vector for malware distribution, if it can be compromised.

          We can't win. Two-plus billion years of evolution has been playing the same games, and the parasites always come out on top.

          One of Linux's strengths is actually the same as the one that higher organisms have come up with - diversity, rather than a monoculture of identical clones. The logical next step will be building kernels and root-mode code from source through some sort of compile-time randomizer, so that every installation has a different memory footprint, despite performing identical high-level functions.

          1. Anonymous Coward
            Thumb Up

            Some modern OSes have ASLR

            Or Address Space Layout Randomisation, which is very similar to the idea you describe.

            Both Windows and Mac OS have this feature.

          2. Charles 9

            On top of that...

            ...how do you know the write-protected media you're using wasn't compromised BEFORE it was write-protected? There have been a few instances of trojaned PRESSED CDs (which are by design read-only) because an unknown trojan somehow managed to get into the gold disc production process and passed everything on into the press.

        2. Swarthy
          Devil

          The key is in the name

          It's a *root* kit, it is the embodiment of privilege escalation. Windows does not have a root user, it has admins. If it were a strictly Windows phenomenon, it would be called an Adminkit.

          I hate to say it (really, I do), but rootkits started in UNIX, and I doubt that Linux has completely patched all avenues of privilege escalation. Besides, a lot of this sort of thing is Trojans, installed by users; and as my father taught me: "You can't fix stupid."

  7. Charles 9

    Then how does Java talk to the CPU?

    At SOME point, you're going to need machine language, as that's the ONLY thing the CPU really understands. You eventually have a "Quis custodiet ipsos custodes?" situation in which you have to trust the coder of your Java interpreter/compiler.

    1. Anonymous Coward
      Anonymous Coward

      How does Java talk to the CPU?

      Bloody slowly, that's how. Slow, crappy, ugly language. Die die die!

  8. John Smith 19 Gold badge
    Unhappy

    Let me suggest a possibly radical idea.

    Building secure software systems is a *process* not an event.

    Anyone who starts by calling a team meeting and telling them "We're going to write *secure* software from now on" is clearly a PHB who has f***all idea of how to create lasting change.

    Does anyone think changing how a software development team does its work is going to be any *easier* than how (say) the NHS does its job?

    I'd suggest it's not the lack of information on how to do this that is a problem.

    It's *wanting* to do it in the first place that is and the skills to make the changes necessary for it to be applied.

    1. Tom 13

      You know John,

      that's just CRAZY talk!

  9. Anonymous Coward
    Anonymous Coward

    I copped for alureon

    and it was a bastard to remove using "advanced techie" skills (regedit, msconfig, event viewer, startup cpl etc etc).

    I believe it was Kaspersky who had a standalone removal tool...

    I ran this in the end as it became a time vs effort required kind of situation.

  10. Gordon Fecyk
    Go

    But can non-admin install it?

    "The solution is obvious. We must make low-level code illegal immediately"

    Already done: it's called "Non-Administrator User Accounts."

    OK, so it isn't making low-level code illegal. But I've yet to see evidence that this thing can install without having administrative privilege. And the same tried and tested rules apply for keeping that privilege safely locked away.

  11. Joe Burmeister
    Flame

    a justification for secure boot?

    Of course the problem is the attack getting root in the first place. Secure boot just closes one way of keeping it but introduces new problems. Couldn't the root kit removal kit check how the machine is to boot? Couldn't the OS be hardened better to not be compromised in the first place? Secure boot is like saying the OS can't be secured and root kit removers can't do their job either. It is waving the white flag on software and retreating to hardware while not fixing the real problem. Unless it's not about security but locking hardware.......

  12. Joe User
    Terminator

    Line of attack

    This should remove the PITA rootkit:

    1. Run Kaspersky's TDSSKiller to remove the infected files from your PC.

    2. Boot the PC using a GParted Live CD, delete the rootkit's partition, and set the Windows partition to active.

    3. Let the PC boot normally.

    If Windows complains about booting, break out your installation disc. Boot from it and then perform the steps for your OS:

    Win XP

    - Select the "Recovery console".

    - Run "fixmbr" (fix master boot record).

    - Run "fixboot".

    - Reboot.

    Win 7

    - Select "Repair your computer".

    - Select "Command prompt".

    - Run "bootrec /fixmbr".

    - Run "bootrec /fixboot".

    - Reboot.

    1. Martin Ryan

      Wow, impressive, but I'll leave you to try to explain that to each of the 4.5m infected PCs' owners.

      1. ratfox
        Trollface

        This should remove the PITA rootkit:

        Step 1: browse to ubuntu.com...

        1. Anonymous Coward
          Anonymous Coward

          Even Linux won't help you

          if the media is already compromised. Although installing after you have clean media might.

    2. MikeLA

      Which partition?

      How would you know which partition to delete if you are not familiar with partitions?
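MikeLA's question above is the right one to ask before deleting anything. As an added example (not from the article or any commenter), the following parses a raw MBR sector, lists the four primary entries, and flags an active entry that sits after every other partition and is small relative to the disk, which is the pattern the article describes. It assumes the analyst has already dumped the first 512 bytes of the disk while booted from trusted read-only media; the sample sector, its disk size and the type byte 0x7f are constructed values, and the heuristic is a starting point for a closer look, not a verdict.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_FLAG = 0x80

def parse_mbr(sector: bytes) -> list:
    """Decode the four 16-byte primary entries of a classic MBR partition table:
    status, CHS start (3), type, CHS end (3), LBA start (LE), sector count (LE)."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i, "active": status == BOOT_FLAG, "type": ptype,
                        "start": lba_start, "sectors": count,
                        "end": lba_start + count - 1})
    return entries

def find_trailing_active(entries: list, disk_sectors: int, tail_fraction: float = 0.01) -> list:
    """Heuristic: indices of active partitions that lie after every other partition
    and occupy less than tail_fraction of the disk. Inspect these first."""
    flagged = []
    for e in entries:
        others = [o for o in entries if o is not e]
        after_all = all(e["start"] > o["end"] for o in others)
        small = e["sectors"] < disk_sectors * tail_fraction
        if e["active"] and others and after_all and small:
            flagged.append(e["index"])
    return flagged

def _entry(active: bool, ptype: int, start: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", BOOT_FLAG if active else 0, ptype, start, count)

def sample_mbr() -> bytes:
    """Constructed sample: 2,000,000-sector disk, a non-active NTFS partition,
    and a small active partition at the very end (type 0x7f chosen arbitrarily)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = _entry(False, 0x07, 2048, 1_900_000)
    mbr[462:478] = _entry(True, 0x7f, 1_990_000, 8_192)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    parts = parse_mbr(sample_mbr())
    for p in parts:
        print("slot %d type 0x%02x active=%s start=%d end=%d" % (p["index"], p["type"], p["active"], p["start"], p["end"]))
    print("suspicious active slots:", find_trailing_active(parts, 2_000_000))
```

On a real disk, pass the first 512 bytes of the device and its total sector count instead of the constructed sample; GPT disks carry only a protective MBR and need a different parser.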

  13. dontwantahandle

    Or more simply, use AVG and run the rootkit scan. Worked for me when TDSSKiller refused to execute. I expect other AV programmes do the same. Just a shame they don't pick it up when it gets installed, but wait until you scan. I had a PC that wouldn't boot from a Windows CD because it had a virus. AVG fixed it.

  14. JeffyPooh
    Pint

    Hmmm... an idea:

    How about somebody write some software to go inside your *Router* to monitor what's going in and out?

    In fact, adding some "security" software to routers would be a wonderful USP for the router vendors.

    1. James O'Brien
      Facepalm

      Umm it exists already

      Sonicwall has had this sort of thing for years. The biggest problem I see with this solution is the god awful cost involved in keeping it up to date. It can be 10 times more expensive than normal AV "solutions" (I use solutions loosely as they don't seem to be up to the task very much anymore).

      On a side note (and yes I know this is the wrong place but meh)

      "Your email address is never published"

      Never published in the comments but it sure is to other users via e-mail......zing

      1. Charles 9

        Plus there's Encryption.

        Routers (in fact, any form of packet sniffer) can do sod all against encrypted connections since (by design) only the endpoints know what is inside.

  15. Babai
    Holmes

    Java CAN call native API

    That's part of the JNI spec ... You can call any C++ DLL stub via JNI.
