Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Botnet IT

Massive Botnet "Indestructible," Say Researchers 583

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
This discussion has been archived. No new comments can be posted.

Massive Botnet "Indestructible," Say Researchers

Comments Filter:
  • Take 'em offline (Score:3, Insightful)

    by jnpcl ( 1929302 ) on Wednesday June 29, 2011 @07:21PM (#36617644)

    Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

    • by Shikaku ( 1129753 ) on Wednesday June 29, 2011 @07:26PM (#36617688)

      From TFS:

      What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      "What about the volume?" Encrypted Bittorrent.

      • by vux984 ( 928602 )

        So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

        Well there must be some way to sniff them out or the researchers wouldn't know it existed or have any idea that millions of machines were infected....

        • Re:Take 'em offline (Score:5, Informative)

          by realityimpaired ( 1668397 ) on Wednesday June 29, 2011 @07:41PM (#36617802)

          Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

          Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

          • Re:Take 'em offline (Score:5, Informative)

            by vux984 ( 928602 ) on Wednesday June 29, 2011 @08:01PM (#36617936)

            I'm with you on the use of netcat etc.

            I assume they build honey pot systems, setup with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.

            it's fairly trivial to estimate how many clients are connected to it.

            That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.

            To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.

            Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few coop agreements, and ISPs could swap lists of infected systems from eachothers networks easily enough as well.

            • Yeah, I'll bet your honeypot system would be squeaky clean, plus just this program. Digging this out from all the other crap on the machine would take months.

              • by vux984 ( 928602 )

                Nope it'd be full of crap to be sure.

                But how else do researchers "find" botnets, except by looking at infected pcs... ?

                • Sniffing traffic pairs to CnC destinations. Mirror a switch port, then sniff the traffic to nonsense destinations. Watch DNS logs for odd hit builds. Sift some more.

                  Look for local destination peers that don't make sense. Then you've got the local net infections.

        • Unless it's a massive bitcoin mining operation or some actual spyware of the sort which steals credit card data, there's not a lot I can think of that they would want those machines for which would be able to work with entirely encrypted communication. In particular, if they're spam zombies, the flood of email should be a clue.

          Then again, there is the problem of knowing that a given attack was a DDoS, and knowing whether a given machine which participated in that attack was a botnet zombie or a legitimate u

      • by spydum ( 828400 )

        DNS traffic from the client may still be used to identify infected hosts -- but it is certainly less simple than it used to be.

      • Well, spewing spam should be a strong clue.

        Dynamic IPs shouldn't be allowed to send outbound email directly anyhow.

      • by gatkinso ( 15975 )

        It is possible to fingerprint encrypted traffic, even if you can't decrypt it.

        But you asked about differences: destination, port, rate, traffic volume. To name a few.

      • Re:Take 'em offline (Score:4, Informative)

        by jimicus ( 737525 ) on Thursday June 30, 2011 @12:14AM (#36619392)

        So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

        The answer is you can't tell, and neither can the ISP.

        Not strictly true, actually. IIRC it's already been shown that while SSL hides the content of the connection, it does a lousy job at hiding the protocol/likely payload; you can generally deduce this with remarkable accuracy by looking at the patterns the traffic follows.

        For instance: Voice will have a more-or-less constant stream of small packets going in both directions, an interactive HTTP session will have bursts of data with packets of varying size in both directions, the total amount downloaded in each burst being up to a few hundred K at a time, a file being downloaded over HTTP will have a number of large packets in one direction and a constant stream of much smaller packets going in the other direction. It's a bit more sophisticated than this but AIUI that's the general gist.

        It isn't 100% accurate, but for most practical purposes it's close enough.

      • So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file? The answer is you can't tell, and neither can the ISP.

        Simple solution... don't allow encrypted traffic. If you're not doing anything wrong, you don't have anything to hide.

        And no, I'm not being serious.

    • Re: (Score:3, Insightful)

      by Joe U ( 443617 )

      The only long term solution is to infect the infected with something that low level formats their HDD.

      That will stop the problem.

      It's amazingly illegal though, so it's not happening anytime soon.

      • by interkin3tic ( 1469267 ) on Wednesday June 29, 2011 @08:23PM (#36618074)

        The only long term solution is to infect the infected with something that low level formats their HDD.

        That's not true, there are plenty of long term solutions. We got -plenty- of nukes.

      • The only long term solution is to infect the infected with something that low level formats their HDD.

        That will stop the problem.

        It's amazingly illegal though, so it's not happening anytime soon.

        It's also illegal to infect a PC with a worm and use it to run a spam botnet, but that hasn't stopped anyone. Maybe some vigilante will finally get tired of it and do something about it.

    • Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

      Asking ISPs to stand in the firing line of legal liability? Uh...yeah. You'll stand a better chance in hell with a snowcone machine.

      And that answer isn't very easy when you're talking AT&T or Verizon cutting off entire hosted corporations.

      • by garcia ( 6573 )

        geek, ATTBI (back in the 2001/2002 days) took infected computers off their network by disabling their cfg files. There's no legal liability there.

      • Re:Take 'em offline (Score:5, Interesting)

        by the_bard17 ( 626642 ) <theluckyone17@gmail.com> on Wednesday June 29, 2011 @07:43PM (#36617826)

        Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

        The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

        It seems the T&C is being used as a catch all for all the other shady business telecom's are pushing down our tubes... may as well as use it for a bit of good, too.

        • by geekmux ( 1040042 ) on Wednesday June 29, 2011 @08:05PM (#36617962)

          Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

          And as this particular one operates, good luck discerning a valid encrypted connection from a invalid/infected one.

          The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

          Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.

          • by AvitarX ( 172628 )

            I bet getting rid of that type of customer saves money in support, not all customers are profitable, and the calls about my google hours to a different site probably cost money.

        • Re: (Score:2, Insightful)

          by farseeker ( 2134818 )

          The third time, require a faxed copy of a receipt/invoice/statement from a third party

          Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine

        • Sorry, I am NOT going to attempt to eradicate a virus at someone's house if they have no internet. Makes error code lookups, update managing, etc nearly impossible. Sure you could download everything at your own house, then bring that with you, especially since after a re-install you need to run windows-update about 15 times!

          I do believe that infected computers need to be dropped off the net, but it is VERY difficult to fix the problem without the internet to begin with.
      • Asking ISPs to stand in the firing line of legal liability?

        Not a problem.. The government can grant them immunity, like it did for the unwarranted wiretaps..

  • Invisible? (Score:5, Insightful)

    by blair1q ( 305137 ) on Wednesday June 29, 2011 @07:28PM (#36617698) Journal

    Putting the thing in the MBR just means you can't intercept it during boot.

    It doesn't for a second mean it's invisible.

    • Re:Invisible? (Score:4, Insightful)

      by vux984 ( 928602 ) on Wednesday June 29, 2011 @07:36PM (#36617776)

      It can become pretty well invisible to the infected host system though.

      A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.

      Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

      • Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

        Isn't it obvious? The next version of Kaspersky of course!

      • Re:Invisible? (Score:5, Informative)

        by schwit1 ( 797399 ) on Wednesday June 29, 2011 @07:43PM (#36617822)

        http://download.bitdefender.com/rescue_cd/ [bitdefender.com]
        http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/ [kaspersky-labs.com]

        Both of these update from the internet after booting up.

      • Re:Invisible? (Score:5, Informative)

        by Z34107 ( 925136 ) on Wednesday June 29, 2011 @07:58PM (#36617918)

        The safest way is nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.

        The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.

        Expert mode is make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)

        For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.

        Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).

        If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.

        • Re:Invisible? (Score:5, Interesting)

          by cgenman ( 325138 ) on Thursday June 30, 2011 @01:21AM (#36619684) Homepage

          Unfortunately, most people who are running a modern version of Windows are doing so because it came on the computer they bought it on. I say unfortunately, because I have yet to see a computer ship with anything but those damned useless "restore" DVD's. It can't fix your system, or perform routine maintenance tasks, or anything useful. And if you've make any alterations to your hardware setup, you can forget it.

          Shipping without an install disk for a paid for pre-installed OS that bundles lots of routine OS functionality on its install disk should be illegal. Or, rather, it should be legal to pass around copies of the install disk to everyone who has the OS.

      • Re:Invisible? (Score:4, Interesting)

        by Spikeles ( 972972 ) on Wednesday June 29, 2011 @08:21PM (#36618064)
        TDSSKiller [kaspersky.com]
        • Thank you. I read the whole article wondering, "how can these over-sensationalistic idiot writers spend half the article talking about TDL4 and interviewing Kaspersky employees, and yet not bother to mention the very excellent, and very free, TDSSKILLER tool from Kaspersky that kills TDL4 dead?" If I was one of the Kaspersky guys interviewed, I'd be pissed.

    • fdisk /fixmbr should fix it, no?
  • by Anonymous Coward

    Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?

    • As long as there isn't a recovery partition (or even if there is, most of the time), boot from an OS install disk, go to repair mode, then type 'fixboot' and 'fixmbr'. you're now have a stock MBR.

    • If you load before the OS, then you can load as the host, and run the 'real' OS as a guest operating system. You can then intercept all calls to the hardware. (kind of like how VMware can sit under windows, and tell it that it has an LSI SCSI drive, when it doesn't.) Instead of reporting the real MBR, you can tell the guest operating system that the MBR is exactly what it expects.

      • by mlts ( 1038732 ) *

        This is one reason why a TPM chip is a useful tool. It is present, but disabled in most servers.

        Enable BitLocker, make sure to save the recovery key somewhere safe (preferably printing it out as well), have it use the MBR, and call it done.

        If malware nails the MBR after BitLocker gets turned on, the machine will not boot. One can use Windows PE, mount the system volume with the recovery key, and squash the malicious software that way.

      • by lennier ( 44736 )

        If you load before the OS, then you can load as the host, and run the 'real' OS as a guest operating system. You can then intercept all calls to the hardware. (kind of like how VMware can sit under windows, and tell it that it has an LSI SCSI drive, when it doesn't.) Instead of reporting the real MBR, you can tell the guest operating system that the MBR is exactly what it expects.

        What if you boot off the CD-ROM created by your favourite virus scanner which bypasses Windows and the hard disk and the MBR entirely?

        Kids these days do know that nothing on the hard disk has ever been trustworthy once you have the slightest suspicious of any kind of malware, and that you always boot right off trusted read-only media as soon as you even think of running an remedial anti-malware tool, right? and that this is not some new 2011 thing but was always the case, because MBR infectors were the firs

  • by CokeBear ( 16811 ) on Wednesday June 29, 2011 @07:30PM (#36617716) Journal

    Sounds like a challenge...

  • Just wait till it faces blue kriptonite
  • by DrJimbo ( 594231 ) on Wednesday June 29, 2011 @07:32PM (#36617748)

    Does it run Linux?

    • What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.

      • What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.

        It is still only feasible if the intruders can gain root access to the machine to install the botnet client and vm. I use OpenBSD and I can look at my logs and laugh at the number of failed intrusion attempts. A more secure OS certainly will prevent this.

        • by rtaylor ( 70602 )

          Ahh, but can you detect the successful intrusions?

          Most windows users can also look at their logs (assuming they keep such things) and view a large number of failed attempts. Of course, there are also a handful of successful ones.

          Yes, I know OpenBSD is very secure, particular for root access; user accounts not so much if the user will run anything they download. More than half of OpenBSDs security is that security conscious people select that operating system.

      • Re:Here's an idea (Score:4, Insightful)

        by jmorris42 ( 1458 ) * <jmorris@bea u . o rg> on Wednesday June 29, 2011 @09:01PM (#36618320)

        > What if someone wrote malware that would run a VM from the boot sector, and
        > then ran your existing OS from the VM?

        You would notice when your 3D performance began to suck ass. And when either all of your devices became virtual ones or all other performance (net, disk, etc) also began to suck ass. Unless you assume a genius who can create a VM environment that works perfectly transparently, has almost zero overhead and otherwise breaks major new ground in the science; and that they waste their time on a virus instead of kicking VMWare, RedHat, QEMU, etcs ass and seizing a multi-billion dollar red hot market segment.

        • by AmiMoJo ( 196126 )

          You would notice when your 3D performance began to suck ass.

          Wrong. A virus only needs to virtualise the CPU and memory, it can leave hardware directly accessible.

          A VM runs code natively on the CPU and remaps or intercepts access to memory. How far you take that is up to you. Some viruses install a driver that gets loaded early in the Windows boot sequence and uses the MMU to intercept access to memory locations that would allow it to be detected and removed by anti-virus software.

          This botnet virus does the same thing but sets up the MMU in the boot block rather than

    • or something like that, because linux machines are constantly running grub to rewrite the bootsector

      you could rewrite part of the kernel binary so that it would lie to grub i guess.

      or you could rewrite the grub binary to lie to the user.

      those two things are kind of non-trivial because linux is increidbly diverse.

      now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.

  • by Hatta ( 162192 ) on Wednesday June 29, 2011 @07:42PM (#36617816) Journal

    # When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used â" this means that the authors are in violation of a licensing agreement.

    Somehow I think that's the least of their concerns.

    • by gumbi west ( 610122 ) on Wednesday June 29, 2011 @08:37PM (#36618168) Journal

      Think of how they get Al Capone. Noting would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.

      BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.

      • by Ltap ( 1572175 )
        This is one option, but another is that people like the BSA will use it as an example of how "evil" free software is. When in doubt, public opinion tends to go the way of lobbyists.
  • Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.

    It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?

    • It doesn't involve DRM, so I doubt they'll worry about it for at least another 9 months.
    • For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines

      But how ? The virus hides its first stage in the MBR and is launched *before* the OS. By the time windows has started the computer is *already* compromised, the virus is already running and can do all the trick it wants to hide it self from the running system, or to alter the software being run.

    • The last thing I'd want to see is any company, at all, automatically fucking with my MBR just because it doesn't think it matches what they consider a standard MBR. If they can't do that then they can't remove the rest of the infection and the botnet guys can just upload a new one to circumvent the patch.
    • by jamesh ( 87723 )

      Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.

      It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?

      The problem is that by definition, the malware authors always get to go first. As soon as Microsoft (or other antivirus vendor) figure out how to prevent the current malware from working, the malware guys will have reverse-engineered the update, developed a workaround, and deployed it before the windows/antivirus update has reached widespread deployment. They also have other advantages over Microsoft as they don't care as much if they crash a few computers along the way. Microsoft need to do heaps of regres

  • Nothing new (Score:2, Interesting)

    In 2004 my cousin had malware that hid in the partition table and even a fresh format and windows reinstall could get rid of it. Only a good dos fdisk that deleted the table with a format and reinstallation. Today evil malware can hide in both the shadow volumes of restore points to reinstall themselves and avoid detection and also system recovery partitions so a fresh os reinstallation will reinstall the malware. Fun times

  • Technically speaking, that's pretty awesome. I know they're bad guys, but some props to them. They're geek bad guys, and they've done some fine work here.
  • A new and improved botnet that has infected more than four million PCs is 'practically indestructible

    ... only until an 8 million PC botnet decides to "borg" the competition.

  • by Fractal Dice ( 696349 ) on Wednesday June 29, 2011 @08:05PM (#36617966) Journal
    Isn't command and control the antithesis of indestructability? Any software that can be patched can be destroyed.
  • Not impossible (Score:4, Interesting)

    by Anonymous Coward on Wednesday June 29, 2011 @08:16PM (#36618034)

    I work at a computer repair shop.

    We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

    • Re:Not impossible (Score:5, Insightful)

      by fluffy99 ( 870997 ) on Wednesday June 29, 2011 @11:02PM (#36618954)

      I work at a computer repair shop.

      We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

      Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.

    • by Timmmm ( 636430 )

      They meant the *botnet* is indestructible. You just killed one of four million nodes.

  • Curious Yellow [blanu.net] was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.

  • by Dachannien ( 617929 ) on Wednesday June 29, 2011 @08:35PM (#36618152)

    The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.

    Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.

    • by adri ( 173121 )

      Unless you're smart and you limit your P2P to the kinds of "cell" organisations used in shady groups.

      That way the only nodes you can get are the few you immediately know about.

      Add some logic to ensure that all your nodes are cross-jurisdiction and throw in some random time delays and random connections to nodes that aren't infected (ie, law enforcement honeypots) and .. well, you've just increased the paperwork level 100 fold.

      I'm glad I'm not a blackhat.

  • All that law enforcement needs to do is to purchase payload delivery on the botnet and include commands to delete Windows from each offending PC. Alternatively, they just need to place copyrighted material on each host and send in the MPAA and RIAA with infringement notices. That should get the job done.
  • by Zaphod-AVA ( 471116 ) on Wednesday June 29, 2011 @08:47PM (#36618244)

    When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

    To detect it, run the latest version of GMER.
    http://www.gmer.net/

    To remove it, you need to run a series of three scanners in this order:
    TDSSkiller
    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Combofix
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    and Malwarebytes' Antimalware
    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

    Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

    As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.

    -Z

  • Try TDSS killer! (Score:4, Interesting)

    by Falconhell ( 1289630 ) on Wednesday June 29, 2011 @08:50PM (#36618262) Journal

    I had a bit of trouble removing it with TDSS kiler a few weeks ago, but got there in about half an hour.

    If it wont run you will need the file association reset tool.

    http://support.kaspersky.com/downloads/utils/tdsskiller.zip [kaspersky.com]

  • Infected emails?
    Hacked website or ad provider serving out drive-by-downloads?
    Compromised IM accounts?
    All of the above?

    Personally I think someone needs to write an "Internet Security for Dummies" book that uses real world analogies to explain internet security concepts to clueless people. For example, it could compare leaving your front door unlocked to not having a firewall. Or it could show real-world things that most people would never do (give their credit card or bank details to a total stranger because

By working faithfully eight hours a day, you may eventually get to be boss and work twelve. -- Robert Frost

Working...