Massive Botnet "Indestructible," Say Researchers

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
  • Re:Take 'em offline (Score:5, Informative)

    by realityimpaired ( 1668397 ) on Wednesday June 29, 2011 @08:41PM (#36617802)

    Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

    Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

  • Re:Invisible? (Score:5, Informative)

    by schwit1 ( 797399 ) on Wednesday June 29, 2011 @08:43PM (#36617822)

    http://download.bitdefender.com/rescue_cd/ [bitdefender.com]
    http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/ [kaspersky-labs.com]

    Both of these update from the internet after booting up.

  • Re:Invisible? (Score:5, Informative)

    by Z34107 ( 925136 ) on Wednesday June 29, 2011 @08:58PM (#36617918)

    The safest way is to nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.

    The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.

    Expert mode is to make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)

    For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.

    Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).

    If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.

  • Re:Take 'em offline (Score:5, Informative)

    by vux984 ( 928602 ) on Wednesday June 29, 2011 @09:01PM (#36617936)

    I'm with you on the use of netcat etc.

    I assume they build honey pot systems, setup with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.

    it's fairly trivial to estimate how many clients are connected to it.

    That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.

    To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.

    Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few co-op agreements, and ISPs could swap lists of infected systems from each other's networks easily enough as well.

  • Re:Lawsuit (Score:4, Informative)

    by Homr Zodyssey ( 905161 ) on Wednesday June 29, 2011 @09:42PM (#36618208) Journal

    Time for a car analogy.

    If someone hot-wires my car, and then rams it into a police station, then I'm not liable. The car manufacturer is not liable. The police are not liable. As a matter of fact, it's not even my fault if I left the doors unlocked and the engine running. The person responsible is the bastard that stole it and did the damage.

    These viruses and botnets are not spontaneous. They are not random acts of nature. They happen because of bad guys doing bad things. We should all take reasonable precautions, but we shouldn't be held liable for their actions.

  • by Zaphod-AVA ( 471116 ) on Wednesday June 29, 2011 @09:47PM (#36618244)

    When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

    To detect it, run the latest version of GMER.
    http://www.gmer.net/

    To remove it, you need to run a series of three scanners in this order:
    TDSSkiller
    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Combofix
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    and Malwarebytes' Antimalware
    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

    Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

    As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.

    -Z

  • Re:Invisible? (Score:4, Informative)

    by Zaphod-AVA ( 471116 ) on Wednesday June 29, 2011 @10:12PM (#36618394)

    That will make the MBR clean on the next boot, but it will reinfect the MBR once Windows loads as well.

  • Re:Take 'em offline (Score:4, Informative)

    by jimicus ( 737525 ) on Thursday June 30, 2011 @01:14AM (#36619392)

    So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

    The answer is you can't tell, and neither can the ISP.

    Not strictly true, actually. IIRC it's already been shown that while SSL hides the content of the connection, it does a lousy job at hiding the protocol/likely payload; you can generally deduce this with remarkable accuracy by looking at the patterns the traffic follows.

    For instance: Voice will have a more-or-less constant stream of small packets going in both directions, an interactive HTTP session will have bursts of data with packets of varying size in both directions, the total amount downloaded in each burst being up to a few hundred K at a time, a file being downloaded over HTTP will have a number of large packets in one direction and a constant stream of much smaller packets going in the other direction. It's a bit more sophisticated than this but AIUI that's the general gist.

    It isn't 100% accurate, but for most practical purposes it's close enough.
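The shape-based classification jimicus describes above, and the "once you know the traffic is there" spotting that realityimpaired mentions earlier in the thread, as an added example that is not code from any poster: a small Python heuristic that labels an encrypted flow from packet timing and size alone, never its payload. The Pkt record, the thresholds and the sample flows are my own constructions, not taken from any real capture.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Pkt:
    t: float    # seconds since the first packet of the flow
    out: bool   # True = sent by the host being watched, False = received
    size: int   # bytes on the wire

def _shape(pkts):
    # Mean packet size and coefficient of variation of the inter-packet gaps.
    sizes = [p.size for p in pkts]
    gaps = [b.t - a.t for a, b in zip(pkts, pkts[1:])]
    return mean(sizes), (pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0)

def classify_flow(pkts):
    """Label an encrypted flow by its shape alone; payload is never inspected."""
    out = [p for p in pkts if p.out]
    inn = [p for p in pkts if not p.out]
    if len(out) < 2 or len(inn) < 2:
        return "too-little-data"
    out_sz, out_cv = _shape(out)
    in_sz, in_cv = _shape(inn)
    balance = len(out) / len(inn)
    # Voice: small, evenly spaced packets at a similar rate in both directions.
    if out_sz < 250 and in_sz < 250 and 0.5 < balance < 2 and out_cv < 0.3 and in_cv < 0.3:
        return "voice-like"
    # Bulk download: large packets inbound, a trickle of ACK-sized packets outbound.
    if in_sz > 1000 and out_sz < 100:
        return "bulk-download-like"
    # Interactive web: bursts of mixed-size packets separated by idle gaps.
    if out_cv > 0.8 or in_cv > 0.8:
        return "interactive-like"
    return "unclassified"

def make_flow(pairs, out_sizes, in_sizes, gap, burst_every=0, pause=0.0):
    # Constructed sample flow (not a real capture): one out/in pair every `gap`
    # seconds, with an idle `pause` inserted after every `burst_every` pairs.
    pkts, t = [], 0.0
    for i in range(pairs):
        pkts.append(Pkt(t, True, out_sizes[i % len(out_sizes)]))
        pkts.append(Pkt(t + gap / 2, False, in_sizes[i % len(in_sizes)]))
        t += gap
        if burst_every and (i + 1) % burst_every == 0:
            t += pause
    return pkts

SAMPLE_FLOWS = {                           # constructed, labelled by intent
    "voice":       make_flow(50, [160], [160], 0.02),
    "download":    make_flow(50, [52], [1460], 0.001),
    "interactive": make_flow(12, [400, 80, 1200], [1400, 300, 60], 0.01, 4, 2.0),
}
```

The thresholds are illustrative; a real classifier would be trained on labelled captures, and, as the comment says, will still misfile some flows.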
