Massive Botnet "Indestructible," Say Researchers

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
  • by Anonymous Coward on Wednesday June 29, 2011 @08:28PM (#36617700)

    Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?

  • Re:Take 'em offline (Score:5, Interesting)

    by the_bard17 ( 626642 ) <theluckyone17@gmail.com> on Wednesday June 29, 2011 @08:43PM (#36617826)

    Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

    The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

    It seems the T&C is being used as a catch-all for all the other shady business telecoms are pushing down our tubes... may as well use it for a bit of good, too.

  • Nothing new (Score:2, Interesting)

    by Billly Gates ( 198444 ) on Wednesday June 29, 2011 @08:55PM (#36617906) Journal

    In 2004 my cousin had malware that hid in the partition table and even a fresh format and Windows reinstall could get rid of it. Only a good DOS fdisk that deleted the table with a format and reinstallation. Today evil malware can hide in both the shadow volumes of restore points to reinstall themselves and avoid detection and also system recovery partitions, so a fresh OS reinstallation will reinstall the malware. Fun times.

  • Not impossible (Score:4, Interesting)

    by Anonymous Coward on Wednesday June 29, 2011 @09:16PM (#36618034)

    I work at a computer repair shop.

    We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
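    The check that the first reply (detecting a modified MBR at boot) and this comment both describe, as an added example that is not code from the thread, from GMER or from TDSSKiller: read the 512-byte first sector, hash the boot-code region, and diff it and the partition table against a baseline recorded while the machine was known clean. The constants are the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55 0xAA signature); the sector contents, the partition values and the function names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	mbrSize      = 512
	bootCodeSize = 446 // bytes 0..445: the code the BIOS jumps to
	partTableOff = 446 // four 16-byte partition entries follow
	sigOff       = 510 // 0x55 0xAA boot signature
)

type Partition struct {
	Bootable bool
	Type     byte
	StartLBA uint32
	Sectors  uint32
}

// MBR holds what we baseline: a hash of the boot code and the partition table.
type MBR struct {
	BootCodeSHA256 [sha256.Size]byte
	Partitions     [4]Partition
}

var ErrNotMBR = errors.New("mbr: missing 0x55AA boot signature")

// ParseMBR splits a sector into the regions a bootkit check cares about and
// hashes the boot code, which is where an MBR bootkit places its loader.
func ParseMBR(sector []byte) (MBR, error) {
	var m MBR
	if len(sector) != mbrSize {
		return m, fmt.Errorf("mbr: want %d bytes, got %d", mbrSize, len(sector))
	}
	if sector[sigOff] != 0x55 || sector[sigOff+1] != 0xAA {
		return m, ErrNotMBR
	}
	m.BootCodeSHA256 = sha256.Sum256(sector[:bootCodeSize])
	for i := range m.Partitions {
		e := sector[partTableOff+i*16 : partTableOff+(i+1)*16]
		m.Partitions[i] = Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			StartLBA: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		}
	}
	return m, nil
}

// Compare lists what differs between the clean baseline and the sector read now.
func Compare(baseline, current MBR) []string {
	var findings []string
	if baseline.BootCodeSHA256 != current.BootCodeSHA256 {
		findings = append(findings, fmt.Sprintf("boot code changed: %x -> %x",
			baseline.BootCodeSHA256[:6], current.BootCodeSHA256[:6]))
	}
	for i := range baseline.Partitions {
		if baseline.Partitions[i] != current.Partitions[i] {
			findings = append(findings, fmt.Sprintf("partition %d changed: %+v -> %+v",
				i, baseline.Partitions[i], current.Partitions[i]))
		}
	}
	return findings
}

// buildSector makes a synthetic MBR (constructed data, not a real disk image):
// the given boot code, one active NTFS partition at LBA 2048, and the signature.
func buildSector(bootCode []byte) []byte {
	s := make([]byte, mbrSize)
	copy(s, bootCode)
	e := s[partTableOff : partTableOff+16]
	e[0], e[4] = 0x80, 0x07
	binary.LittleEndian.PutUint32(e[8:12], 2048)
	binary.LittleEndian.PutUint32(e[12:16], 1000000)
	s[sigOff], s[sigOff+1] = 0x55, 0xAA
	return s
}

// DemoMBR baselines a clean sector, then checks a copy whose boot code has been
// overwritten the way a bootkit hooks the boot path. The partition table is
// left intact, so exactly one finding (the boot code hash) is expected.
func DemoMBR() ([]string, error) {
	clean := buildSector([]byte("constructed clean boot code"))
	baseline, err := ParseMBR(clean)
	if err != nil {
		return nil, err
	}
	infected := buildSector([]byte("constructed clean boot code"))
	copy(infected[0x20:], "constructed loader hook")
	current, err := ParseMBR(infected)
	if err != nil {
		return nil, err
	}
	return Compare(baseline, current), nil
}

func main() {
	fmt.Println(DemoMBR())
}
```

    The caveat a practitioner needs: the "current" sector has to be read from outside the suspect OS (a clean boot medium, or the drive attached to another machine), because a bootkit that is already running can hand the operating system a clean-looking copy of sector 0. Hashing the boot code rather than storing the whole sector also keeps the baseline small enough to record for every machine in a fleet.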

  • Re:Invisible? (Score:4, Interesting)

    by Spikeles ( 972972 ) on Wednesday June 29, 2011 @09:21PM (#36618064)
    TDSSKiller [kaspersky.com]
  • Curious Yellow [blanu.net] was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.

  • by pclminion ( 145572 ) on Wednesday June 29, 2011 @09:28PM (#36618112)
    You can sign the patches and make it impossible to inject update packets straight into the botnet. A more plausible line of attack would be to find a traditional security vulnerability and exploit it.
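    What "sign the patches" buys the operator, as an added example that is not code from the thread and not TDL-4's actual protocol: Ed25519 from Go's standard library over a made-up update record. The Update type, its field layout, the version rule and the function names are assumptions for the example. A relaying peer can pass the bytes along but cannot mint or alter them without the private key, and a version check stops an old, genuinely signed update from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical wire format for an update relayed between peers:
// a version counter, the payload, and a signature over both. The format and
// names are assumptions for this example, not a real botnet's protocol.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedBytes is the message that actually gets signed: the version followed
// by a hash of the payload, so neither field can be swapped independently.
func signedBytes(version uint32, payload []byte) []byte {
	msg := make([]byte, 4+sha256.Size)
	binary.LittleEndian.PutUint32(msg[:4], version)
	sum := sha256.Sum256(payload)
	copy(msg[4:], sum[:])
	return msg
}

// Sign is what only the holder of the private key can do.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signedBytes(version, payload))}
}

var (
	ErrBadSignature = errors.New("update: signature does not verify")
	ErrStaleVersion = errors.New("update: version not newer than installed")
)

// Verify is what a receiving node does with anything a peer hands it: check
// the signature against the pinned public key, then require the version to
// move forward, all before the payload is acted on.
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrStaleVersion
	}
	return nil
}

// DemoUpdates runs the four cases a node sees: a genuine update, one whose
// payload was altered in transit, one forged with a different key, and a
// genuine but old one replayed. Only the first should be accepted.
func DemoUpdates() (genuine, tampered, forged, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 4
	good := Sign(priv, 5, []byte("constructed payload: new peer list"))
	genuine = Verify(pub, installed, good)

	bad := good
	bad.Payload = append([]byte(nil), good.Payload...)
	bad.Payload[0] ^= 0xff // flip one byte; the signature no longer covers it
	tampered = Verify(pub, installed, bad)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = Verify(pub, installed, Sign(attackerPriv, 6, []byte("injected")))

	replayed = Verify(pub, installed, Sign(priv, 3, []byte("old payload")))
	return
}

func main() {
	fmt.Println(DemoUpdates())
}
```

    The design point for a defender is the one the comment makes: with the public key pinned in every bot, injecting packets into the P2P layer gets you nothing, so a takedown has to go after the signing key, the operators, or an ordinary bug in the bot's own parsing code. The version check matters too; without it, a researcher holding a captured old update could at least roll nodes back.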
  • by Dachannien ( 617929 ) on Wednesday June 29, 2011 @09:35PM (#36618152)

    The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.

    Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.

  • Try TDSS killer! (Score:4, Interesting)

    by Falconhell ( 1289630 ) on Wednesday June 29, 2011 @09:50PM (#36618262) Journal

    I had a bit of trouble removing it with TDSSKiller a few weeks ago, but got there in about half an hour.

    If it won't run you will need the file association reset tool.

    http://support.kaspersky.com/downloads/utils/tdsskiller.zip [kaspersky.com]

  • by drooling-dog ( 189103 ) on Wednesday June 29, 2011 @10:53PM (#36618604)

    If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.

    One thing that protects Linux, and that has little to do with the OS itself, is the FOSS ecosystem. Pretty much everything you could want is available for free from trusted repositories, and so there is little or no incentive to download and install warez or other pirated software that may have been tampered with. You would still be right, though, if being the dominant "OS for the masses" implies that a similar proprietary closed-source ecosystem would quickly arise around it.

  • Re:Invisible? (Score:5, Interesting)

    by cgenman ( 325138 ) on Thursday June 30, 2011 @02:21AM (#36619684) Homepage

    Unfortunately, most people who are running a modern version of Windows are doing so because it came on the computer they bought. I say unfortunately, because I have yet to see a computer ship with anything but those damned useless "restore" DVDs. It can't fix your system, or perform routine maintenance tasks, or anything useful. And if you've made any alterations to your hardware setup, you can forget it.

    Shipping without an install disk for a paid-for pre-installed OS that bundles lots of routine OS functionality on its install disk should be illegal. Or, rather, it should be legal to pass around copies of the install disk to everyone who has the OS.
