Massive Botnet "Indestructible," Say Researchers 583
CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
Take 'em offline (Score:3, Insightful)
Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.
Re:Take 'em offline (Score:5, Insightful)
From TFS:
What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?
The answer is you can't tell, and neither can the ISP.
"What about the volume?" Encrypted Bittorrent.
Re: (Score:2)
So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?
Well there must be some way to sniff them out or the researchers wouldn't know it existed or have any idea that millions of machines were infected....
Re:Take 'em offline (Score:5, Informative)
Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.
Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.
Re:Take 'em offline (Score:5, Informative)
I'm with you on the use of netcat etc.
I assume they build honey pot systems, setup with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.
it's fairly trivial to estimate how many clients are connected to it.
That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.
To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.
Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few coop agreements, and ISPs could swap lists of infected systems from eachothers networks easily enough as well.
Re: (Score:2)
Yeah, I'll bet your honeypot system would be squeaky clean, plus just this program. Digging this out from all the other crap on the machine would take months.
Re: (Score:2)
Nope it'd be full of crap to be sure.
But how else do researchers "find" botnets, except by looking at infected pcs... ?
Re: (Score:2)
Sniffing traffic pairs to CnC destinations. Mirror a switch port, then sniff the traffic to nonsense destinations. Watch DNS logs for odd hit builds. Sift some more.
Look for local destination peers that don't make sense. Then you've got the local net infections.
They must be used for something... (Score:3)
Unless it's a massive bitcoin mining operation or some actual spyware of the sort which steals credit card data, there's not a lot I can think of that they would want those machines for which would be able to work with entirely encrypted communication. In particular, if they're spam zombies, the flood of email should be a clue.
Then again, there is the problem of knowing that a given attack was a DDoS, and knowing whether a given machine which participated in that attack was a botnet zombie or a legitimate u
Re: (Score:2)
DNS traffic from the client may still be used to identify infected hosts -- but it is certainly less simple than it used to be.
Re: (Score:2)
Well, spewing spam should be a strong clue.
Dynamic IPs shouldn't be allowed to send outbound email directly anyhow.
Re: (Score:2, Insightful)
Well if they're sending SMTP mail, then it should be easy to identify them without excessively curbing customers who have legitimate SMTP servers: place a simple limit on outgoing email.
Normal people with their own SMTP servers probably aren't going to send more than a few dozen emails per day.
An infected PC will send millions. No human can generate millions of emails on a keyboard, and there's little reason to think that activity might be legitimate and not spam.
Find people sending tons of email, contact
Comment removed (Score:4, Insightful)
Re: (Score:2)
It is possible to fingerprint encrypted traffic, even if you can't decrypt it.
But you asked about differences: destination, port, rate, traffic volume. To name a few.
Re:Take 'em offline (Score:4, Informative)
So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?
The answer is you can't tell, and neither can the ISP.
Not strictly true, actually. IIRC it's already been shown that while SSL hides the content of the connection, it does a lousy job at hiding the protocol/likely payload; you can generally deduce this with remarkable accuracy by looking at the patterns the traffic follows.
For instance: Voice will have a more-or-less constant stream of small packets going in both directions, an interactive HTTP session will have bursts of data with packets of varying size in both directions, the total amount downloaded in each burst being up to a few hundred K at a time, a file being downloaded over HTTP will have a number of large packets in one direction and a constant stream of much smaller packets going in the other direction. It's a bit more sophisticated than this but AIUI that's the general gist.
It isn't 100% accurate, but for most practical purposes it's close enough.
Re: (Score:3)
So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file? The answer is you can't tell, and neither can the ISP.
Simple solution... don't allow encrypted traffic. If you're not doing anything wrong, you don't have anything to hide.
And no, I'm not being serious.
Re: (Score:3)
Making the MBR invisible to the OS isn't BS, once the rootkit has loaded it will intercept disk access and return filtered data.
Won't be able to do that with a (clean) boot-from-cd/usb OS or tool of course, but that's a different story.
Re: (Score:3, Insightful)
The only long term solution is to infect the infected with something that low level formats their HDD.
That will stop the problem.
It's amazingly illegal though, so it's not happening anytime soon.
Re:Take 'em offline (Score:4, Funny)
The only long term solution is to infect the infected with something that low level formats their HDD.
That's not true, there are plenty of long term solutions. We got -plenty- of nukes.
Re: (Score:3)
Re: (Score:2)
The only long term solution is to infect the infected with something that low level formats their HDD.
That will stop the problem.
It's amazingly illegal though, so it's not happening anytime soon.
It's also illegal to infect a PC with a worm and use it to run a spam botnet, but that hasn't stopped anyone. Maybe some vigilante will finally get tired of it and do something about it.
Re: (Score:2)
not really, idiots will reinstall and still be insecure,
There's no way around this, as long as everyone's running Windows. There is no permanent "fix" for this solution, only therapies. Wiping out infected HDs is an effective therapy. It'll eliminate the infection, and then the users will have to take their computer to the computer store to have Windows reinstalled (and maybe get a newer version that isn't as insecure as 98/Me/XP that many people are still running).
Yes, it's only a matter of time before
Re: (Score:3)
Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.
Asking ISPs to stand in the firing line of legal liability? Uh...yeah. You'll stand a better chance in hell with a snowcone machine.
And that answer isn't very easy when you're talking AT&T or Verizon cutting off entire hosted corporations.
Re: (Score:3)
geek, ATTBI (back in the 2001/2002 days) took infected computers off their network by disabling their cfg files. There's no legal liability there.
Re:Take 'em offline (Score:5, Interesting)
Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.
The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.
It seems the T&C is being used as a catch all for all the other shady business telecom's are pushing down our tubes... may as well as use it for a bit of good, too.
Re:Take 'em offline (Score:4, Insightful)
Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.
And as this particular one operates, good luck discerning a valid encrypted connection from a invalid/infected one.
The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.
Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.
Re: (Score:2)
I bet getting rid of that type of customer saves money in support, not all customers are profitable, and the calls about my google hours to a different site probably cost money.
Re: (Score:2, Insightful)
The third time, require a faxed copy of a receipt/invoice/statement from a third party
Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine
Re: (Score:2)
Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine
You got an all-in-one printer and a phone line? Then you've got a fax machine.
Re:Take 'em offline (Score:5, Insightful)
What the heck is a "phone line"? Is that one of those things they used to have back in the 70s and 80s where your phone was connected to the wall? How quaint.
Re: (Score:3)
I do believe that infected computers need to be dropped off the net, but it is VERY difficult to fix the problem without the internet to begin with.
Re: (Score:2)
Asking ISPs to stand in the firing line of legal liability?
Not a problem.. The government can grant them immunity, like it did for the unwarranted wiretaps..
Re:Take 'em offline (Score:4, Insightful)
Re: (Score:2)
not sure if this is a slippery slope here.
we're talking ISPs, not governments.
if they spin things right, or if the problem is big enough, they could include a nominal surcharge for sending round one of their guys to scrape the malware off their clients machines. then they save a ton of bandwidth, stop the botnets, and actually end up with happy customers (with computers that work somewhat better).
i think there's money to be made for the first ISP that tries this.
Re: (Score:3)
What an awful comparison. The people with infected computers are responsible for their computers, and it is their computers that are doing damage via spam etc. Disabling their accounts and requesting followup is in no way similar to:
*throwing someone in prison
*interrogating them
*implementing a police state
*freezing bank accounts
Its perfectly reasonable, if a PC is causing damage to a network, to remove that PC from the network. Schools do it, business offices do it, and Im sure government offices do it.
Invisible? (Score:5, Insightful)
Putting the thing in the MBR just means you can't intercept it during boot.
It doesn't for a second mean it's invisible.
Re:Invisible? (Score:4, Insightful)
It can become pretty well invisible to the infected host system though.
A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.
Speaking of which... what are people recommending for actually dealing with this sort of stuff...?
Re: (Score:2)
Speaking of which... what are people recommending for actually dealing with this sort of stuff...?
Isn't it obvious? The next version of Kaspersky of course!
Re:Invisible? (Score:5, Informative)
http://download.bitdefender.com/rescue_cd/ [bitdefender.com]
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/ [kaspersky-labs.com]
Both of these update from the internet after booting up.
Re:Invisible? (Score:5, Informative)
The safest way is nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.
The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.
Expert mode is make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)
For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.
Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).
If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.
Re:Invisible? (Score:5, Interesting)
Unfortunately, most people who are running a modern version of Windows are doing so because it came on the computer they bought it on. I say unfortunately, because I have yet to see a computer ship with anything but those damned useless "restore" DVD's. It can't fix your system, or perform routine maintenance tasks, or anything useful. And if you've make any alterations to your hardware setup, you can forget it.
Shipping without an install disk for a paid for pre-installed OS that bundles lots of routine OS functionality on its install disk should be illegal. Or, rather, it should be legal to pass around copies of the install disk to everyone who has the OS.
Re:Invisible? (Score:4, Interesting)
Re: (Score:3)
Thank you. I read the whole article wondering, "how can these over-sensationalistic idiot writers spend half the article talking about TDL4 and interviewing Kaspersky employees, and yet not bother to mention the very excellent, and very free, TDSSKILLER tool from Kaspersky that kills TDL4 dead?" If I was one of the Kaspersky guys interviewed, I'd be pissed.
Re: (Score:2)
Re: (Score:2)
Depends on whose fdisk you are using.
Re:Invisible? (Score:4, Informative)
That will make the MBR clean on the next boot, but it will reinfect the MBR once Windows loads as well.
Modified MBR Detection? (Score:2, Interesting)
Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?
Re: (Score:2)
As long as there isn't a recovery partition (or even if there is, most of the time), boot from an OS install disk, go to repair mode, then type 'fixboot' and 'fixmbr'. you're now have a stock MBR.
Re: (Score:2)
If you load before the OS, then you can load as the host, and run the 'real' OS as a guest operating system. You can then intercept all calls to the hardware. (kind of like how VMware can sit under windows, and tell it that it has an LSI SCSI drive, when it doesn't.) Instead of reporting the real MBR, you can tell the guest operating system that the MBR is exactly what it expects.
Re: (Score:3)
This is one reason why a TPM chip is a useful tool. It is present, but disabled in most servers.
Enable BitLocker, make sure to save the recovery key somewhere safe (preferably printing it out as well), have it use the MBR, and call it done.
If malware nails the MBR after BitLocker gets turned on, the machine will not boot. One can use Windows PE, mount the system volume with the recovery key, and squash the malicious software that way.
Re: (Score:3)
If you load before the OS, then you can load as the host, and run the 'real' OS as a guest operating system. You can then intercept all calls to the hardware. (kind of like how VMware can sit under windows, and tell it that it has an LSI SCSI drive, when it doesn't.) Instead of reporting the real MBR, you can tell the guest operating system that the MBR is exactly what it expects.
What if you boot off the CD-ROM created by your favourite virus scanner which bypasses Windows and the hard disk and the MBR entirely?
Kids these days do know that nothing on the hard disk has ever been trustworthy once you have the slightest suspicious of any kind of malware, and that you always boot right off trusted read-only media as soon as you even think of running an remedial anti-malware tool, right? and that this is not some new 2011 thing but was always the case, because MBR infectors were the firs
Indestructible? (Score:5, Funny)
Sounds like a challenge...
Re: (Score:2)
Your posts read like mental disorder, but I think it'd be fascinating to hear if you actually speak aloud in stilted, gratuitous
. I imagine you sound something like a cross between William Shatner and the pork chop sandwiches [youtube.com] kid.
Anyone else morbidly curious?
Z34107
PS => I'll pay for your bus ticket to come speak on the proper use of the hosts file.
...z34107
Re: (Score:2)
* Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...
Until you realize that malware can change the DNS settings of the interface directly, so while you think you're using Norton DNS, you're actually using InfectedSpywarePOS DNS.
Windows security is a game (Score:3)
You write like Steve Gibson on meth. Hey, you are an AC...
Sounds like you have a lot of fun maintaining your defenses. I remember keeping up with that sort of thing back in the day. Then in 2003 I switched to Debian and haven't had to worry about malware since.
I'm amazed by the time and effort people spend to defend against malware when the best solution is so obvious. 'You can lead a horse to water..."
Maybe the problem is that some people enjoy "the game" so much that they wouldn't know what to do if t
It runs on windows? (Score:2)
What I want to know is ... (Score:3, Funny)
Does it run Linux?
Here's an idea (Score:3)
What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.
Re: (Score:2)
What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.
It is still only feasible if the intruders can gain root access to the machine to install the botnet client and vm. I use OpenBSD and I can look at my logs and laugh at the number of failed intrusion attempts. A more secure OS certainly will prevent this.
Re: (Score:3)
Ahh, but can you detect the successful intrusions?
Most windows users can also look at their logs (assuming they keep such things) and view a large number of failed attempts. Of course, there are also a handful of successful ones.
Yes, I know OpenBSD is very secure, particular for root access; user accounts not so much if the user will run anything they download. More than half of OpenBSDs security is that security conscious people select that operating system.
Re:Here's an idea (Score:4, Insightful)
> What if someone wrote malware that would run a VM from the boot sector, and
> then ran your existing OS from the VM?
You would notice when your 3D performance began to suck ass. And when either all of your devices became virtual ones or all other performance (net, disk, etc) also began to suck ass. Unless you assume a genius who can create a VM environment that works perfectly transparently, has almost zero overhead and otherwise breaks major new ground in the science; and that they waste their time on a virus instead of kicking VMWare, RedHat, QEMU, etcs ass and seizing a multi-billion dollar red hot market segment.
Re: (Score:3)
You would notice when your 3D performance began to suck ass.
Wrong. A virus only needs to virtualise the CPU and memory, it can leave hardware directly accessible.
A VM runs code natively on the CPU and remaps or intercepts access to memory. How far you take that is up to you. Some viruses install a driver that gets loaded early in the Windows boot sequence and uses the MMU to intercept access to memory locations that would allow it to be detected and removed by anti-virus software.
This botnet virus does the same thing but sets up the MMU in the boot block rather than
would have to modify the grub binary and/or kernel (Score:2)
or something like that, because linux machines are constantly running grub to rewrite the bootsector
you could rewrite part of the kernel binary so that it would lie to grub i guess.
or you could rewrite the grub binary to lie to the user.
those two things are kind of non-trivial because linux is increidbly diverse.
now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.
Re: (Score:2)
The article states that Windows PCs are vulnerable to this botnet. I think it is a safe guess that BSD and Linux machines are, as per the usual, safe.
With a couple of exceptions on a dual boot system...
1. If your Linux bootloader is on the MBR then having your MBR overwritten might break something
2. The code that runs in the MBR that starts the bot running before Windows starts might be incompatible with Linux and/or whatever bootloader you are using.
You're right in that Linux won't be infected but it could still get broken.
GPL Violators! Get em! (Score:5, Funny)
Somehow I think that's the least of their concerns.
Re:GPL Violators! Get em! (Score:5, Funny)
Think of how they get Al Capone. Noting would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.
BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.
Re: (Score:2)
It seems MS could make this go away (Score:2)
Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.
It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?
Re: (Score:2)
But how ? (Score:2)
For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines
But how ? The virus hides its first stage in the MBR and is launched *before* the OS. By the time windows has started the computer is *already* compromised, the virus is already running and can do all the trick it wants to hide it self from the running system, or to alter the software being run.
Re: (Score:2)
Re: (Score:2)
Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.
It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?
The problem is that by definition, the malware authors always get to go first. As soon as Microsoft (or other antivirus vendor) figure out how to prevent the current malware from working, the malware guys will have reverse-engineered the update, developed a workaround, and deployed it before the windows/antivirus update has reached widespread deployment. They also have other advantages over Microsoft as they don't care as much if they crash a few computers along the way. Microsoft need to do heaps of regres
Nothing new (Score:2, Interesting)
In 2004 my cousin had malware that hid in the partition table and even a fresh format and windows reinstall could get rid of it. Only a good dos fdisk that deleted the table with a format and reinstallation. Today evil malware can hide in both the shadow volumes of restore points to reinstall themselves and avoid detection and also system recovery partitions so a fresh os reinstallation will reinstall the malware. Fun times
Wow (Score:2)
Only a matter of time ... (Score:2)
Command and Control (Score:4, Insightful)
Re:Command and Control (Score:5, Interesting)
Re: (Score:2)
Not impossible (Score:4, Interesting)
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
Re:Not impossible (Score:5, Insightful)
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.
Re:Not impossible (Score:4, Insightful)
I do the same kind of work that AC does, and he's right. Its not impossible. Also, I'd like to introduce you to the Real World(TM) where wiping a machine at the drop of the hat isn't always an option.
Re: (Score:3)
They meant the *botnet* is indestructible. You just killed one of four million nodes.
I knew this was going to happen (Score:5, Interesting)
Curious Yellow [blanu.net] was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.
P2P is also its weakness (Score:5, Interesting)
The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.
Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.
Re: (Score:2)
Unless you're smart and you limit your P2P to the kinds of "cell" organisations used in shady groups.
That way the only nodes you can get are the few you immediately know about.
Add some logic to ensure that all your nodes are cross-jurisdiction and throw in some random time delays and random connections to nodes that aren't infected (ie, law enforcement honeypots) and .. well, you've just increased the paperwork level 100 fold.
I'm glad I'm not a blackhat.
This is easy to take down (Score:2)
Detection and removal (Score:5, Informative)
When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.
To detect it, run the latest version of GMER.
http://www.gmer.net/
To remove it, you need to run a series of three scanners in this order:
TDSSkiller
http://support.kaspersky.com/viruses/solutions?qid=208280684
Combofix
http://www.bleepingcomputer.com/download/anti-virus/combofix
and Malwarebytes' Antimalware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1
Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.
As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.
-Z
Re: (Score:2)
Could you please link to OSX versions of these tools?
Can't be too careful, I say.
Try TDSS killer! (Score:4, Interesting)
I had a bit of trouble removing it with TDSS kiler a few weeks ago, but got there in about half an hour.
If it wont run you will need the file association reset tool.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip [kaspersky.com]
How does this bot spread? (Score:2)
Infected emails?
Hacked website or ad provider serving out drive-by-downloads?
Compromised IM accounts?
All of the above?
Personally I think someone needs to write an "Internet Security for Dummies" book that uses real world analogies to explain internet security concepts to clueless people. For example, it could compare leaving your front door unlocked to not having a firewall. Or it could show real-world things that most people would never do (give their credit card or bank details to a total stranger because
Re: (Score:2)
I'm guessing there are still 4 million XP machines with default Administrator accounts and no password. Microsoft has done a much better job with default user security starting with Vista and improving in Windows 7. Even if you're silly enough to run as admin, as long as you don't turn off UAC, you're a million times better off than running Windows XP as admin.
Re: (Score:3)
I don't know how the post-XP world of malware attraction works. At least in the XP-and-before world, the major goal wasn't your data. The windows kernel put a user modifiable, and kernel-used data structure in place. In this situation, anything that could manipulate the user space could manipulate the kernel space, thus spread itself in addition to stealing all of your data.
This is what is so disingenuous about then 'we are the target because so many people run us' crap. W/(95,98,2000,NT,XP) were th
Re: (Score:2)
the fact that it's described as a trojan implies to me it's a stupid user issue.
I had a trojan issue once. Now I have a kid. Trojans are stupid.
Re:Lawsuit (Score:4, Informative)
Time for a car analogy.
If someone hot-wires my car, and then rams it into a police station, then I'm not liable. The car manufacturer is not liable. The police are not liable. As a matter of fact, its not even my fault if I left the doors unlocked and the engine running. The person responsible is the bastard that stole it and did the damage.
These viruses and botnets are not spontaneous. They are not random acts of nature. They happen because of bad guys doing bad things. We should all take reasonable precautions, but we shouldn't be held liable for their actions.
Re: (Score:2)
Or we could, you know, just use more secure operating systems.
Re: (Score:2)
Re: (Score:2)
Or we could, you know, just use more secure operating systems.
A technological solution to a technological problem? Surely you jest!
Re: (Score:2)
Collect botnet creators. Apply one bullet to head. In public.
If you could "collect" the botnet creators, then you could solve the problem in any number of less messy ways, though. Even in a jurisdiction that placed serious limitations on violent public executions, if you arrested the creators you've made pretty major progress toward dismantling it.
Remember: there's nothing magical about ad hoc public capital punishment. (Did I just say there's no silver bullet?) Organized crime exists in countries of all judicial philosophies.
So, by all means, capture the miscreants.
Re: (Score:2)
That didn't work for General Tarkin and it won't work for this.
Re:general purpose computing is dead (Score:4, Interesting)
If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.
One thing that protects Linux, and that has little to do with the OS itself, is the FOSS ecosystem. Pretty much everything you could want is available for free from trusted repositories, and so there is little or no incentive to download and install warez or other pirated software that may have been tampered with. You would still be right, though, if being the dominant "OS for the masses" implies that a similar proprietary closed-source ecosystem would quickly arise around it.