Most Sophisticated Rootkit Getting an Overhaul 104
jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."
Computers must have an emergency-recovery (Score:4, Interesting)
Computers must have a way to boot to a guarenteed-audited environment for virus scanning.
Yes, I know that Windows 8 on computers that have "protected" BIOSes meet this requirement but I'm thinking something more general.
If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:
Protected BIOS preloader:
- audits (checks signature of) the BIOS, if signed AND has the "secure" bit set, lets it load, if not signed, loads read-only factory BIOS.
BIOS (or factory BIOS)
- audits (checks signature of) bootloader/OS loader from first available boot device. If signed and the "secure" bit is set, lets it load. If not goes on to next device in boot sequence.
and so on.
In many cases the user will be presented with "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.
Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.
Once the system is booted, security software can be downloaded, audited, and run.
Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.
--
Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software bit it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.
Re:Next up, antimalware built into boot sectors. (Score:4, Interesting)
For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.
Re:Next up, antimalware built into boot sectors. (Score:3, Interesting)
I'm all for a physical switch.
Most of my customers would not be, however.
Then again, I see writing to the partition table / boot sector as on the same level as flashing firmware; it should only be done when absolutely needed and by someone who knows what they're doing and quite qualified. Which would put me rooting for a physical switch even more (I'd have less customers, though).
But the question still begs: Why are we allowed to write to this stuff from userland? Even with admin / root privs?
Re:secure boot ftw! (Score:3, Interesting)
Good thing I'm gonna get a win8 machine with secure boot. Fuck these assholes.
That's what I was thinking. Then I thought, "Gee, this wasn't a big issue before but now that Windows 8 is going to have a feature to kill it, only then does major malware do this?" I hate to sound like a conspiracy nut, but this suggests that some arm of Microsoft might be involved in this. Knowing how Microsoft departments work (see "mexican standoff") it's not too far fetched to think that IF this were going on, 90% of the company wouldn't know.
On a more salient technical question...exactly how does malware plan on installing a hidden boot partition? Did malware writers figure out how to shrink a live, mounted partition of the hard drive to make space for another one? Or are they just going to take over the "recovery" partition most vendors ship on their computers? Given that the first option is extremely unlikely, this seems like a good reason to suggest that vendors supply an OS install DVD (or read-only USB stick, or embedded read-only flash storage) instead of a recovery partition. Not that it's ever going to happen. Hardware vendors like being able to save on manufacturing (or even licensing) costs for the extra discs, at the expense of space for user data (which doesn't need to be disclosed in advertising). Microsoft is too focused on their secure boot crusade anyway.
Combining the seeming nuttery with the technical question...what would Microsoft's goal be to create or help the development of this malware? To push secure boot? Why secure boot? To kill Linux? To kill Windows piracy? To help their partners ship unremovable crapware? To turn Windows into an iOS-style walled garden?
RE: (Score:4, Interesting)
If there is no free entry in the partition table then the malware reports to the C&C server and terminates.
So if you make sure you have 4 primary partitions created, you are essentially immune?