Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Botnet Security IT

Most Sophisticated Rootkit Getting an Overhaul 104

jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."
This discussion has been archived. No new comments can be posted.

Most Sophisticated Rootkit Getting an Overhaul

Comments Filter:
  • ... please return their call ASAP. They did not leave a message.
    • by sycodon ( 149926 )

      I keep imagining mobs of computer users running down these "creators", much like Qaddafi was, and putting bullets in their heads.

      • by Luckyo ( 1726890 )

        I keep imagining these botnet creators hacking reaper drones to put high exlosive missiles into huge mobs of computer users.

        Yeah, I was playing orcs must die a moment ago. Connect the dots.

    • Sony are going to sue them for... copyright infringement? source code theft? business 'opportunity' theft? corporate impersonation? theft of corporate strategy?

  • Naturally, we'll just make a boot sector with virus protection code that loads before anything else.

    Yo Dog, I heard you like bootsectors. So I put a bootsector in your bootsector, so you can boot, while you reboot!

    • by Hentes ( 2461350 )

      Giving the antivirus even more rights is a losing battle, especially with the number of fake antiviruses. What an AV can do, a virus will be developed to do as well. The way to defend against it is to boot the AV from CD, there are some that offer that.

      • by bioteq ( 809524 )

        Or, you know, disable the ability to write to the boot sector / partition table without specialized permission.

        One time toggle in the bios means you can write to partition table on next boot. Want to write to it again? Toggle it in bios again.

        Also, why can we write to the partition table and bootsector from userland again?

        • by DeadCatX2 ( 950953 ) on Friday October 21, 2011 @03:52PM (#37798548) Journal

          For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.

          • Re: (Score:3, Interesting)

            by bioteq ( 809524 )

            I'm all for a physical switch.

            Most of my customers would not be, however.

            Then again, I see writing to the partition table / boot sector as on the same level as flashing firmware; it should only be done when absolutely needed and by someone who knows what they're doing and quite qualified. Which would put me rooting for a physical switch even more (I'd have less customers, though).

            But the question still begs: Why are we allowed to write to this stuff from userland? Even with admin / root privs?

            • We still have to open the case to clear CMOS. But you're right, this kinda thing would irritate customers (although it may even create more business for you, since they would need technical assistance when rewriting boot sectors).

              And you're also right, you shouldn't be able to write to this stuff from userland. However, malware is pretty good at gaining control of kernelland as well. A userland ban just adds another layer to their payload.

              Requiring physical access is likely to be the only real solution t

              • by jhigh ( 657789 )

                Requiring physical access is likely to be the only real solution that cannot be compromised remotely.

                And even then you would have some user that some hacker social engineered into giving them physical access.

            • by capnkr ( 1153623 )
              About 50% of my business is dealing with the far-end of end users; the ones who have never even heard the term "boot sector", and who if you happen to use that word, begin getting glazed over eyes and looking up at passing birds, or with a smirk on their face, ask if that is where the Klingons come from... They've never seen the "inside of their CPU", yet are exactly the people who would be protected most by such a switch. I think it is an excellent idea, and would bet that it is likely both cheap and easy
          • For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.

            There are still more than enough users that can be social engineered into flipping that switch.

            • But not me, which is the point.

              Just make sure you're not the low-hanging fruit

            • So ... it isn't 100% effective so lets not do it?

              Compared to "click here to protect from Virus" this is much slightly harder to socially engineer someone into turning off their computer [this may or may not be a requirement], cracking the case, and then to flip a switch. And it also slows the infection process way down. No more spreading by the speed of email or web surfing.

              For us geeks, we'll just rig up the switch to operate from outside the case to save us the hassle of pulling a cover :)

          • by fuzzyfuzzyfungus ( 1223518 ) on Friday October 21, 2011 @04:16PM (#37798794) Journal
            This is picking a nit with the examples, rather than the concept; but both floppies and SD cards have a physical switch in only the loosest sense of the term:

            Floppies have no internal logic capable of acting on the switch state, it is entirely up to the floppy drive to sense and obey. SD cards do have an internal controller, and could theoretically enforce write-blocking on themselves; but they don't. Their switch is also just a little plastic tab, and it is entirely up to the reader to sense and obey the tab position. The card's PCB has no connection at all to the switch, and has no way of sensing its position...
            • I bought an SD card and a card reader to keep Anti-malware tools on. The idea was to use the write protect switch to keep malware from infecting/modifying the contents of the card when inserted into an infected PC.

              The first card reader just ignored the switch! I had to buy a second one of a different model/company to be protected.

          • Of course it can be based on software, if the OS requires the entire boot sector to be filled to the very last bit with necessary boot logic.

            Overwriting even one bit will make the entire OS unbooteable, and with it the rootkit unrunneable.

            • Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS? And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?

              • Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS?

                It can't represent the exact same values to the OS, without being larger than the bootsector. Otherwise it can be considdered a bug in the OS.

                And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?

                There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash. This would render the rootkit unusable.

                Imagine a B

                • by sFurbo ( 1361249 )

                  There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash.

                  How would the OS outsmart the rootkit? Wouldn't the rootkit always have the upper hand, being booted first? And wouldn't it be a problem for the OS that it is more static than the rootkits?

                  • Simple. At install time, the bootsector isn't even touched by the BIOS, so the rootkit does't load. The OS can then know exactly what space it has and hasn't. Based on that, a small piece of the kernel binary could be compiled to make use of these outer edges, to store some pages and some critical logic and values.

                    When the rootkit launches it must sit next to the BIOS and then launch the OS loader. The OS loader loads the kernel.

                    The kernel is now going to load random pages with unused logic in the first few

          • by Nikker ( 749551 )
            If we moved the MBR to the a section of BIOS and setup a physical switch to allow modifications then that would give us a leg up on most of this garbage.
          • yes it can... permissions-based filesystem, locked-down iptables, and some plain old common sense (the software in your head). yes linux machines can be hacked, but its rarely the fault of the software, with most hacks being due to poor configuration. otherwise linux wouldn't be the trusted name in server operating systems that it is.

            windows' biggest downfall... lack of a permissions-based filesystem. as soon as this changes, windows will be much more securable (still subject to admin/user sense and comp
        • by Hentes ( 2461350 )

          Also, why can we write to the partition table and bootsector from userland again?

          Most BIOSes don't offer a partitioning software so you have to use third party ones.

          But giving a one-time permission is a good idea.

        • by jimicus ( 737525 )

          We had MBR protection years ago and I believe it's still in most BIOSes. But IIRC it only works if you try writing to the MBR using BIOS routines - which no modern operating system does.

        • Aren't Microsoft/others working on a solution to prevent modification of the boot sector - essentially, the OS won't boot unless it's properly signed (trusted platform module)? Or is that something different?

      • The way to defend against it is to boot the AV from CD, there are some that offer that.

        That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

        That way, not only can you check for KNOWN viruses ... but you can verify that the files you have do not have UNKNOWN viruses.

        The only problem (aside from the daily update thing) would be user-created files. So an easy way to move those files from the machine to something like a flash drive would be handy

        • by Hentes ( 2461350 )

          An OS is not a static thing. It gets updated, users configure it etc. Unless you want a foolproof system for office use with locked in users.

          • An OS is not a static thing. It gets updated, users configure it etc.

            Hence the line about "daily updates" in my post.

            You boot the CD and it checks the anti-virus vendor's site for the latest information on what files are where with which hashes. That includes the OS and the applications.

            With that, the only place the crackers can hide the viruses are in the user's files. And those files SHOULD be easily movable to a flash drive or such.

            • With that, the only place the crackers can hide the viruses are in the user's files.

              That is not correct. As I noted in the post above, Windows already HAS a file protection mechanism built in (has since Windows 2000), but it can be subverted like any other mechanism can. There IS no foolproof in computing.

        • That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

          Windows has had that for ages, its called Windows File Protection [wikipedia.org]. The problem is that very rarely are the system files themselves attacked-- that is too likely to trigger issues. Almost always, a third party DLL or driver is loaded at startup.

          When system files ARE infected, the automatic file recovery mechanism is usually subverted, and the DLLcache copy of the file is also infected.

          There is no silver bullet for this. Unless you want a walled garden, there will always be the possibility for system infec

        • the first thing any malware would target is the program that keeps track of the hashes (first offense is self-defense)

          same as why disabling of common antivirus software is usually the prime target of the more sophisticated viruses

          no matter how many layers of protection you add, the malware would always be designed to disable the top level

          infection also doesn't need to be file-based. in this day and age many computers are left running for days or weeks at a time, so malware can do a hell of a lot of
  • Very creative (Score:2, Insightful)

    by msobkow ( 48369 )

    As annoying and irritating and downright destructive as malware can be, the techniques used to implement it can be absolutely fascinating. Hackers are the programmers who dive into the system and understand it's weaknesses, finding holes and exploits.

    It's the crackers who field that technology destructively that are the problem.

    Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.

    • Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.

      Back in the 90's the groupthink here was very tin-foily about trusted computing hardware. Now, a verified boot doesn't seem like a bad idea.

      • I can't speak for the collective consciousness of Slashdot; but the various 'trusted computing' stuff seems to have exactly the same set of trade-offs now that it did in the 90's: It does make malicious modification(by untrusted 3rd parties, malice by trusted parties actually becomes easier) more difficult; but there isn't an enormous amount of room for optimism about the percentage of devices that will accept the user as the root of trust, rather than whoever the vendor burned in. The number won't be zero,
        • Most of the TSC hardware is field-programmable, at least from what I've read. Factory-burned would be fine. Being able to say, "lock this boot configuration, I think the computer is secure", say before crossing a border checkpoint, would be really helpful.

    • Some technologies are created for evil purposes by evil people. They have no beneficial use.
      Sorry, but technology is just a tool and some tools are good for only one thing: Bad.

      • I don't know if I'd call Mark Zuckerberg *evil* per se...

  • "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world.

    That we know about.

    Stuxnet looked pretty mundane, on the surface. Anyone else wonder how many more such super-sophisticated malware are out there that we have no clue exists?

  • by davidwr ( 791652 ) on Friday October 21, 2011 @03:52PM (#37798544) Homepage Journal

    Computers must have a way to boot to a guarenteed-audited environment for virus scanning.

    Yes, I know that Windows 8 on computers that have "protected" BIOSes meet this requirement but I'm thinking something more general.

    If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:

    Protected BIOS preloader:
    - audits (checks signature of) the BIOS, if signed AND has the "secure" bit set, lets it load, if not signed, loads read-only factory BIOS.

    BIOS (or factory BIOS)
    - audits (checks signature of) bootloader/OS loader from first available boot device. If signed and the "secure" bit is set, lets it load. If not goes on to next device in boot sequence.

    and so on.

    In many cases the user will be presented with "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.

    Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.

    Once the system is booted, security software can be downloaded, audited, and run.

    Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.

    --
    Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software bit it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.

    • by JBMcB ( 73720 )

      Isn't that partially what TPM does? I think my Thinkpad (heh) has an option to lock out the boot device if the boot sector or bios settings were altered without authenticating to the TPM.

    • by ttong ( 2459466 )
      For what CPU architecture will the install/live/rescue OS be compiled? How is it going to download the security software? Will it automatically set up 802.1x/PPPoE with your own chap-secrets/a USB UMTS modem or whatever Internet connection the customer might have?

      I'd rather see a hardware failsafe with a manual override switch which resets the CPU whenever the SATA controller detects a write to a block below, say, 8. It should be done without using an interrupt. This way, an infection is prevented rather th

      • by davidwr ( 791652 )

        For what CPU architecture will the install/live/rescue OS be compiled?

        That's like asking "for what CPU architecture will the OS be compiled"? - for the target machine.

        If I'm a PC vendor and I'm selling Intel-compatible PCs with known motherboards, the rescue system will be one that can bootstrap to a stripped-down OS. If I'm a major vendor with close ties to Microsoft it will probably be a "live rescue DVD" provided to me by Microsoft. If I'm someone else it might be Linux or *nix-based.

        It will have appropriate network drivers built in so it will be able to go out to a know

        • by ttong ( 2459466 )

          So your solution applies to the Compaqs and Dells but not custom-built PCs, I think the big vendors will just say something along the lines of "we include a free version of $shitty_antivirus, so we don't need this". And then continue to charge extra for support plans, so the "stupid tax" works (clueless customers pay extra).

          A simple hardware solution without any software support would be far superior. Sometimes, the more low-tech the solution is the greater the chance that it'll actually work.

    • it already exists... its called a compact disc (or CD for short), and you can boot it by changing a BIOS setting. just chuck in a Linux live CD. works wonders for me (on windows machines)
      • by davidwr ( 791652 )

        This works fine as long as your BIOS hasn't been updated with an infected version.

        • There's some very useful info about Mebromi here:
          http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ [webroot.com]

          It only affects Windows machines with Award BIOS's and seems to be pretty hard to get rid of. Maybe this level of infection will someday force Microsoft to consider implementing a permissions-based filesystem to reduce the possibility of this type of infection in the first place.

          Cheapest/easiest solution: buy a new mobo.
          You may also be able to flash a backup using a Linux
  • So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick and re-partition to get rid of some of the viruses.

    • So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick

      I think today's version is

      dd if=/dev/zero of=/dev/sda bs=1M count=2

  • I know that no one here is will to say a good thing about the proposed Windows 8 secure boot "feature", but isn't this rootkit scenario the one it's trying to prevent? Would the secure boot prevent a user from booting into Windows if rootkit like this was on the computer?
    • I can't say that I've followed the whole secure boot thing too closely, but if history tells us anything, you just KNOW that it will be designed/implemented wrong and will be hacked around before you know it. I would not count on it being your be-all-end-all protection mechanism.
    • by nzac ( 1822298 )

      (While I am sure that they are skilled enough to exploit latest privilege escalation bug in the linux kernel,) it still takes windows to give it access to the hardisk like that to begin with. This is ignoring that you have to get Linux to execute the code in first place.

      MS hurting Linux to fix their own security problem makes it still easy to blame them.

      Assuming the root kit keeps your home partition intact (you would not be turning your computer on to often if it did not) this should be easy enough to fix.

    • by Anonymous Coward

      Among other things, yes. It does deter rootkits in a similar sense that having an omnipresent police state tends to deter thieves and muggers. Yet one wouldn't want to live in a police state, even if that meant there would be no thieves or muggers.

  • A complete rewrite ? Don't these guys read Joel On Software ? They're going to ruin their ... oh, um carry on.

  • RE: (Score:4, Interesting)

    by D'Sphitz ( 699604 ) on Friday October 21, 2011 @04:56PM (#37799270) Journal

    If there is no free entry in the partition table then the malware reports to the C&C server and terminates.

    So if you make sure you have 4 primary partitions created, you are essentially immune?

    • by Anonymous Coward

      That is why we are moving to GPT. I guess that that would work until you get new computer.

  • Win32/Olmasco.R .. Affected platforms: Microsoft Windows .... enough said .....
  • Boot from a write-protected floppy which is always in the drive. The boot sector of the floppy loads a tiny piece of code that checks the checksum on the parition table and MBR and alerts you that it changed. Problem solved. Until they stop producing floppy drives, that is.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...