Most Sophisticated Rootkit Getting an Overhaul
jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."
Sony called... (Score:2, Funny)
Re: (Score:2)
I keep imagining mobs of computer users running down these "creators", much like Qaddafi was, and putting bullets in their heads.
Re: (Score:2)
I keep imagining these botnet creators hacking reaper drones to put high explosive missiles into huge mobs of computer users.
Yeah, I was playing orcs must die a moment ago. Connect the dots.
Re: (Score:3)
Sony are going to sue them for... copyright infringement? source code theft? business 'opportunity' theft? corporate impersonation? theft of corporate strategy?
Next up, antimalware built into boot sectors. (Score:2)
Naturally, we'll just make a boot sector with virus protection code that loads before anything else.
Yo Dog, I heard you like bootsectors. So I put a bootsector in your bootsector, so you can boot, while you reboot!
Re: (Score:3)
Giving the antivirus even more rights is a losing battle, especially with the number of fake antiviruses. What an AV can do, a virus will be developed to do as well. The way to defend against it is to boot the AV from CD, there are some that offer that.
Re: (Score:2)
Or, you know, disable the ability to write to the boot sector / partition table without specialized permission.
One time toggle in the bios means you can write to partition table on next boot. Want to write to it again? Toggle it in bios again.
Also, why can we write to the partition table and bootsector from userland again?
Re:Next up, antimalware built into boot sectors. (Score:4, Interesting)
For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.
Re: (Score:3, Interesting)
I'm all for a physical switch.
Most of my customers would not be, however.
Then again, I see writing to the partition table / boot sector as on the same level as flashing firmware; it should only be done when absolutely needed and by someone who knows what they're doing and quite qualified. Which would put me rooting for a physical switch even more (I'd have less customers, though).
But the question still begs: Why are we allowed to write to this stuff from userland? Even with admin / root privs?
Re: (Score:3)
We still have to open the case to clear CMOS. But you're right, this kinda thing would irritate customers (although it may even create more business for you, since they would need technical assistance when rewriting boot sectors).
And you're also right, you shouldn't be able to write to this stuff from userland. However, malware is pretty good at gaining control of kernelland as well. A userland ban just adds another layer to their payload.
Requiring physical access is likely to be the only real solution t
Re: (Score:2)
Requiring physical access is likely to be the only real solution that cannot be compromised remotely.
And even then you would have some user that some hacker social engineered into giving them physical access.
Re: (Score:2)
Re: (Score:2)
For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.
There are still more than enough users that can be social engineered into flipping that switch.
Re: (Score:2)
But not me, which is the point.
Just make sure you're not the low-hanging fruit
Re: (Score:2)
So ... it isn't 100% effective so let's not do it?
Compared to "click here to protect from Virus" this is much slightly harder to socially engineer someone into turning off their computer [this may or may not be a requirement], cracking the case, and then to flip a switch. And it also slows the infection process way down. No more spreading by the speed of email or web surfing.
For us geeks, we'll just rig up the switch to operate from outside the case to save us the hassle of pulling a cover :)
Re:Next up, antimalware built into boot sectors. (Score:5, Informative)
Floppies have no internal logic capable of acting on the switch state, it is entirely up to the floppy drive to sense and obey. SD cards do have an internal controller, and could theoretically enforce write-blocking on themselves; but they don't. Their switch is also just a little plastic tab, and it is entirely up to the reader to sense and obey the tab position. The card's PCB has no connection at all to the switch, and has no way of sensing its position...
Re: (Score:1)
I bought an SD card and a card reader to keep Anti-malware tools on. The idea was to use the write protect switch to keep malware from infecting/modifying the contents of the card when inserted into an infected PC.
The first card reader just ignored the switch! I had to buy a second one of a different model/company to be protected.
Re: (Score:2)
Of course it can be based on software, if the OS requires the entire boot sector to be filled to the very last bit with necessary boot logic.
Overwriting even one bit will make the entire OS unbootable, and with it the rootkit unrunnable.
Re: (Score:2)
Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS? And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?
Re: (Score:2)
Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS?
It can't represent the exact same values to the OS, without being larger than the bootsector. Otherwise it can be considered a bug in the OS.
And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?
There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash. This would render the rootkit unusable.
Imagine a B
Re: (Score:2)
I said logic, not values.
Re: (Score:2)
There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash.
How would the OS outsmart the rootkit? Wouldn't the rootkit always have the upper hand, being booted first? And wouldn't it be a problem for the OS that it is more static than the rootkits?
Re: (Score:2)
Simple. At install time, the bootsector isn't even touched by the BIOS, so the rootkit doesn't load. The OS can then know exactly what space it has and hasn't. Based on that, a small piece of the kernel binary could be compiled to make use of these outer edges, to store some pages and some critical logic and values.
When the rootkit launches it must sit next to the BIOS and then launch the OS loader. The OS loader loads the kernel.
The kernel is now going to load random pages with unused logic in the first few
Re: (Score:2)
Re: (Score:1)
windows' biggest downfall... lack of a permissions-based filesystem. as soon as this changes, windows will be much more securable (still subject to admin/user sense and comp
Re: (Score:2)
Also, why can we write to the partition table and bootsector from userland again?
Most BIOSes don't offer a partitioning software so you have to use third party ones.
But giving a one-time permission is a good idea.
Re: (Score:2)
We had MBR protection years ago and I believe it's still in most BIOSes. But IIRC it only works if you try writing to the MBR using BIOS routines - which no modern operating system does.
Re: (Score:2)
Aren't Microsoft/others working on a solution to prevent modification of the boot sector - essentially, the OS won't boot unless it's properly signed (trusted platform module)? Or is that something different?
In addition to that ... (Score:3)
That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.
That way, not only can you check for KNOWN viruses ... but you can verify that the files you have do not have UNKNOWN viruses.
The only problem (aside from the daily update thing) would be user-created files. So an easy way to move those files from the machine to something like a flash drive would be handy
Re: (Score:2)
An OS is not a static thing. It gets updated, users configure it etc. Unless you want a foolproof system for office use with locked in users.
Hence the "daily updates" part. (Score:2)
Hence the line about "daily updates" in my post.
You boot the CD and it checks the anti-virus vendor's site for the latest information on what files are where with which hashes. That includes the OS and the applications.
With that, the only place the crackers can hide the viruses are in the user's files. And those files SHOULD be easily movable to a flash drive or such.
Re: (Score:2)
With that, the only place the crackers can hide the viruses are in the user's files.
That is not correct. As I noted in the post above, Windows already HAS a file protection mechanism built in (has since Windows 2000), but it can be subverted like any other mechanism can. There IS no foolproof in computing.
Re: (Score:3)
That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.
Windows has had that for ages, it's called Windows File Protection [wikipedia.org]. The problem is that very rarely are the system files themselves attacked-- that is too likely to trigger issues. Almost always, a third party DLL or driver is loaded at startup.
When system files ARE infected, the automatic file recovery mechanism is usually subverted, and the DLLcache copy of the file is also infected.
There is no silver bullet for this. Unless you want a walled garden, there will always be the possibility for system infec
Re: (Score:1)
same as why disabling of common antivirus software is usually the prime target of the more sophisticated viruses
no matter how many layers of protection you add, the malware would always be designed to disable the top level
infection also doesn't need to be file-based. in this day and age many computers are left running for days or weeks at a time, so malware can do a hell of a lot of
Very creative (Score:2, Insightful)
As annoying and irritating and downright destructive as malware can be, the techniques used to implement it can be absolutely fascinating. Hackers are the programmers who dive into the system and understand its weaknesses, finding holes and exploits.
It's the crackers who field that technology destructively that are the problem.
Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.
Re: (Score:2)
Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.
Back in the 90's the groupthink here was very tin-foily about trusted computing hardware. Now, a verified boot doesn't seem like a bad idea.
Re: (Score:3)
Re: (Score:2)
Most of the TSC hardware is field-programmable, at least from what I've read. Factory-burned would be fine. Being able to say, "lock this boot configuration, I think the computer is secure", say before crossing a border checkpoint, would be really helpful.
I dont agree with your blanket statement (Score:3)
Some technologies are created for evil purposes by evil people. They have no beneficial use.
Sorry, but technology is just a tool and some tools are good for only one thing: Bad.
Re: (Score:1)
technology is a double-edged sword. whatever can be used for good can also be used for evil, and vice versa. its only limitation is creativity and imagination, and the combined imagination of all of humanity is pretty vast, so if you think you've developed something that coul
Re: (Score:2)
... [Some technologies] have no beneficial use. ... [Some] tools are good for only one thing: Bad.
I'm unable to think of an example which satisfies these statements: even botnets could be co-opted for use in an enterprise environment, to help lock down corporate computers and data.
Did you have an example of a purely-evil tool you were thinking of?
Biochemical weapons. Weapons of mass destruction. Nerve gas, Agent Orange.
Re: (Score:2)
Nuclear bombs have given us the most peaceful 60 years in humanity's history (the years leading up to WW1 rival that, but I don't think 60 years of them do), and are currently our best bet for accelerating a spaceship to any useful fraction of the speed of light.
Nerve gasses can be used as insecticides, and have given us a
Re: (Score:1)
everything must be put in perspective
I don't agree (Score:2)
I don't know if I'd call Mark Zuckerberg *evil* per se...
Most sophisticated indeed (Score:2)
"TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world.
That we know about.
Stuxnet looked pretty mundane, on the surface. Anyone else wonder how many more such super-sophisticated malware are out there that we have no clue exists?
Re: (Score:1)
how about the bounty by the consortium of US tech companies on anyone involved in it? $300k, $400k?
http://en.wikipedia.org/wiki/Conficker#Response [wikipedia.org]
Computers must have an emergency-recovery (Score:4, Interesting)
Computers must have a way to boot to a guaranteed-audited environment for virus scanning.
Yes, I know that Windows 8 on computers that have "protected" BIOSes meet this requirement but I'm thinking something more general.
If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:
Protected BIOS preloader:
- audits (checks signature of) the BIOS, if signed AND has the "secure" bit set, lets it load, if not signed, loads read-only factory BIOS.
BIOS (or factory BIOS)
- audits (checks signature of) bootloader/OS loader from first available boot device. If signed and the "secure" bit is set, lets it load. If not goes on to next device in boot sequence.
and so on.
In many cases the user will be presented with "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.
Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.
Once the system is booted, security software can be downloaded, audited, and run.
Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.
--
Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software but it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.
Re: (Score:2)
Isn't that partially what TPM does? I think my Thinkpad (heh) has an option to lock out the boot device if the boot sector or bios settings were altered without authenticating to the TPM.
Re: (Score:2)
I'd rather see a hardware failsafe with a manual override switch which resets the CPU whenever the SATA controller detects a write to a block below, say, 8. It should be done without using an interrupt. This way, an infection is prevented rather th
Re: (Score:1)
For what CPU architecture will the install/live/rescue OS be compiled?
That's like asking "for what CPU architecture will the OS be compiled"? - for the target machine.
If I'm a PC vendor and I'm selling Intel-compatible PCs with known motherboards, the rescue system will be one that can bootstrap to a stripped-down OS. If I'm a major vendor with close ties to Microsoft it will probably be a "live rescue DVD" provided to me by Microsoft. If I'm someone else it might be Linux or *nix-based.
It will have appropriate network drivers built in so it will be able to go out to a know
Re: (Score:1)
So your solution applies to the Compaqs and Dells but not custom-built PCs, I think the big vendors will just say something along the lines of "we include a free version of $shitty_antivirus, so we don't need this". And then continue to charge extra for support plans, so the "stupid tax" works (clueless customers pay extra).
A simple hardware solution without any software support would be far superior. Sometimes, the more low-tech the solution is the greater the chance that it'll actually work.
Re: (Score:1)
Well, it's not much worse for your data than your average kernel panic/BSOD/equivalent.
I say "not much worse" because some OSes do a good memory-dump when they panic and *conceivably* some data can be retrieved from that which would otherwise be lost on a computer reset.
Now, he did say CPU reset, which is far different than a computer reset. It also begs the question: Which CPU should be reset if there is more than one?
Re: (Score:1)
Good one. Maybe it's better to reverse the attack, kill the controller until it power cycles. The obvious downside is that the attack would still run and could still perform other steps to take over the boot process. But then, dealing with malware has always been a game of cat-and-mouse. You take the _least_ effort measure against today's malware, and then pass on the ball. A "perfect" solution would be absolutely devastating, because 30 years into the game the malware authors continue to remain one step ah
Re: (Score:1)
> BIOS (or factory BIOS)
.. you see the fail there? Which factory did you have in mind?
The goal is to recover from a post-point-of-sale infection or at least a post-factory-floor infection.
Defects like fixing deliberately-insecure factory-default BIOSes are outside of the scope of this solution.
The recommended solution for an otherwise-unrecoverable pre-sale infection involves purchasing a new computer and sending land-sharks or government consumer-watchdog authorities after the offending company.
Re: (Score:1)
Re: (Score:1)
This works fine as long as your BIOS hasn't been updated with an infected version.
Re: (Score:1)
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ [webroot.com]
It only affects Windows machines with Award BIOSes and seems to be pretty hard to get rid of. Maybe this level of infection will someday force Microsoft to consider implementing a permissions-based filesystem to reduce the possibility of this type of infection in the first place.
Cheapest/easiest solution: buy a new mobo.
You may also be able to flash a backup using a Linux
Good old days (Score:1)
So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick and re-partition to get rid of some of the viruses.
Get with the program :) (Score:1)
So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick
I think today's version is
dd if=/dev/zero of=/dev/sda bs=1M count=2
Windows 8 secure boot (Score:2)
Re: (Score:1)
Re: (Score:2)
(While I am sure that they are skilled enough to exploit the latest privilege escalation bug in the Linux kernel,) it still takes Windows to give it access to the hard disk like that to begin with. This is ignoring that you have to get Linux to execute the code in the first place.
MS hurting Linux to fix their own security problem makes it still easy to blame them.
Assuming the rootkit keeps your home partition intact (you would not be turning your computer on too often if it did not) this should be easy enough to fix.
Re: (Score:1)
Among other things, yes. It does deter rootkits in a similar sense that having an omnipresent police state tends to deter thieves and muggers. Yet one wouldn't want to live in a police state, even if that meant there would be no thieves or muggers.
Re: (Score:2)
This.
Boot clean media from a thumbdrive.
"Oh look, a "sekrit" partition"
*delete*
Problem, malware writer?
--
BMO
What ? (Score:2)
A complete rewrite ? Don't these guys read Joel On Software ? They're going to ruin their ... oh, um carry on.
RE: (Score:4, Interesting)
If there is no free entry in the partition table then the malware reports to the C&C server and terminates.
So if you make sure you have 4 primary partitions created, you are essentially immune?
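The precondition this post is asking about can be checked offline. As an added example that is not from the thread or from any vendor report, the following parser reads a 512-byte MBR and reports how many of the four primary-partition slots are free and how many sectors lie past the last partition; the MBR it runs on is constructed inline (zero boot code, hand-built entries), and a disk size of 2,000,000 sectors is an assumption for the sample.

```python
"""Audit an MBR for free primary-partition slots and unpartitioned tail space."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Return the four primary entries as dicts; a type byte of 0x00 means a free slot."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "in_use": ptype != 0,
        })
    return entries


def free_entries(mbr: bytes) -> int:
    """Number of unused primary-partition slots (the thread's 'four primaries' check)."""
    return sum(1 for e in parse_partition_table(mbr) if not e["in_use"])


def unpartitioned_tail(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the end of the last partition, i.e. space not covered by any entry."""
    used = [e for e in parse_partition_table(mbr) if e["in_use"]]
    if not used:
        return disk_sectors
    end = max(e["lba_start"] + e["sectors"] for e in used)
    return max(disk_sectors - end, 0)


def make_mbr(entries) -> bytes:
    """Build a constructed MBR from (bootable, type, lba_start, sectors) tuples."""
    buf = bytearray(MBR_SIZE)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        buf[off:off + ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    DISK_SECTORS = 2_000_000  # assumed sample disk size (~1 GB at 512-byte sectors)
    # Constructed sample: one NTFS partition, three free slots, space left at the end.
    sparse = make_mbr([(True, 0x07, 2048, 1_000_000)])
    print("free slots:", free_entries(sparse),
          "tail sectors:", unpartitioned_tail(sparse, DISK_SECTORS))
    # Constructed sample: all four slots used and the disk filled to the last sector.
    full = make_mbr([(True, 0x07, 2048, 500_000), (False, 0x07, 502_048, 500_000),
                     (False, 0x07, 1_002_048, 500_000), (False, 0x83, 1_502_048, 497_952)])
    print("free slots:", free_entries(full),
          "tail sectors:", unpartitioned_tail(full, DISK_SECTORS))
```

The same parser accepts the first 512 bytes of a real disk image; the sector count for the tail check must then be supplied from the disk's actual size.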
Re: (Score:1)
That is why we are moving to GPT. I guess that would work until you get a new computer.
Affected platforms .. (Score:2)
Easy workaround (Score:1)
Re: (Score:3, Interesting)
Good thing I'm gonna get a win8 machine with secure boot. Fuck these assholes.
That's what I was thinking. Then I thought, "Gee, this wasn't a big issue before but now that Windows 8 is going to have a feature to kill it, only then does major malware do this?" I hate to sound like a conspiracy nut, but this suggests that some arm of Microsoft might be involved in this. Knowing how Microsoft departments work (see "mexican standoff") it's not too far fetched to think that IF this were going on, 90% of the company wouldn't know.
On a more salient technical question...exactly how does malw
Re: (Score:1)
Every major OS now can shrink a mounted partition out of the box. OS X's partitioner has at least been able to do it since 2006 (it's used for Bootcamp). Windows added the ability with Windows 7 and I don't even know how long Parted has had that ability on Linux.
too bad that most business uses will make that lock (Score:3)
too bad that most business uses will make that lockdown unworkable for quite some time.
* Most businesses are just moving over to Windows 7 now and I don't see going to Windows 8 any time soon.
* In house apps will take some time to move over to any kind of new iOS style app store only system.
* anti trust laws
* Lots of old software that businesses need.
* The use of vendor systems with their own software / OSes
* Lots of businesses don't use the OEM install and do their own but the secure boot system can let Dell lock
live partition shrinking is not hard (Score:1)
exactly how does malware plan on installing a hidden boot partition?
In principle, it's not hard once you get control of the system.
Step 1. Get control of system. If this is a problem for your virus then it is lame. Don't bother with the rest, it's over your head.
Step 2. While the system is running seemingly normally, locate un-partitioned space. If there is enough skip to step 6.
Step 3. Locate space at the end of a primary partition. If needed move any user data and meta-data out of that space to elsewhere. Make sure the space remains unused until you finish step 4.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
So why don't good people write a program that can seek out these bad ones and kill them?
There are people who do, such as those who maintain Spybot Search and Destroy.
Re: (Score:2)