back to article 'Indestructible' rootkit enslaves 4.5m PCs in 3 months

One of the world's stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of …


This topic is closed for new posts.


  1. nyelvmark

    Oh, shit.

    This is seriously scary.

    Is the internet doomed the way that the Euro is?

    Let's all go back to living in caves. If this goes on, we may not have a choice. In fact, I think I'm going to go looking for a suitable cave tomorrow. I'll need a few dozen rolls of aluminium foil, several tonnes of canned food, and some serious weaponry to keep other cave-hunters at bay.

    Punch-line to come.

    1. Anonymous Coward

      Don't be that pessimist !

      First, move out of Windows monoculture. Before going back to living in caves, give Linux a try or even better, go directly with OpenBSD.

      Yes, I totally agree with you these OS are far from being so polished and full of features like Windows is right now but you still get a headache-free computing experience.

      1. Anonymous Coward
        Anonymous Coward

        headache free?

        really? is having to dive into an obsure text file located in one of many locations to change a minor config really not a headache?

        1. Anonymous Coward
          Anonymous Coward

          Re: headache free?

          Andrew C, I feel your pain brother. I hate working with the registry, boot.ini, win.ini, system.ini, /blah/blah/blah/hosts, etc too.

        2. El Cid Campeador


          Easier than poking around in the registry--especially for people who, like a lot of my friends, don't know a hex from a USB mouse.

          "Okay open file thatapp.conf"


          "Find the line that says ThatSetting"

          "Wait... no... no... Oh I see it."

          "Change 'No' to 'Yes' and save the file"

          "OK... done. Wait, that's it? That was easy!"

          "Yep. That's why I made you buy me the beer first."

      2. Andy Jones


        @ AC 07:49

        Windows is far from being polished and full of features. I use Linux and it does everything I need it to do, and I use Windows at work and am constantly frustrated due to it missing things I need that are in Linux!

      3. John 104

        Headache free - sort of

        Yes, your security headache will be gone. To be replaced by a usability headache. :)

        For the record, I work both on windoze and nix systems.

    2. Anonymous Coward

      RE: Oh, shit.

      The internet isn't doomed - this is just another example of "Windows security" at work!

    3. Getter lvl70 Druid

      Speaking of caves....

      I would absolutely love to build (dig? blast?) a Hobbit Burrow to live in and use geothermal power to take me off the grid. One day.......


    4. Andy Livingstone

      Doomed Euro?

      Right OK then, so the Euro is doomed. So why is the pound losing value against it on a daily basis? Tell me that Private Fraser.

  2. zeromastermind

    Amazing info.

    I remember reading somewhere back a few months ago that researchers were able to install one of these advanced bootkits on a machine that was running full-system encryption via truecrypt - *one* round of AES. The story was surprising at the time because that was one of the few mitigations of the installation of these bootkits - the idea being that existing (truecrypt boot loader) code was already in the MBR and that overwriting any of it would render the system unbootable since the truecrypt boot loader would be hence corrupt and wouldn't even load. Apparently there was still enough free space in the MBR to write to after the truecrypt code ended.

    However, no one said anything about cascade encryption.

    If you had a combination of AES+Twofish+Serpent as your system encryption scheme - would that be enough to plug any holes in the MBR to prevent these bootkits from installing? Anyone?

    1. Michael Mokrysz

      Too big

      I'm talking more from intuition from knowledge, but surely it'd be more likely to just mess up the MBR than just stop the rootkit installing? Admittedly that tells you something's up, but by then it's probably too late.

    2. JeevesMkII
      Thumb Up

      Great solution...

      So, the solution to the problem of the nigh undetectable and ineradicable rootkit that will doubtless install stuff to bring your system to a crawl for all eternity is... to preemptively install stuff that will bring your system to a crawl for all eternity.

      Can't we just build a linux pre-loader for windows that zeroes the entire memory and then checks to see if anything on your windows partition has changed since last boot, and freaks the hell out if it has? That would probably be less of a pain in the arse.

      1. amanfromMars 1 Silver badge
        Thumb Up

        Re: Great solution

        Great solution, JeevesMkII.

      2. Steve Foster

        @Great Solution...

        That's been commercially available for years. It's called Norton.

      3. El Cid Campeador

        That would work if Windows made any sense

        Unfortunately Windows is constantly changing itself and tools that do that kind of thing tend to overwhelm you with false positives (and that's a shame). Maybe if it just looked at the MBR....

      4. spellucci

        Microsoft Standalone System Sweeper

        Microsoft has in beta a program called Standalone System Sweeper. It creates an ISO to boot from. When you do, it checks for rootkits that cannot be checked when booting from the MBR. See for details.

        1. Anonymous Coward
          Anonymous Coward

          Scan Before Use

          It took the porkers at MS long enough to get around to doing this, not like it is a new idea or anything. But at least they are finally doing it.

    3. Dr Trevor Marshall

      Mitigation? Detection?

      It is one thing to raise a warning. But an article on a pervasive rootkit, without any discussion of detection or mitigation measures, is worse than useless (IMO).

  3. nick47

    Lucky for me...

    I've got a Mac, and therefore can't get viruses.

    1. Miek

      Yeah ...


    2. The Fuzzy Wotnot

      So have I....

      In fact I have 4 Macs, except having used Windows for 10 years I am not a self-satisfied plank with a Jobs worship fetish! I am an IT realist and to borrow a quote, I know the price of a malware free machine is eternal vigilence, and that includes OSX and Linux. Being smug sanctimonious pillock will lead to a very big and painful fall for you my friend!

      1. CD001


        [hint: did you not see the Troll icon?]

    3. John 104
      Thumb Up


      Nice one! I see many here didn't get your joke though.

  4. 42


    Except by Kasperskys tdss killer. Removed it quite easily last week.

    1. Anonymous Coward

      re: Removed it

      Are you sure it's gone? Are you sure you haven't been reinfected with a newer version?

  5. Head
    Thumb Down


    I have been doing some rather mundane fixing of this thing recently.

    I *think* one solution is to always prompt for driver installations.

    Pretty typical of windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.

    1. CD001



      Pretty typical of windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.


      Could be worst - at least it's possible to run Win7 in limited privileges mode; there's nowhere near as much badly written software, that requires Admin privileges, on Win7 as there has been on any previous version.

      I wouldn't say it was great but simply that it fails less hard that previous versions...

    2. John 104


      Out of the box Win7 is pretty tight. Its only when you start going in and disabling security features that it becomes vulnerable.

      And above all of the back and forth between the OSs, if you just practice safe computing, you won't have to deal with any of this crap. Don't click links in emails that you weren't expecting, don't visit port or wares sites, question every pop up, never click YES. Been doing it for years with great success. Even my wife and kids are good at it these days. It isn't rocket science.

  6. davenewman

    Does it kill grubs?

    if the MBR contains GRUB or LILO instead of a Windows MBR?

  7. Destroy All Monsters Silver badge

    ad-hoc DHCP servers?

    Hmmm.... I better check out those bizarre flip-flops I have seen recently around here. I thought it was just the iPhones behaving crappily, but who knows.

  8. Version 1.0 Silver badge

    SSDD - Darwin in action

    Early life forms evolve, and eat the lesser evolved for lunch.

    If it's blacklisting other virus servers then it should be fairly easy to see if you're infected ... then I say we take off and nuke the site from orbit. It's the only way to be sure... I believe that's the new US policy and I'd guess that we'd only have to do it a couple of times before the lads from Latvia got the message.

  9. Rombizio


    As long as my Linux Mint is safe, I couldn't care less.

    1. Peter Murphy
      Thumb Down

      Smugness is an enemy of security.

      Rootkits exist for Linux as well. This is eight year old information, but the principle should remain.

      "There are many different versions of rootkits that perform basically the same function. Well known Linux rootkits include LRK, tOrn, and Adore and some Windows Rootkits include NTROOT, NTKap, and Nullsys...

      Not only are rootkits designed to hide the presence of an attacker; they are also used to gain future administrator-level (root) access, launch distributed denial of service (ddos), or obtain financial or confidential information."

      The article goes on to mention that rootkits overwrites common commands such as ps and netstat to hide rooted activity.

      I'd agree that it is harder to get a nasty process to overwrite the MBR than it is for Windows, and that it is easier to detect afterward. Never the less, if the MBR is infected by any process on the machine (including Windows, if you are running dual boot) then you really have problems!

    2. Anonymous Coward

      re: I couldn't care less

      So when the botnet takes down a service you want to use, or just generally clogs up the interwebs, your Linux Mint will magically overcome this how?

    3. El Cid Campeador

      You should care

      I use (and love) Mint as well but we do CANNOT be complacent. In the first place, while Linux is head and shoulders above Windows and/or OSX, it is not perfect nor unassailable--and tools that exist to attack Linux servers can be used to attack Linux desktops.

      That being said, if we do pay attention to the threat and encourage the community to improve security, there's no reason we can't stay out of the realm of low-hanging fruit or even (gasp) produce a reasonably secure operating system.

  10. Geoff Edwards

    Indestructible? And almost inifinite waste of time and money!

    It's a great shame that all the money that is being spent to combat these deliberate attacks on people, that's everyone, East and West whatever their nationality, whatever their religion, whatever their political belief is being wasted. This attack and other attacks is in reality an utter waste of precious treasure that could be better spent on helping people to have a decent, rather than a squalid life. It's not just the money but the time we are all wasting on protecting our systems from these attacks or rather cleaning out their evil residue. It's not as if one can isolate one's computer from the outside world either. Has anyone calculated just how much money is being spent on protecting us? Back in the good old days it was just the Stoned Virus that one had to contend with!

  11. Anonymous Coward


    Doesn't this thing have some GPL code in it? Maybe we can get them into court for breaking the terms of the GPL license, plus ask them to hand back some of their code as suggested by the GPL?

  12. Mage Silver badge


    bottom of page

  13. Ben Bawden

    Title goes here

    So how would one go about removing such an infection?

    1. Dr. Mouse

      More importantly... does one go about DETECTING such an infection?

      I you know it's there, you can always do something about it (even if it means reinstalling every single machine from scratch in a controlled manner). If you don't know there's a problem, you won't fix it.

    2. El Cid Campeador

      Nuke the site from orbit...'s the only way to be sure.

      DoD wipe the whole drive and reinstall from clean media-- and hope you've got a good data backup.

  14. bombastic

    The end is nigh

    We're doomed, DOOMED I tell ya!

    Viruses that disable other viruses, corkers, the virus software is cleverer than the Anti-virus software, come to think of it it's also cleverer than the OS (Windows 7 that is).

    Let's all move to the cloud cos it's dead safe so it is.

  15. Anonymous Coward

    Shurely that should be Master Book Record?

    This one will run and run...

  16. Wilco 1

    Definitely the worst virus I've ever encountered

    My XP computer was infected by this - I knew something was there as I noticed slight changes in behaviour and yet my computer was clean according to every anti virus I tried. Booting in safe mode and disabling all startup programs in msconfig (which gets rid of 99% of viruses) didn't work. Searching for recently changed .dll/.exe didn't give any clue either. It had infected the keyboard driver to load the main payload which was saved in some unused sectors. It installed a low-level drive filter to ensure that those sectors are read as zeroes. It then loads the original driver. As it is also encrypted in memory, no anti virus programs can detect it. Eventually I found out about TDSSKiller while searching for undetectable rootkits, which did confirm it was there and wipe it out.

    This one wasted me a good few hours, especially since all the anti virus software was totally useless. The really worrying thing is that most users wouldn't have noticed something was wrong in the first place, and even if they did, running the latest anti virus software would convince them there is no infection after all...

    1. Paul Crawford Silver badge

      @Wilco 1

      Clearly a case for a boot-CD like the bit defender one?

      Never had the misfortune to deal with this malware, but a clean boot should help.

      Oh, until the bad guys also get round to flashing your BIOS...

      Which reminds me of another rant, why can't the dumb buggers who design motherboards have a switch/jumper to enable BIOS updates? (default = locked, of course)

      And why can BIOS provide a report of the boot area so you know it has changed? Yes locking it down as in "trusted boot" is a pain and not something I want as it would piss off Tux no end, but at least offering you the SAH-1 hash history (or similar) of the sectors used for booting would let you know if something had been changed and so if a boot/clean CD was worth trying pre-emptively.

      1. Anonymous Coward
        Anonymous Coward

        MBR block

        I'm sure I there were bios's 10 years ago, that used to report/prompt for write, or block any attempt to write to the MBR - where have they gone?

        1. El Cid Campeador

          But but but but

          That was inconvenient! You had to open your case and set a jumper to flash the BIOS! The horror! The horror! Yep, convenience strikes again.

  17. Dan Mansfield


    Agree, I believe that the only way to protect the boot sector would be to have on an EEPROM which has a physical switch (like a usb flash drive that has a read only switch). Bastards can't infect it then.

  18. Anonymous Coward
    Anonymous Coward

    A really easy determination is needed

    I get user after user after user asking me, "How do I tell if I'm infected?" so if there was a really easy internet site that could check IPs against those recorded as being members of a botnet, that could be a real bonus for some people who ... to be honest ... no longer trust their anti-virus solution.


This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022