'Indestructible' rootkit enslaves 4.5m PCs in 3 months

One of the world's stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of …

COMMENTS

This topic is closed for new posts.
  1. nyelvmark
    Alert

    Oh, shit.

    This is seriously scary.

    Is the internet doomed the way that the Euro is?

    Let's all go back to living in caves. If this goes on, we may not have a choice. In fact, I think I'm going to go looking for a suitable cave tomorrow. I'll need a few dozen rolls of aluminium foil, several tonnes of canned food, and some serious weaponry to keep other cave-hunters at bay.

    Punch-line to come.

    1. Anonymous Coward
      Happy

      Don't be so pessimistic!

      First, move out of Windows monoculture. Before going back to living in caves, give Linux a try or even better, go directly with OpenBSD.

      Yes, I totally agree with you that these OSes are far from being as polished and full of features as Windows is right now, but you still get a headache-free computing experience.

      1. Anonymous Coward
        Anonymous Coward

        headache free?

        Really? Is having to dive into an obscure text file located in one of many locations to change a minor config really not a headache?

        1. Anonymous Coward
          Anonymous Coward

          Re: headache free?

          Andrew C, I feel your pain brother. I hate working with the registry, boot.ini, win.ini, system.ini, /blah/blah/blah/hosts, etc too.

        2. El Cid Campeador
          Linux

          Uh...

          Easier than poking around in the registry--especially for people who, like a lot of my friends, don't know a hex from a USB mouse.

          "Okay open file thatapp.conf"

          "OK"

          "Find the line that says ThatSetting"

          "Wait... no... no... Oh I see it."

          "Change 'No' to 'Yes' and save the file"

          "OK... done. Wait, that's it? That was easy!"

          "Yep. That's why I made you buy me the beer first."

      2. Andy Jones

        Wrong

        @ AC 07:49

        Windows is far from being polished and full of features. I use Linux and it does everything I need it to do, and I use Windows at work and am constantly frustrated due to it missing things I need that are in Linux!

      3. John 104

        Headache free - sort of

        Yes, your security headache will be gone. To be replaced by a usability headache. :)

        For the record, I work both on windoze and nix systems.

    2. Anonymous Coward
      Facepalm

      RE: Oh, shit.

      The internet isn't doomed - this is just another example of "Windows security" at work!

    3. Getter lvl70 Druid
      Go

      Speaking of caves....

      I would absolutely love to build (dig? blast?) a Hobbit Burrow to live in and use geothermal power to take me off the grid. One day.......

      :)

    4. Andy Livingstone

      Doomed Euro?

      Right OK then, so the Euro is doomed. So why is the pound losing value against it on a daily basis? Tell me that Private Fraser.

  2. zeromastermind
    Devil

    Amazing info.

    I remember reading somewhere back a few months ago that researchers were able to install one of these advanced bootkits on a machine that was running full-system encryption via TrueCrypt - *one* round of AES. The story was surprising at the time because that was one of the few mitigations against the installation of these bootkits - the idea being that existing (TrueCrypt boot loader) code was already in the MBR and that overwriting any of it would render the system unbootable, since the TrueCrypt boot loader would hence be corrupt and wouldn't even load. Apparently there was still enough free space in the MBR to write to after the TrueCrypt code ended.

    However, no one said anything about cascade encryption.

    If you had a combination of AES+Twofish+Serpent as your system encryption scheme - would that be enough to plug any holes in the MBR to prevent these bootkits from installing? Anyone?

    1. Michael Mokrysz

      Too big

      I'm talking more from intuition than from knowledge, but surely it'd be more likely to just mess up the MBR than to stop the rootkit installing? Admittedly that tells you something's up, but by then it's probably too late.

    2. JeevesMkII
      Thumb Up

      Great solution...

      So, the solution to the problem of the nigh undetectable and ineradicable rootkit that will doubtless install stuff to bring your system to a crawl for all eternity is... to preemptively install stuff that will bring your system to a crawl for all eternity.

      Can't we just build a linux pre-loader for windows that zeroes the entire memory and then checks to see if anything on your windows partition has changed since last boot, and freaks the hell out if it has? That would probably be less of a pain in the arse.

      1. amanfromMars 1 Silver badge
        Thumb Up

        Re: Great solution

        Great solution, JeevesMkII.

      2. Steve Foster
        Facepalm

        @Great Solution...

        That's been commercially available for years. It's called Norton.

      3. El Cid Campeador
        Windows

        That would work if Windows made any sense

        Unfortunately Windows is constantly changing itself and tools that do that kind of thing tend to overwhelm you with false positives (and that's a shame). Maybe if it just looked at the MBR....

      4. spellucci

        Microsoft Standalone System Sweeper

        Microsoft has in beta a program called Standalone System Sweeper. It creates an ISO to boot from. When you do, it checks for rootkits that cannot be checked when booting from the MBR. See http://connect.microsoft.com/systemsweeper for details.

        1. Anonymous Coward
          Anonymous Coward

          Scan Before Use

          It took the porkers at MS long enough to get around to doing this, not like it is a new idea or anything. But at least they are finally doing it.

    3. Dr Trevor Marshall
      FAIL

      Mitigation? Detection?

      It is one thing to raise a warning. But an article on a pervasive rootkit, without any discussion of detection or mitigation measures, is worse than useless (IMO).

  3. nick47
    Trollface

    Lucky for me...

    I've got a Mac, and therefore can't get viruses.

    1. Miek
      Linux

      Yeah ...

      GLWT

    2. The Fuzzy Wotnot
      Stop

      So have I....

      In fact I have 4 Macs, except having used Windows for 10 years I am not a self-satisfied plank with a Jobs worship fetish! I am an IT realist and, to borrow a quote, I know the price of a malware-free machine is eternal vigilance, and that includes OSX and Linux. Being a smug, sanctimonious pillock will lead to a very big and painful fall for you, my friend!

      1. CD001

        Pssst....

        [hint: did you not see the Troll icon?]

    3. John 104
      Thumb Up

      Hahaha

      Nice one! I see many here didn't get your joke though.

  4. 42
    FAIL

    Indestructible?

    Except by Kaspersky's TDSSKiller. Removed it quite easily last week.

    1. Anonymous Coward
      Windows

      re: Removed it

      Are you sure it's gone? Are you sure you haven't been reinfected with a newer version?

  5. Head
    Thumb Down

    Hmmm

    I have been doing some rather mundane fixing of this thing recently.

    I *think* one solution is to always prompt for driver installations.

    Pretty typical of Windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.

    1. CD001

      Win7

      ----

      Pretty typical of Windows 7 though, putting looks and fancy menus and options everywhere, but really failing on the security side of things.

      ----

      Could be worse - at least it's possible to run Win7 in limited privileges mode; there's nowhere near as much badly written software that requires Admin privileges on Win7 as there has been on any previous version.

      I wouldn't say it was great, but simply that it fails less hard than previous versions...

    2. John 104

      Disagree

      Out of the box Win7 is pretty tight. It's only when you start going in and disabling security features that it becomes vulnerable.

      And above all of the back and forth between the OSs, if you just practice safe computing, you won't have to deal with any of this crap. Don't click links in emails that you weren't expecting, don't visit porn or warez sites, question every pop up, never click YES. Been doing it for years with great success. Even my wife and kids are good at it these days. It isn't rocket science.

  6. davenewman

    Does it kill grubs?

    What if the MBR contains GRUB or LILO instead of a Windows MBR?

  7. Destroy All Monsters Silver badge
    Holmes

    ad-hoc DHCP servers?

    Hmmm.... I better check out those bizarre flip-flops I have seen recently around here. I thought it was just the iPhones behaving crappily, but who knows.

  8. Version 1.0 Silver badge
    Happy

    SSDD - Darwin in action

    Early life forms evolve, and eat the lesser evolved for lunch.

    If it's blacklisting other virus servers then it should be fairly easy to see if you're infected ... then I say we take off and nuke the site from orbit. It's the only way to be sure... I believe that's the new US policy and I'd guess that we'd only have to do it a couple of times before the lads from Latvia got the message.

  9. Rombizio
    Linux

    Well...

    As long as my Linux Mint is safe, I couldn't care less.

    1. Peter Murphy
      Thumb Down

      Smugness is an enemy of security.

      Rootkits exist for Linux as well. This is eight year old information, but the principle should remain.

      http://www.sans.org/reading_room/whitepapers/linux/linux-rootkits-beginners-prevention-removal_901

      "There are many different versions of rootkits that perform basically the same function. Well known Linux rootkits include LRK, tOrn, and Adore and some Windows Rootkits include NTROOT, NTKap, and Nullsys...

      Not only are rootkits designed to hide the presence of an attacker; they are also used to gain future administrator-level (root) access, launch distributed denial of service (ddos), or obtain financial or confidential information."

      The article goes on to mention that rootkits overwrite common commands such as ps and netstat to hide rooted activity.

      I'd agree that it is harder to get a nasty process to overwrite the MBR than it is on Windows, and that it is easier to detect afterward. Nevertheless, if the MBR is infected by any process on the machine (including Windows, if you are running dual boot) then you really have problems!

    2. Anonymous Coward
      FAIL

      re: I couldn't care less

      So when the botnet takes down a service you want to use, or just generally clogs up the interwebs, your Linux Mint will magically overcome this how?

    3. El Cid Campeador
      Linux

      You should care

      I use (and love) Mint as well, but we CANNOT be complacent. In the first place, while Linux is head and shoulders above Windows and/or OSX, it is not perfect nor unassailable--and tools that exist to attack Linux servers can be used to attack Linux desktops.

      That being said, if we do pay attention to the threat and encourage the community to improve security, there's no reason we can't stay out of the realm of low-hanging fruit or even (gasp) produce a reasonably secure operating system.

  10. Geoff Edwards

    Indestructible? And almost infinite waste of time and money!

    It's a great shame that all the money that is being spent to combat these deliberate attacks on people, that's everyone, East and West, whatever their nationality, whatever their religion, whatever their political belief, is being wasted. This attack and other attacks are in reality an utter waste of precious treasure that could be better spent on helping people to have a decent, rather than a squalid, life. It's not just the money but the time we are all wasting on protecting our systems from these attacks, or rather cleaning out their evil residue. It's not as if one can isolate one's computer from the outside world either. Has anyone calculated just how much money is being spent on protecting us? Back in the good old days it was just the Stoned virus that one had to contend with!

  11. Anonymous Coward
    Joke

    GPL?

    Doesn't this thing have some GPL code in it? Maybe we can get them into court for breaking the terms of the GPL license, plus ask them to hand back some of their code as suggested by the GPL?

  12. Mage Silver badge

    gmer

    bottom of page

    http://www2.gmer.net/rootkits.php

  13. Ben Bawden

    Title goes here

    So how would one go about removing such an infection?

    1. Dr. Mouse

      More importantly...

      ...how does one go about DETECTING such an infection?

      If you know it's there, you can always do something about it (even if it means reinstalling every single machine from scratch in a controlled manner). If you don't know there's a problem, you won't fix it.

    2. El Cid Campeador
      Mushroom

      Nuke the site from orbit...

      ...it's the only way to be sure.

      DoD wipe the whole drive and reinstall from clean media-- and hope you've got a good data backup.

  14. bombastic
    Boffin

    The end is nigh

    We're doomed, DOOMED I tell ya!

    Viruses that disable other viruses, corkers, the virus software is cleverer than the Anti-virus software, come to think of it it's also cleverer than the OS (Windows 7 that is).

    Let's all move to the cloud cos it's dead safe so it is.

  15. Anonymous Coward
    Trollface

    Shurely that should be Master Book Record?

    This one will run and run...

  16. Wilco 1
    Flame

    Definitely the worst virus I've ever encountered

    My XP computer was infected by this - I knew something was there as I noticed slight changes in behaviour, and yet my computer was clean according to every anti-virus I tried. Booting in safe mode and disabling all startup programs in msconfig (which gets rid of 99% of viruses) didn't work. Searching for recently changed .dll/.exe files didn't give any clue either. It had infected the keyboard driver to load the main payload, which was saved in some unused sectors. It installed a low-level drive filter to ensure that those sectors are read as zeroes. It then loads the original driver. As it is also encrypted in memory, no anti-virus programs can detect it. Eventually I found out about TDSSKiller while searching for undetectable rootkits, which did confirm it was there and wipe it out.

    This one wasted me a good few hours, especially since all the anti virus software was totally useless. The really worrying thing is that most users wouldn't have noticed something was wrong in the first place, and even if they did, running the latest anti virus software would convince them there is no infection after all...

    1. Paul Crawford Silver badge

      @Wilco 1

      Clearly a case for a boot-CD like the bit defender one?

      Never had the misfortune to deal with this malware, but a clean boot should help.

      Oh, until the bad guys also get round to flashing your BIOS...

      Which reminds me of another rant, why can't the dumb buggers who design motherboards have a switch/jumper to enable BIOS updates? (default = locked, of course)

      And why can't the BIOS provide a report of the boot area so you know if it has changed? Yes, locking it down as in "trusted boot" is a pain and not something I want, as it would piss off Tux no end, but at least offering you the SHA-1 hash history (or similar) of the sectors used for booting would let you know if something had been changed, and so whether a boot/clean CD was worth trying pre-emptively.

      1. Anonymous Coward
        Anonymous Coward

        MBR block

        I'm sure there were BIOSes 10 years ago that used to report/prompt for a write, or block any attempt to write to the MBR - where have they gone?

        1. El Cid Campeador
          Facepalm

          But but but but

          That was inconvenient! You had to open your case and set a jumper to flash the BIOS! The horror! The horror! Yep, convenience strikes again.

  17. Dan Mansfield
    Pirate

    Physical

    Agree, I believe that the only way to protect the boot sector would be to have it on an EEPROM which has a physical switch (like a USB flash drive that has a read-only switch). Bastards can't infect it then.

  18. Anonymous Coward
    Anonymous Coward

    A really easy determination is needed

    I get user after user after user asking me, "How do I tell if I'm infected?" so if there was a really easy internet site that could check IPs against those recorded as being members of a botnet, that could be a real bonus for some people who ... to be honest ... no longer trust their anti-virus solution.

  19. Anonymous Coward
    Anonymous Coward

    Would this work?

    "Additional changes include a new antivirus feature that rids TDSS-infected machines of 20 rival malware titles, including ZeuS, Gbot, and Optima. It also blacklists the addresses of command and control servers used by these competing programs to prevent them from working properly."

    So, in order to detect TDSS, why not intentionally infect your system with enough of the signature from the 20 rival malware products? The malware you use would look like the real thing, but be inert. If you have TDSS on your system, it will react by attempting to clear out the rival malware. I got the idea thinking about the smallpox vaccine. It uses an inert virus to trick the body into producing antibodies to defeat the real virii.

    1. Mike Hocker
      Boffin

      Phagekit

      Or why not install a low level driver (a phagekit if you will) of your own, such that TDSS identifies a key piece of itself for destruction.... if the piece is system unique (i.e., only critical for TDSS and not for WinCrap/FanBois/Nix) it would be a lead bullet solution (leaves dead bodies around, vs. silver bullet when everything is pristine afterwards). Of course the response by TDSS drones would be to locate TDSS somewhere critical so the phage becomes fatal... but at least you aren't infected anymore!

      Or have TDSS add its own control servers to its own blacklist... always a busy signal.

  20. Anonymous Coward
    WTF?

    "DoD wipe the whole drive"

    How many readers still don't realise that this business of "DoD wiping" (multiple passes over every block with different patterns of data, to ensure any "remanent magnetism" is erased) has been irrelevant since drives were bigger than a few dozen MB?

    1. Daniel 4
      Boffin

      @AC 15:54

      "How many readers still don't realise that this business of "DoD wiping" (multiple passes over every block with different patterns of data, to ensure any "remanent magnetism" is erased) has been irrelevant since drives were bigger than a few dozen MB?"

      Um, most?

      Of course, it depends on exactly why you say it's not an issue, but the most obvious one is that the encoding methods these days are radically different. The original "DoD wiping" algorithm was written with a specific couple of drive types in mind, intended to do the maximum amount of damage to the original data. Multiple pass overwrites MIGHT still be useful, but there's really nothing to be gained from writing that particular pattern anymore. I have read papers suggesting tossing in a pass of random data between a pass of ones and a pass of zeros can be worthwhile, but the efficacy of even that is almost certainly still drive specific.

      Short version: It takes an amazing amount of resources to try to get /anything/ off of a simple couple passes of ones and zeros. Anything that is going to be recovered will probably be recovered no matter what you do with software, so if you're really paranoid, physically destroy the drive. Personally, I've never been that paranoid on my home drives - I don't want people reading my private life, banking records, etc., but it's never been worth melting the platters down in the off chance the FBI would get a bee in their bonnet.

      -d

      1. Anonymous Coward
        Thumb Up

        Nice writeup Daniel

        AC 15:54 again

        Nice writeup.

        Most of the readers who don't know "DoD wipe is irrelevant" hopefully won't make themselves look silly by trying to sound impressive (and being wrong). Hopefully now more of them know it is irrelevant, and why.

        "the encoding methods these days are radically different."

        That and the radically different track following methods in anything but antique drives, which mean that there's little chance of retrieving data by positioning the read head slightly "off track", which is part of what "DoD erase" was meant to deal with.

        I'm convinced it's a major miracle we get any data off these things at all.

        Mind you the DoD themselves probably still insist on DoD erase.

        Let's be careful out there.

      2. Anonymous Coward
        Boffin

        Destroying Data

        I prefer physical destruction, a couple of minutes in a hydraulic press and only the infinite resources of the Iranian Guard redirected from the navel gazing pursuit of tying 2000 knots/inch in Persian carpets will recover the data.

        If I were truly paranoid though, raising the oxide to the curie temperature is the way to go. Merely melting the platter may not be enough.... depending on the oxide used.

        If a resource recovery site is available nearby, one could also watch the drive tossed into an arc furnace. But you usually have to have faith that they really did throw the drive into the waste stream... and that just isn't good enough when paranoia runs deep. Can you really trust that the minimum wage grunt isn't on the &blackhelo payroll? Or even just a wannabe cracker in his/her spare time?

  21. Will Godfrey Silver badge
    Unhappy

    Maybe

    Grub and LILO could be modified so that on installation they filled the whole of the MBR with pseudo-random data, then created a hash of it for subsequent boot tests. If the very first bit of data on the record was also a jump to an actual address somewhere in the middle of this crap the virus would have to do a *lot* of work to hide in there.

    Disclaimer

    I know nothing!
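Paul Crawford's and Will Godfrey's comments above both want a hash of the boot sectors that can be compared on later boots. Here is an added example (not code from the thread, nor from any product named in it) that records per-region SHA-256 digests of a 512-byte MBR and reports which region changed; the sample MBR and the modification applied to it are constructed for illustration, and a check like this is only trustworthy when run from clean boot media, since an active rootkit can filter sector reads.

```python
"""Baseline-and-compare integrity check for a 512-byte MBR.

Added example, not code from the thread. Assumes the MBR is available as
512 bytes (e.g. read from a disk image, or from a raw device with the needed
privileges). The sample MBRs below are constructed for illustration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446                  # bootstrap code region, offset 0
PART_TABLE_OFF = 446                 # four 16-byte partition entries
PART_TABLE_LEN = 64
SIGNATURE = b"\x55\xaa"              # boot signature at offset 510


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its regions and decode the used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "partition_table": mbr[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN],
            "partitions": partitions}


def baseline(mbr: bytes) -> dict:
    """Per-region SHA-256 digests; store the result on trusted, read-only media."""
    regions = parse_mbr(mbr)
    return {name: hashlib.sha256(regions[name]).hexdigest()
            for name in ("boot_code", "partition_table")}


def check(mbr: bytes, expected: dict) -> list:
    """Return the names of regions whose digest no longer matches the baseline."""
    current = baseline(mbr)
    return [name for name in expected if current[name] != expected[name]]


def build_sample_mbr() -> bytes:
    """Constructed sample: a tiny bootstrap stub plus one bootable NTFS partition."""
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli; xor ax,ax; mov ss,ax; mov sp,0x7c00
    code = code.ljust(BOOT_CODE_LEN, b"\x00")
    # status 0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS), LBA 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE


def tampered_copy(mbr: bytes) -> bytes:
    """Constructed: simulate a change confined to the boot code region."""
    patched = bytearray(mbr)
    patched[0:4] = b"\xeb\x3e\x90\x90"   # different first instructions, same length
    return bytes(patched)


if __name__ == "__main__":
    trusted = build_sample_mbr()
    expected = baseline(trusted)
    for name, digest in expected.items():
        print(f"{name:16} {digest}")
    print("clean copy, changed regions:   ", check(trusted, expected))
    print("tampered copy, changed regions:", check(tampered_copy(trusted), expected))
```

Hashing the bootstrap code and the partition table separately lets a legitimate repartitioning be told apart from a change to the code that runs before the OS.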

  22. Martin 50
    Paris Hilton

    GNU

    I laughed when halfway through the Securelist article it said:

    However, the system does face [two] major obstacles:

    ...

    2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

    They are malware authors/distributors, FFS; adding a charge of annoying some open-sourcers seems to be like adding a littering charge to a burglary prosecution! Plus 'major obstacle' to what exactly - selling it in PC World??

    (Paris, as she also has two major obstacles to face.)

  23. Dave Lawton
    Holmes

    Test for / Remove the root kit?

    Go to http://support.kaspersky.com/faq/?qid=208283363

    Currently V2.5.8.0 dated Jun 28 2011

    So should deal with the latest version.

  24. Anonymous Coward
    Facepalm

    CleanDNS

    So why doesn't someone sell a service that has a clean DNS with a nice whitelist?

    Yes, it would need an external box in the network path [because the Intel/AMD boxes just can't be trusted by themselves, even TPM is inadequate], and IP addresses would be sent to the cleanDNS also for reverse checking.

    OK, so the crackers would change to infecting white list sites with malware to let them behave as control points in addition to whatever their normal use was... and fast flux to evade the laggardly updating of the cleanDNS.

    Rats, another solution that won't work.

  25. Mixtlupus
    Angel

    Removal

    Not only is this virus a right pain in the proverbial, but it's a pain to get rid of too. It took me almost a day to work out how to get the little tyke off an infected PC for one of our customers (though admittedly most of that time was spent running various virus/malware scanners that had little or no effect); a colleague resorted to FDisking a PC a week earlier. Just glad I managed to clean the latest one.

    Out of interest, a lot of BIOSes have a boot sector protection option that should be enabled once Windows is installed (even a lot of old AMIBIOS systems had this 10 years ago). This would prevent infection of the boot sector, halt the system when an infection attempts to take place, and pipe an error straight to the graphics card & internal beeper :)

  26. Bluey1701

    Cut the Windows v Linux crap

    Have worked in the IT Security industry for over 30 years now, and the only reason Windows is targeted is down to numbers. Creators of these rootkits are in it for PROFIT only.

    Were Linux or Mac to hold a 90% share of all home OSs, it would be targeted by and hammered with just as much malware as Windows is now, whilst the Windows-owning minority would be crowing about how secure and trouble-free their OS was.

    Please let's make it clear, from the point of view of this security expert: ALL operating systems are vulnerable to a determined enough attacker. Mac and Linux have just as many weaknesses as Windows, but it's not as worthwhile in terms of money to target them when trying to infect home-based systems.

    As was pointed out earlier, eternal vigilance is the only answer. If you believe you're safe because you run Linux, you are delusional.
