This week's big cyber news comes packing quite a headline: More than four million PCs have been infected by a malicious program known as TDL-4, a botnet that is so sneaky, so evasive, so hard to detect and disinfect that it is "practically indestructible." That quote comes courtesy of security researchers Sergey Golovanov and Igor Soumenkov of Kaspersky Labs, a cyber security firm and maker of anti-virus software. It's a scary thought: a botnet so sophisticated that it can't be detected and dismantled. But is it true?
There's no question that Golovanov and Soumenkov know their stuff, and their analysis of the emerging TDL-4 threat is thorough. But can a malicious program really be indestructible?
What is TDL-4?
TDL-4 is the fourth generation of the TDL malware (Kaspersky also identifies the family as TDSS), and Golovanov and Soumenkov call it "the most sophisticated threat today." In that, we can likely agree with them. TDL-4 packs all kinds of neat/scary tricks to conceal itself deep within hard drives, evading most virus scanning software as well as more proactive detection methods. It communicates in encrypted code, and contains a serious rootkit component--a rootkit being a program that allows an operator access to a computer even while hiding itself from the user, network administrators and automated security measures.
TDL-4 isn't a botnet itself, but it's malicious because it facilitates the creation of one--a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter, Facebook, and MasterCard.com), the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.
What Makes It "Indestructible"?
Golovanov and Soumenkov summarize this nicely: "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."
First things first: location, location, location. Once inside, TDL-4 takes up residence in the master boot record (MBR), which means it can run before the computer is actually booted up. The MBR is also rarely combed over by a standard anti-virus scanner, giving TDL added invisibility.
Then, TDL-4 does something else quite clever: it runs its own anti-virus program. The software contains code to remove around 20 of the most common malicious programs, wiping an infected machine clean of everyday malware that might draw a user's attention or cause an administrator to take a closer look. It can then download whatever malicious software it wants to in the place of the deleted programs. This version of TDL-4 also has added modules, like one that "fraudulently manipulates advertising systems and search engines" and another that establishes proxy servers on infected machines, which can be used to facilitate and hide other malicious cyber actions.
But critical to TDL-4's indestructibility is the way it communicates between bots. There are a few things at play here. First, and perhaps most central, is a clever algorithm that encrypts the communication protocol between the bots and the botnet's command and control servers. This makes it virtually pointless to monitor traffic between the command server and infected machines.
But couldn't you trace those commands, encrypted though they may be, back to the source to catch the bad guys? TDL-4 has a trick up its sleeve here as well, this time in the form of a public peer-to-peer file sharing network called Kad. TDL-4's creators can issue several commands to their bot machines over this P2P network. This is key, because it means that if TDL-4's command servers get shut down, the program's creators can still access all the infected machines out there. In essence, command servers aren't really necessary at all. Destroying TDL-4 at the source is more or less impossible, because the source is distributed across the botnet network. There really is no single source.
But Is It Really "Indestructible"?
Writing for Infoworld today, Roger Grimes makes a valid point: "As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right."
Grimes' approach is the level-headed one. At one point Conficker was going to destroy the entire Internet as we knew it, but here we are today getting our daily dose of carefree lulz on the Web. TDL-4 will continue to confound and frustrate security experts for years most likely. But this too shall pass.
But that doesn't mean Golovanov and Soumenkov are necessarily wrong to call TDL-4 "indestructible." Perhaps the most noteworthy part of its title is the "4." It's just one bad seed in a malicious multigenerational family.
"We have reason to believe that TDSS will continue to evolve," they write. "The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet's arsenal, P2P technology, its own 'antivirus' and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware."
That is, until TDL-5.
This is fantastic: millions of dollars poured into making the best, strongest and most secure computing clouds.
Black hat hackers do it in half the time on a comparatively zero budget.
America is heading towards a revolution; I have no doubt a good part of it will be fought, or at least facilitated, on the internet.
To Mars or bust!
If you seriously believe these sophisticated viruses are created by unpaid hackers, then you need to wise up a bit. This is no doubt a creation of a highly skilled organization, most likely with government funding backing it in whatever country the creators are based in which is most likely not the US since we're the obvious target.
Note this moment in history for today the goddess Jane is born.
Sounds like Skynet
It's funny how many computer viruses can actually be manufactured by antivirus employees themselves, working on the sly.
It's not a very new marketing strategy anyway: manufacturing diseases and then selling us the cure.
Some of the virus makers might even come from the folks who created the OS themselves, given their familiarity with the vulnerabilities of their own system.
And at the same time, these are the same folks we rely upon to give us the cure.
Or perhaps it's just part of a bigger marketing strategy, or perhaps even their own political agendas (i.e., what was the purpose of attacking Pirate Bay anyway, if not political?).
So my question is: who watches the watchmen?
It's just obvious that viruses will continue to exist for as long as we don't adopt transparency and open source.
I have over 12 years under my belt on pc's. Nothing fancy, no degrees, but I know my stuff. I bet anyone that this can be beaten simply. I bet there is more than 1 approach that can beat this. I can think of a few experimental ideas that would most likely work. Come on guys, this is nothing.
Oh man, your reference is pure win. And here I was, thinking I'm the only one seeing the similarity between this and the AI in Ender's Game. I award you 100 internets and 100 scifi's.
This is going to be a situation where you fight fire with fire. A search and destroy bot/worm could be created to follow the infection and wipe it out on its journey, infecting the same machines that are infected, spreading, and being algorithmically adapted along the way using the same setup as the current threat, and eventually infecting one of the "Patient Zero" origin systems and notifying the proper authorities.
Sure Matt1985, all you need is to convince about 2 billion individuals and another billion corporate computers to learn how to fully operate their computer... to obtain a secured dedicated flash drive or CD with the specific detection and removal software installed and ensure that the hardware boots from the antivirus before even accessing the HDD and then preventing the bot from being reinstalled as soon as internet access is re-established... simple enough once you convince the entire global internet using population to do it.
So how is this malicious?
It certainly appears to be potentially malicious, but if I read this correctly they have no idea what it actually does. Collect bank account passwords? It obviously does nothing overt like wipe out hard drives, and in fact is beneficial by removing other viruses.
Maybe it does nothing except spread itself and wait for instructions on what to do.
If it takes years to wipe out TDL-4 then the whole planet is at risk until then.
Time for an international body to be created and to offer rewards for anybody who can give info on the creators. Those don't do this kind of thing just to waste their time and are likely to brag about their exploits.
If caught, lifelong for other people's time wasted.
The rootkit is easy to remove, especially if no modifications were made to the system; this method applies if all other removal methods have failed. Using a recovery disc from Microsoft and command prompt commands seems to fail to clear the MBR completely.
Download MBRTool.exe and burn a copy on a blank CD.
Print out a copy of the manual that comes with the MBRTool, it will be handy later.
Download a recovery disc from Microsoft for a corresponding operating system.
Restart your computer and boot into the CD.
Follow the instructions on the screen and the manual and view the MBR record.
Wipe the entire MBR record.
View MBR record to make sure there is nothing but zeros.
Remove the MBRTool disc and insert Windows Recovery disc.
Run Startup Recovery.
Windows will be able to start but not completely boot.
Remove the disc, and now run Startup recovery from the Windows menu.
After it finishes - restart and the rootkit is gone.
I hope it helps.
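The removal steps above end with viewing the MBR to make sure it contains nothing but zeros, and the article's section on "location" notes that the MBR is rarely inspected by a standard scanner. The following Python script is an added example, not code from the article, from Kaspersky's analysis, or from any commenter: it parses a 512-byte MBR image, checks the 0x55AA boot signature and the partition table, reports whether the bootstrap area is zeroed, and compares the SHA-256 of the bootstrap code with a baseline taken from a known-clean machine. Every MBR image it works on is constructed inside the script; the bootstrap bytes, disk signature and partition geometry are placeholders, not values from the page.

```python
"""Inspect a 512-byte master boot record and compare it with a clean baseline.

Added example for the discussion of MBR-resident malware and the removal
steps above; it is not code from the article, from Kaspersky, or from any
commenter.  All MBR images here are constructed in this file.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code lives in bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split one sector into the fields a defender wants to look at."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    bootcode = mbr[:BOOTCODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start,
                           "sectors": sectors, "bootable": status == 0x80})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "bootcode_all_zero": not any(bootcode),
        "partitions": partitions,
    }


def is_fully_zeroed(mbr: bytes) -> bool:
    """The 'nothing but zeros' check from the removal steps."""
    return len(mbr) == MBR_SIZE and not any(mbr)


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector wiped or corrupted")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code hash differs from clean baseline")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition status byte {p['status']:#04x} is neither 0x00 nor 0x80")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition is flagged bootable")
    return findings


def build_sample_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR image for the demonstration (not a real disk dump)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x1234ABCD)  # constructed disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data: a placeholder bootstrap, the same bootstrap with four
# bytes patched, and a fully zeroed sector as left behind by an MBR wipe.
CLEAN_BOOTCODE = (b"\xEB\x3C\x90" + b"constructed clean bootstrap").ljust(BOOTCODE_LEN, b"\x00")
ALTERED_BOOTCODE = CLEAN_BOOTCODE[:0x20] + b"\xE9\x00\x01\x00" + CLEAN_BOOTCODE[0x24:]
NTFS_PARTITION = [(0x80, 0x07, 2048, 0x00100000)]  # bootable NTFS entry, constructed geometry

CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, NTFS_PARTITION)
ALTERED_MBR = build_sample_mbr(ALTERED_BOOTCODE, NTFS_PARTITION)
WIPED_MBR = bytes(MBR_SIZE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootcode_sha256"]  # recorded from the clean image

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR), ("wiped", WIPED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["OK"], "zeroed:", is_fully_zeroed(image))
```

On a real machine the 512 bytes would come from a raw read of sector 0 taken from a boot disc rather than from the possibly infected operating system, and the baseline hash should be recorded before the machine is ever put on the network, since a hash taken after infection only baselines the infection.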
What we need is a $50 iris scanner that hooks on to your computer--and you can't send if you don't scan--tied to real time. Likewise you can't get a message without scanning yourself. It would stop it dead.
Robert1234: There is no likely solution to stopping computers being infected. The solution is to stop the infections from being effective; that is, stop their actions from having consequences for others. When that is accomplished, there will be no purpose for contaminating our computers. For example, I cannot understand why DDS works at all. When a computer is overloaded with requests, why can't the program simply begin to process each item by sequence as it arrived and place all others in abeyance? It's utterly stupid that excessive requests can shut anything down. It's like a telephone that gets too many calls at once. The "excess" calls simply never get through to the phone. Computers should be the same way. Get with it guys, and solve the problems from the receiving end!
@all Never think the enemy is stupid or that you are smart. Either of these positions will make you just another 'bot in someone's network. Every major country and many shadow groups have huge budgets and hire brilliant people. We are just pawns in that game.
@PopSci I wish you could figure out a good way to include links here without opening the door for spam and malware.
@adaptation Good one.
@lohengrim Some folks wear the hat that fits best at the time, but 1/2 off for conspiracy casting.
@Matt1985 Wow - 12 whole years? This is nothing? Either you are clueless or you are one of "them".
@Motochus Your solution is why most of the native birds in Hawai'i are endangered. Take a look here for reasons why you don't release killer apps: www.invasivespeciesinfo.gov
@TonyB Bingo! Your post should be submitted for a Nobel Prize. Please stay alive - we need all of the help we can get!
@Roy_H Would you leave your house unlocked and let a stranger stand in your bedroom? He doesn't take up much space and he isn't doing anything malicious. He even watches over you while you sleep, keeping some of the other people who want to stand in your bedroom away. Of course, if he gets mad he could kill you & your family and burn down your house, but he wouldn't do that, would he?
@Peter10 A little hard to understand, but a good start. How would we keep that body honest, though? If a country wants to keep something like that alive, the people on the board could be...convinced...to let some things exist in secret.
@Alkane Good instructions. However, if there is no cure, how do you stop from being reinfected? Like malaria, every time you go out of the house (connect to the 'Net) there is a mosquito waiting for you. You can take precautions, but the insects always seem to find a way to bite you.
@stan0301 Like electronic voting machines? ANY hardware/software combination can (and usually does) have a back door paid for by those with enough money or influence to make sure it is there.
@Robert1234 You don't understand DDS? OK - someone begins a DDS attack on VISA. You are buying groceries, but the machine can't finish your transaction because it is one of the "dropped calls". You can stand there for a day or two and hope your call is answered, but that is a little hard on the ice cream. Does that clear things up? 'Botnets can generate more calls than any company can afford to answer.
@all I don't have the answer because I'm not educated enough in this area - and I don't think any single person has the answers. What I can do is provide some things to look up and think about. These are not conspiracy ideas - they are very real and mainstream. Since I can't give links, look up the keywords listed.
1. Keyword: "Rainbow Table" Once a 'botnet has your computer, what is stopping it from using a rainbow table to grab all of your passwords, which are then sold on the black market? The longer the password the bigger the rainbow table required, but that handy dandy 10 Mbit connection you have to your new PC makes it easier.
2. Keyword: "Ready Reserve" & "National Guard" Governments cannot afford to keep large standing armies, so they get folks to enlist for "one weekend a month and two weeks a year" so they have a ready source of soldiers in case of war. Do you think electronic warfare is any different?
2.1 Keyword "telecommunications immunity" If the government can grant immunity to AT&T after someone found out that the main fiber link between the US and Asia was being split & monitored, why do you think they can't be doing other things like that in the name of "defense"?
3. Keyword "Mexican Drug Cartels" Americans spent $65 billion for illegal drugs last year and stolen US weapons account for 70% of the guns recovered from Mexican drug cartels. Mexicans spent $2.65 billion in government bribes last year. Everybody wants something and EVERYONE has a price - whether it be in money, the lives of your family, your job, etc. Why do you think ANY software you buy is immune to hijacking? (Source: Time Magazine, July 11, 2011, "The War Next Door" Pages 24 - 31). For "mafia" style groups, your information means money - mostly because people are still stupid enough to respond to "You won the Neverheardaya National Lottery" emails. TonyB has it right.
4. Keyword "Cold War" Most everyone who served in the US or Soviet Union military from 1950 to 1991 knows that the "Cold" war wasn't so cold. It was just fought in proxy nations, like Laos, Cambodia, Korea, Vietnam, Germany, Afghanistan, Cuba, and 20 or 30 other nations. Like I said before - our computers are the pawns of the computer warfare age. Large & powerful groups, whether governmental or "NGO" (non-governmental organizations), have an interest in having the best technology to attack or defend critical infrastructure in case of war. To do that, they need to practice and test and we are the biggest source of free testing there is.
5. Keyword "Social Engineering" Every spy knows that the best way to get information is through social engineering. People are lazy and choose to be ignorant. They share their unsecure "fido1" passwords and think "it" can't happen to them. Well, "it" happens and has probably already happened to YOU.
Bucks, Blisters or Blood - Everyone needs to pay for the freedoms we enjoy!
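The "Rainbow Table" keyword in the comment above is the one item on this page that a few lines of code explain better than prose. The script below is an added example, not code from the article or from the commenter: it precomputes a table of unsalted SHA-256 digests for a constructed list of common passwords (including the commenter's "fido1"), shows that a stolen unsalted digest is recovered by a single dictionary lookup, and then shows that the same table finds nothing once each stored password is hashed with its own random salt and a slow key-derivation function. A real rainbow table compresses this lookup into hash chains to save space; the flat dictionary here is a simplification that keeps the principle and the defence visible. The password list and the PBKDF2 round count are assumptions made for the example.

```python
"""Why a precomputed hash table recovers unsalted passwords but not salted ones.

Added example for the "Rainbow Table" keyword above; it is not code from the
article or from the commenter.  A real rainbow table stores compressed hash
chains; the plain lookup table here shows the same principle with less code.
"""
import hashlib
import hmac
import os

# Constructed stand-in for the common-password wordlists such tables are built from.
COMMON_PASSWORDS = ["123456", "password", "fido1", "qwerty", "letmein"]
PBKDF2_ROUNDS = 100_000  # assumed work factor for the salted scheme


def sha256_hex(password: str) -> str:
    """The unsalted digest a careless system might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password once; the table is reusable against every stolen hash."""
    return {sha256_hex(pw): pw for pw in candidates}


def recover_unsalted(table: dict, stolen_digest: str):
    """Recovery of an unsalted password is a dictionary lookup; no hashing at all."""
    return table.get(stolen_digest)


def new_salt() -> bytes:
    """Per-user random salt stored next to the hash."""
    return os.urandom(16)


def salted_hash_hex(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash: the precomputed table never saw this input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison of a candidate against the stored salted hash."""
    return hmac.compare_digest(salted_hash_hex(password, salt), stored_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted lookup:", recover_unsalted(table, sha256_hex("fido1")))
    salt = new_salt()
    stored = salted_hash_hex("fido1", salt)
    print("salted lookup:  ", recover_unsalted(table, stored))
    print("verify fido1:   ", verify_salted("fido1", salt, stored))
```

The lesson for the site operator, rather than the user, is that a salt does not make a weak password strong; it only forces an attacker to redo the precomputation per account, and the slow KDF makes each of those recomputations expensive.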
Just yet another reason to switch to free Linux. Mint, Ubuntu, Sabayon, Mandriva, EasyPeasy, PCLinuxOS, and any other flavor you'd like to use.
Or a Mac.
Yeah, a boot disc is the easiest way to clean it off. AVG has a free boot disc that uses Linux to clean anything.
I've been using Mac, Win and Linux for ten years+ and I make my living fixing Windows, but I use Linux 100% of the rest of the time. I can also afford to do more in Linux legally than I can in Windows buying applications for every little task.
Easy fix here:
FORMAT %DRIVE LETTER HERE%:\ /X /P:2
Run this batch from live-CD and that's it.