Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Botnet "Indestructible," Say Researchers

Posted by samzenpus on from the +1-or-better-update-to-hit dept.

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

18 of 583 comments (clear)

  1. Take 'em offline by jnpcl · · Score: 3, Insightful

    Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

    1. Re:Take 'em offline by Shikaku · · Score: 5, Insightful

      From TFS:

      What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      "What about the volume?" Encrypted Bittorrent.

    2. Re:Take 'em offline by Joe+U · · Score: 2, Insightful

      The only long term solution is to infect the infected with something that low level formats their HDD.

      That will stop the problem.

      It's amazingly illegal though, so it's not happening anytime soon.

    3. Re:Take 'em offline by geekmux · · Score: 3, Insightful

      Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

      And as this particular one operates, good luck discerning a valid encrypted connection from a invalid/infected one.

      The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

      Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.

    4. Re:Take 'em offline by farseeker · · Score: 2, Insightful

      The third time, require a faxed copy of a receipt/invoice/statement from a third party

      Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine

    5. Re:Take 'em offline by Grishnakh · · Score: 1, Insightful

      Well if they're sending SMTP mail, then it should be easy to identify them without excessively curbing customers who have legitimate SMTP servers: place a simple limit on outgoing email.

      Normal people with their own SMTP servers probably aren't going to send more than a few dozen emails per day.

      An infected PC will send millions. No human can generate millions of emails on a keyboard, and there's little reason to think that activity might be legitimate and not spam.

      Find people sending tons of email, contact them and find out what's up, and if they don't have a really good answer, shut down their connection until they clean up their PC.

    6. Re:Take 'em offline by Grishnakh · · Score: 4, Insightful

      What the heck is a "phone line"? Is that one of those things they used to have back in the 70s and 80s where your phone was connected to the wall? How quaint.

    7. Re:Take 'em offline by unity · · Score: 3, Insightful

      Well that won't work, the ISPs might disable the botnets run by govt contractors.

    8. Re:Take 'em offline by hairyfeet · · Score: 3, Insightful

      There is a BIG difference between you running an SMTP server, even if you send out a daily newsletter to a couple of hundred folks, and a spambot cranking out several hundred thousand emails an hour. Not to mention most ISPs have it in their TOS that if you want to run a server you need to be on a business line anyway, so in either case the ISP has reason to dump you.

      As for TFA as a guy who actually fixes the thing for a living it used to be you could actually clean a machine, but not anymore. The rootkits, trojans, all the nasties have gotten so infectious it is pretty much nuke from orbit. Considering how big a bunch of cheap bastards the OEMs are and how everyone ends up with "restore partitions" instead of actual discs I'm just waiting on a bug that infects the restore partitions first thing. Personally that would give me a big happy as it might force the OEMs to actually hand over a disc once in awhile.

      As for it being "indestructible" where have they been? The nasties have been getting sneaky as hell for the past couple of years. Ultimately unless as another poster said they are using them as Bitcoin miners they are gonna HAVE to use the infected person's bandwidth and THAT is where you'll catch them.

      The only thing that worries me about bugs like this using encryption is a friend that works state crime lab says more and more CP pushers are using infected machines as file dumps. With all this encryption it wouldn't surprise me if whomever cooked this up ends up renting out space to the CP scum. Having your door kicked in by the FBI because some fed traced a CP download back to your machine? Not a nice way to spend a weekend I think.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Invisible? by blair1q · · Score: 4, Insightful

    Putting the thing in the MBR just means you can't intercept it during boot.

    It doesn't for a second mean it's invisible.

    1. Re:Invisible? by vux984 · · Score: 3, Insightful

      It can become pretty well invisible to the infected host system though.

      A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.

      Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

  3. Chinese Justice by msobkow · · Score: 1, Insightful

    Collect botnet creators. Apply one bullet to head. In public.

    Repeat.

    Nothing else will stop the leeches.

    --
    I do not fail; I succeed at finding out what does not work.
  4. Re:What I want to know is ... by Anonymous Coward · · Score: 0, Insightful

    "per the usual", eh? Cocky much?

    Take a moment to cogitate on where the "root" in rootkit comes from.

  5. Command and Control by Fractal+Dice · · Score: 3, Insightful

    Isn't command and control the antithesis of indestructability? Any software that can be patched can be destroyed.

  6. Re:Here's an idea by jmorris42 · · Score: 3, Insightful

    > What if someone wrote malware that would run a VM from the boot sector, and
    > then ran your existing OS from the VM?

    You would notice when your 3D performance began to suck ass. And when either all of your devices became virtual ones or all other performance (net, disk, etc) also began to suck ass. Unless you assume a genius who can create a VM environment that works perfectly transparently, has almost zero overhead and otherwise breaks major new ground in the science; and that they waste their time on a virus instead of kicking VMWare, RedHat, QEMU, etcs ass and seizing a multi-billion dollar red hot market segment.

    --
    Democrat delenda est
  7. Re:Not impossible by fluffy99 · · Score: 5, Insightful

    I work at a computer repair shop.

    We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

    Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.

  8. Re:Not impossible by toygeek · · Score: 3, Insightful

    I do the same kind of work that AC does, and he's right. Its not impossible. Also, I'd like to introduce you to the Real World(TM) where wiping a machine at the drop of the hat isn't always an option.

    --
    Nobodies Prefect
    Tidbits for Techs Technology Blog
  9. Re:Not impossible by Anonymous Coward · · Score: 2, Insightful

    I would still nuke it from orbit, and the reason is very very simple: after a machine has been infected in the wild, you must treat it as untrusted. You must treat all accounts you've ever accessed with it as compromised. You don't know what it might have downloaded in the background. You don't know if they've already keylogged you or stolen other data. You don't know what new capabilities might have come out in the last 24 hours. There are entirely too many unknowns. I know security companies will tell you otherwise, but they have a product to sell. If people stopped believing their product was 100% effective and instead resorted to formatting (which IS 100% effective when done properly) then they'd be out of business. Of COURSE they say you can keep using your system afterwards.

    For me, "cleaning" a virus out is merely a way to get access to files in preparation for a format. I will NOT simply "fix" a virus infection for anyone these days, knowing that they could remain quietly compromised and later fall victim to identity theft or worse. It's just not worth chancing it.

    ALWAYS nuke an infected system after recovering uninfected data files from it. Without exception.