Slashdot Mirror


Massive Botnet "Indestructible," Say Researchers

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

60 of 583 comments

  1. Take 'em offline by jnpcl · · Score: 3, Insightful

    Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

    1. Re:Take 'em offline by Shikaku · · Score: 5, Insightful

      From TFS:

      What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      "What about the volume?" Encrypted Bittorrent.

    2. Re:Take 'em offline by Joe+U · · Score: 2, Insightful

      The only long term solution is to infect the infected with something that low level formats their HDD.

      That will stop the problem.

      It's amazingly illegal though, so it's not happening anytime soon.

    3. Re:Take 'em offline by geekmux · · Score: 2

      Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

      Asking ISPs to stand in the firing line of legal liability? Uh...yeah. You'll stand a better chance in hell with a snowcone machine.

      And that answer isn't very easy when you're talking AT&T or Verizon cutting off entire hosted corporations.

    4. Re:Take 'em offline by garcia · · Score: 2

      geek, ATTBI (back in the 2001/2002 days) took infected computers off their network by disabling their cfg files. There's no legal liability there.

    5. Re:Take 'em offline by realityimpaired · · Score: 5, Informative

      Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

      Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

    6. Re:Take 'em offline by the_bard17 · · Score: 4, Interesting

      Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

      The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

      It seems the T&C is being used as a catch-all for all the other shady business telecoms are pushing down our tubes... may as well use it for a bit of good, too.

    7. Re:Take 'em offline by vux984 · · Score: 4, Informative

      I'm with you on the use of netcat etc.

      I assume they build honey pot systems, set up with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.

      it's fairly trivial to estimate how many clients are connected to it.

      That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.

      To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.

      Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few coop agreements, and ISPs could swap lists of infected systems from each other's networks easily enough as well.

    8. Re:Take 'em offline by geekmux · · Score: 3, Insightful

      Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

      And as this particular one operates, good luck discerning a valid encrypted connection from an invalid/infected one.

      The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

      Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.

    9. Re:Take 'em offline by countertrolling · · Score: 2

      Asking ISPs to stand in the firing line of legal liability?

      Not a problem.. The government can grant them immunity, like it did for the unwarranted wiretaps..

      --
      For justice, we must go to Don Corleone
    10. Re:Take 'em offline by LordLimecat · · Score: 2

      What an awful comparison. The people with infected computers are responsible for their computers, and it is their computers that are doing damage via spam etc. Disabling their accounts and requesting followup is in no way similar to:
      *throwing someone in prison
      *interrogating them
      *implementing a police state
      *freezing bank accounts

      It's perfectly reasonable, if a PC is causing damage to a network, to remove that PC from the network. Schools do it, business offices do it, and I'm sure government offices do it. That ISP has no obligation to cooperate with a botnet.

    11. Re:Take 'em offline by interkin3tic · · Score: 3, Funny

      The only long term solution is to infect the infected with something that low level formats their HDD.

      That's not true, there are plenty of long term solutions. We got -plenty- of nukes.

    12. Re:Take 'em offline by farseeker · · Score: 2, Insightful

      The third time, require a faxed copy of a receipt/invoice/statement from a third party

      Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine

    13. Re:Take 'em offline by DarwinSurvivor · · Score: 2

      Sorry, I am NOT going to attempt to eradicate a virus at someone's house if they have no internet. Makes error code lookups, update managing, etc nearly impossible. Sure you could download everything at your own house, then bring that with you, especially since after a re-install you need to run windows-update about 15 times!

      I do believe that infected computers need to be dropped off the net, but it is VERY difficult to fix the problem without the internet to begin with.

    14. Re:Take 'em offline by AvitarX · · Score: 2

      I bet getting rid of that type of customer saves money in support, not all customers are profitable, and the calls about my google hours to a different site probably cost money.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    15. Re:Take 'em offline by Grishnakh · · Score: 4, Insightful

      What the heck is a "phone line"? Is that one of those things they used to have back in the 70s and 80s where your phone was connected to the wall? How quaint.

    16. Re:Take 'em offline by unity · · Score: 3, Insightful

      Well that won't work, the ISPs might disable the botnets run by govt contractors.

    17. Re:Take 'em offline by DigiShaman · · Score: 2

      No, an EMP will not zero out the drive platters, but it will induce enough current to fry the gates in microchips. That includes RAM, ROM, controller, etc. So data can be recovered as long as you replace the fried controller board.

      SSDs on the other hand...toast. Toss it. It's deadweight.

      --
      Life is not for the lazy.
    18. Re:Take 'em offline by jimicus · · Score: 3, Informative

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      Not strictly true, actually. IIRC it's already been shown that while SSL hides the content of the connection, it does a lousy job at hiding the protocol/likely payload; you can generally deduce this with remarkable accuracy by looking at the patterns the traffic follows.

      For instance: Voice will have a more-or-less constant stream of small packets going in both directions, an interactive HTTP session will have bursts of data with packets of varying size in both directions, the total amount downloaded in each burst being up to a few hundred K at a time, a file being downloaded over HTTP will have a number of large packets in one direction and a constant stream of much smaller packets going in the other direction. It's a bit more sophisticated than this but AIUI that's the general gist.

      It isn't 100% accurate, but for most practical purposes it's close enough.
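The traffic-shape heuristic jimicus describes, as an added example that is not part of the original thread: a small Python classifier that looks only at packet sizes and directions (never at content) and sorts a flow into the three shapes named above, "voice", "bulk-transfer" and "interactive-web", or "unknown". The thresholds and the three flows are constructed for illustration, not measured from real captures.

```python
import statistics
from typing import List, Tuple

# A flow is a list of (direction, payload_size) tuples as a passive observer
# would see them; direction is "up" (client to server) or "down".
Packet = Tuple[str, int]


def _stats(sizes: List[int]) -> Tuple[float, float, int]:
    """Mean size, coefficient of variation and total bytes for one direction."""
    if not sizes:
        return 0.0, 0.0, 0
    mean = statistics.fmean(sizes)
    cv = statistics.pstdev(sizes) / mean if mean else 0.0
    return mean, cv, sum(sizes)


def classify_flow(flow: List[Packet]) -> str:
    """Guess the application type from packet sizes and directions only.

    The thresholds are heuristics chosen for this example, not measured
    constants; the rules follow the three shapes described in the post.
    """
    up = [size for d, size in flow if d == "up"]
    down = [size for d, size in flow if d == "down"]
    up_mean, up_cv, up_bytes = _stats(up)
    down_mean, down_cv, down_bytes = _stats(down)
    total = up_bytes + down_bytes
    if total == 0:
        return "unknown"
    down_share = down_bytes / total

    # Voice: small, nearly constant packets flowing steadily both ways.
    if (up_mean < 300 and down_mean < 300 and up_cv < 0.25 and down_cv < 0.25
            and 0.35 <= down_share <= 0.65):
        return "voice"
    # Bulk transfer: full-size segments one way, tiny ACKs the other way.
    if ((down_mean > 1000 and up_mean < 120 and down_share > 0.9)
            or (up_mean > 1000 and down_mean < 120 and down_share < 0.1)):
        return "bulk-transfer"
    # Interactive web: bursts of widely varying sizes in both directions.
    if up_cv > 0.5 and down_cv > 0.5:
        return "interactive-web"
    return "unknown"


def sample_flows() -> dict:
    """Constructed flows standing in for captures; sizes are illustrative."""
    voice = [pkt for _ in range(50)
             for pkt in (("up", 160), ("down", 164), ("up", 156), ("down", 160))]
    download = [("down", 1460)] * 100 + [("up", 52)] * 40
    web = ([("up", s) for s in (520, 680, 430, 1200, 90, 750)]
           + [("down", s) for s in (1460, 1460, 300, 1460, 850, 120, 60, 1460, 1000)])
    return {"voice": voice, "download": download, "web": web}


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(f"{name:>8}: {classify_flow(flow)}")
```

The point of the example is the one jimicus makes: an encrypted payload hides what is said, not the rhythm of the conversation, and an ISP can build a coarse picture from size and timing statistics alone. Real classifiers add inter-arrival timing and burst structure; this one deliberately stops at the three rules the post states.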

    19. Re:Take 'em offline by hairyfeet · · Score: 3, Insightful

      There is a BIG difference between you running an SMTP server, even if you send out a daily newsletter to a couple of hundred folks, and a spambot cranking out several hundred thousand emails an hour. Not to mention most ISPs have it in their TOS that if you want to run a server you need to be on a business line anyway, so in either case the ISP has reason to dump you.

      As for TFA as a guy who actually fixes the thing for a living it used to be you could actually clean a machine, but not anymore. The rootkits, trojans, all the nasties have gotten so infectious it is pretty much nuke from orbit. Considering how big a bunch of cheap bastards the OEMs are and how everyone ends up with "restore partitions" instead of actual discs I'm just waiting on a bug that infects the restore partitions first thing. Personally that would give me a big happy as it might force the OEMs to actually hand over a disc once in a while.

      As for it being "indestructible" where have they been? The nasties have been getting sneaky as hell for the past couple of years. Ultimately unless as another poster said they are using them as Bitcoin miners they are gonna HAVE to use the infected person's bandwidth and THAT is where you'll catch them.

      The only thing that worries me about bugs like this using encryption is a friend that works state crime lab says more and more CP pushers are using infected machines as file dumps. With all this encryption it wouldn't surprise me if whoever cooked this up ends up renting out space to the CP scum. Having your door kicked in by the FBI because some fed traced a CP download back to your machine? Not a nice way to spend a weekend I think.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    20. Re:Take 'em offline by snemarch · · Score: 2

      Making the MBR invisible to the OS isn't BS, once the rootkit has loaded it will intercept disk access and return filtered data.

      Won't be able to do that with a (clean) boot-from-cd/usb OS or tool of course, but that's a different story.

      --
      Coffee-driven development.
    21. Re:Take 'em offline by KnownIssues · · Score: 2

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file? The answer is you can't tell, and neither can the ISP.

      Simple solution... don't allow encrypted traffic. If you're not doing anything wrong, you don't have anything to hide.

      And no, I'm not being serious.

    22. Re:Take 'em offline by justsayin · · Score: 2

      Good comments, I am with you on most of them. I do occasionally get an actual OS CD from the OEM. Just to freshen up my stock. I totally understand why they went the embedded partition for a system restore. It makes it awfully handy to put the laptop/PC back like it was when it left the factory. Users usually lose the OS CDs or DVDs anyway. I also cringe every time I do a system restore with that embedded or hidden partition because just like you said, it's the first place I would put a virus if I knew how to write one. :)

      I just opt to pay Dell or whichever OEM a little more money and they include the installation media. I remember way back when they started calling it media. I figured they were just setting us up for another charge so they could maximize their profits.

      I wonder if this botnet survives a good DBAN? I use that tool if I even think the hardware was rooted. 3 Cheers for Darik! Huzzah, Huzzah, Huzzah.

  2. Invisible? by blair1q · · Score: 4, Insightful

    Putting the thing in the MBR just means you can't intercept it during boot.

    It doesn't for a second mean it's invisible.

    1. Re:Invisible? by vux984 · · Score: 3, Insightful

      It can become pretty well invisible to the infected host system though.

      A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.

      Speaking of which... what are people recommending for actually dealing with this sort of stuff...?
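The offline MBR check vux984 suggests, as an added example that is not part of the original thread: record a SHA-256 of the boot-code region of a known-good MBR, then later read the first sector again and compare. The boot code (first 446 bytes) is hashed separately from the partition table, because the table can change legitimately while the boot code should not. As snemarch notes further down, this only means something when run from clean boot media, since a running rootkit filters what the live OS sees when it reads the disk. The sample sector is constructed in `build_sample_mbr()`; `read_mbr()` is the only part that touches a real device.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOTCODE_LEN = 446            # bytes 0..445: boot loader code
PART_TABLE_OFF = 446          # 4 x 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image (from trusted media)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four classic MBR partition slots, skipping empty ones."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(bool(status & 0x80), type_id, lba, count))
    return entries


def bootcode_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; store this while the machine is known good."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> dict:
    """Compare a freshly read sector against the recorded boot-code digest."""
    if len(mbr) < SECTOR:
        raise ValueError(f"need at least {SECTOR} bytes, got {len(mbr)}")
    mbr = mbr[:SECTOR]
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "bootcode_match": bootcode_digest(mbr) == baseline_digest,
        "partitions": parse_partition_table(mbr),
    }


def build_sample_mbr() -> bytes:
    """Constructed sector: NOP-filled boot code and one NTFS-type partition."""
    bootcode = b"\x90" * BOOTCODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 409600)
    return bootcode + entry + b"\x00" * 48 + MBR_SIGNATURE


def demo():
    """Baseline a clean sector, then re-check a copy with one boot-code byte altered."""
    clean = build_sample_mbr()
    baseline = bootcode_digest(clean)
    tampered = bytearray(clean)
    tampered[100] ^= 0xFF          # constructed change inside the boot code only
    return check_mbr(clean, baseline), check_mbr(bytes(tampered), baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean:   ", before["bootcode_match"], before["partitions"])
    print("tampered:", after["bootcode_match"], after["partitions"])
```

On a real machine the baseline would be taken right after a trusted install (`bootcode_digest(read_mbr("/dev/sda"))` from a live CD on Linux, for example) and kept off the disk being checked. A mismatch says only that the boot code changed; a legitimate bootloader update changes it too, so the result is a prompt to look, not a verdict.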

    2. Re:Invisible? by korgitser · · Score: 2

      Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

      Isn't it obvious? The next version of Kaspersky of course!

      --
      FCKGW 09F9 42
    3. Re:Invisible? by schwit1 · · Score: 5, Informative
    4. Re:Invisible? by Z34107 · · Score: 4, Informative

      The safest way is nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.

      The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.

      Expert mode is make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)

      For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.

      Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).

      If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.

      --
      DATABASE WOW WOW
    5. Re:Invisible? by Spikeles · · Score: 3, Interesting
      --
      I don't need to test my programs.. I have an error correcting modem.
    6. Re:Invisible? by Zaphod-AVA · · Score: 3, Informative

      That will make the MBR clean on the next boot, but it will reinfect the MBR once Windows loads as well.

    7. Re:Invisible? by cgenman · · Score: 4, Interesting

      Unfortunately, most people who are running a modern version of Windows are doing so because it came on the computer they bought it on. I say unfortunately, because I have yet to see a computer ship with anything but those damned useless "restore" DVDs. It can't fix your system, or perform routine maintenance tasks, or anything useful. And if you've made any alterations to your hardware setup, you can forget it.

      Shipping without an install disk for a paid-for pre-installed OS that bundles lots of routine OS functionality on its install disk should be illegal. Or, rather, it should be legal to pass around copies of the install disk to everyone who has the OS.

    8. Re:Invisible? by The+Breeze · · Score: 2

      Thank you. I read the whole article wondering, "how can these over-sensationalistic idiot writers spend half the article talking about TDL4 and interviewing Kaspersky employees, and yet not bother to mention the very excellent, and very free, TDSSKILLER tool from Kaspersky that kills TDL4 dead?" If I was one of the Kaspersky guys interviewed, I'd be pissed.

  3. Modified MBR Detection? by Anonymous Coward · · Score: 2, Interesting

    Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?

    1. Re:Modified MBR Detection? by mlts · · Score: 2

      This is one reason why a TPM chip is a useful tool. It is present, but disabled in most servers.

      Enable BitLocker, make sure to save the recovery key somewhere safe (preferably printing it out as well), have it use the MBR, and call it done.

      If malware nails the MBR after BitLocker gets turned on, the machine will not boot. One can use Windows PE, mount the system volume with the recovery key, and squash the malicious software that way.

    2. Re:Modified MBR Detection? by lennier · · Score: 2

      If you load before the OS, then you can load as the host, and run the 'real' OS as a guest operating system. You can then intercept all calls to the hardware. (kind of like how VMware can sit under windows, and tell it that it has an LSI SCSI drive, when it doesn't.) Instead of reporting the real MBR, you can tell the guest operating system that the MBR is exactly what it expects.

      What if you boot off the CD-ROM created by your favourite virus scanner which bypasses Windows and the hard disk and the MBR entirely?

      Kids these days do know that nothing on the hard disk has ever been trustworthy once you have the slightest suspicion of any kind of malware, and that you always boot right off trusted read-only media as soon as you even think of running a remedial anti-malware tool, right? And that this is not some new 2011 thing but was always the case, because MBR infectors were the first kind of virus that came out? You all remember that, right?

      right?

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  4. Indestructible? by CokeBear · · Score: 5, Funny

    Sounds like a challenge...

    --
    Reality has a liberal bias
  5. What I want to know is ... by DrJimbo · · Score: 2, Funny

    Does it run Linux?

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  6. GPL Violators! Get em! by Hatta · · Score: 5, Funny

    When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used; this means that the authors are in violation of a licensing agreement.

    Somehow I think that's the least of their concerns.

    --
    Give me Classic Slashdot or give me death!
  7. Here's an idea by MrEricSir · · Score: 2

    What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.

    --
    There's no -1 for "I don't get it."
    1. Re:Here's an idea by rtaylor · · Score: 2

      Ahh, but can you detect the successful intrusions?

      Most windows users can also look at their logs (assuming they keep such things) and view a large number of failed attempts. Of course, there are also a handful of successful ones.

      Yes, I know OpenBSD is very secure, particularly for root access; user accounts not so much if the user will run anything they download. More than half of OpenBSD's security is that security conscious people select that operating system.

      --
      Rod Taylor
    2. Re:Here's an idea by jmorris42 · · Score: 3, Insightful

      > What if someone wrote malware that would run a VM from the boot sector, and
      > then ran your existing OS from the VM?

      You would notice when your 3D performance began to suck ass. And when either all of your devices became virtual ones or all other performance (net, disk, etc) also began to suck ass. Unless you assume a genius who can create a VM environment that works perfectly transparently, has almost zero overhead and otherwise breaks major new ground in the science; and that they waste their time on a virus instead of kicking VMWare, RedHat, QEMU, etc.'s ass and seizing a multi-billion dollar red hot market segment.

      --
      Democrat delenda est
    3. Re:Here's an idea by AmiMoJo · · Score: 2

      You would notice when your 3D performance began to suck ass.

      Wrong. A virus only needs to virtualise the CPU and memory, it can leave hardware directly accessible.

      A VM runs code natively on the CPU and remaps or intercepts access to memory. How far you take that is up to you. Some viruses install a driver that gets loaded early in the Windows boot sequence and uses the MMU to intercept access to memory locations that would allow it to be detected and removed by anti-virus software.

      This botnet virus does the same thing but sets up the MMU in the boot block rather than via a driver so it is even more difficult to detect. Any anti-virus software that tries to read the boot block is directed to a clean copy, and the same is done for all the Windows data structures that might show the virus up. Even file system access is intercepted, and I think the FS itself must be corrupted somehow because even attaching the drive to a non-infected Windows machine won't allow you to see the files in some cases. Linux can see and remove them fine, with the added bonus that the NTFS driver ignores permissions so you don't even need to take ownership etc.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Nothing new by Billly+Gates · · Score: 2, Interesting

    In 2004 my cousin had malware that hid in the partition table and even a fresh format and windows reinstall could get rid of it. Only a good dos fdisk that deleted the table with a format and reinstallation. Today evil malware can hide in both the shadow volumes of restore points to reinstall themselves and avoid detection and also system recovery partitions so a fresh os reinstallation will reinstall the malware. Fun times

  9. Command and Control by Fractal+Dice · · Score: 3, Insightful

    Isn't command and control the antithesis of indestructibility? Any software that can be patched can be destroyed.

    1. Re:Command and Control by pclminion · · Score: 4, Interesting

      You can sign the patches and make it impossible to inject update packets straight into the botnet. A more plausible line of attack would be to find a traditional security vulnerability and exploit it.

  10. Not impossible by Anonymous Coward · · Score: 4, Interesting

    I work at a computer repair shop.

    We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

    1. Re:Not impossible by fluffy99 · · Score: 5, Insightful

      I work at a computer repair shop.

      We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

      Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.

    2. Re:Not impossible by toygeek · · Score: 3, Insightful

      I do the same kind of work that AC does, and he's right. It's not impossible. Also, I'd like to introduce you to the Real World(TM) where wiping a machine at the drop of a hat isn't always an option.

    3. Re:Not impossible by Anonymous Coward · · Score: 2, Insightful

      I would still nuke it from orbit, and the reason is very very simple: after a machine has been infected in the wild, you must treat it as untrusted. You must treat all accounts you've ever accessed with it as compromised. You don't know what it might have downloaded in the background. You don't know if they've already keylogged you or stolen other data. You don't know what new capabilities might have come out in the last 24 hours. There are entirely too many unknowns. I know security companies will tell you otherwise, but they have a product to sell. If people stopped believing their product was 100% effective and instead resorted to formatting (which IS 100% effective when done properly) then they'd be out of business. Of COURSE they say you can keep using your system afterwards.

      For me, "cleaning" a virus out is merely a way to get access to files in preparation for a format. I will NOT simply "fix" a virus infection for anyone these days, knowing that they could remain quietly compromised and later fall victim to identity theft or worse. It's just not worth chancing it.

      ALWAYS nuke an infected system after recovering uninfected data files from it. Without exception.

    4. Re:Not impossible by Timmmm · · Score: 2

      They meant the *botnet* is indestructible. You just killed one of four million nodes.

  11. I knew this was going to happen by Omnifarious · · Score: 4, Interesting

    Curious Yellow was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.

  12. P2P is also its weakness by Dachannien · · Score: 5, Interesting

    The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.

    Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.
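The peer-list handling that vux984 (upthread) and Dachannien both describe, as an added example that is not part of the original thread: take the peer addresses a honeypot node has observed, collapse duplicates, drop anything that cannot be attributed to an operator (the honeypot's own LAN, loopback, multicast), and produce one sorted list per operator for notification or disconnection. The prefix-to-operator table is constructed from RFC 5737 documentation ranges standing in for real allocations; in practice it would come from WHOIS or routing data. Names such as `build_notification_lists` are this example's own.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed prefix table: documentation ranges playing the role of ISP
# allocations. A real table would be derived from WHOIS/BGP data.
PREFIX_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "isp-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "isp-b"),
]

# Ranges that can never identify a remote operator. The stdlib is_global flag
# is not used because it also excludes the documentation ranges used above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
)]

SAMPLE_PEERS = [  # constructed: what honeypots on two networks reported
    "192.0.2.10", "192.0.2.77", "192.0.2.10",      # isp-a, one duplicate
    "198.51.100.5",                                # isp-b
    "203.0.113.200",                               # routable but not in the table
    "10.0.0.4",                                    # honeypot's own LAN, dropped
    "not-an-ip",                                   # garbage line, skipped
]


def is_routable(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in NON_ROUTABLE)


def operator_for(addr: ipaddress.IPv4Address, table=PREFIX_TABLE) -> str:
    """Longest-prefix match of an address against the operator table."""
    best, best_len = "unmapped", -1
    for net, name in table:
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def build_notification_lists(observed_peers: Iterable[str],
                             table=PREFIX_TABLE) -> Dict[str, object]:
    """Turn raw peer addresses seen by a honeypot into per-operator lists.

    Duplicates collapse, unparsable strings are counted and skipped, and
    non-routable addresses are counted and dropped.
    """
    per_operator: Dict[str, set] = defaultdict(set)
    skipped = dropped = 0
    for raw in observed_peers:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped += 1
            continue
        if not is_routable(addr):
            dropped += 1
            continue
        per_operator[operator_for(addr, table)].add(addr)
    return {
        "lists": {op: [str(a) for a in sorted(addrs)]
                  for op, addrs in per_operator.items()},
        "skipped_unparsable": skipped,
        "dropped_non_routable": dropped,
    }


if __name__ == "__main__":
    report = build_notification_lists(SAMPLE_PEERS)
    for operator, addrs in sorted(report["lists"].items()):
        print(f"{operator}: {', '.join(addrs)}")
    print("skipped:", report["skipped_unparsable"], "dropped:", report["dropped_non_routable"])
```

The "unmapped" bucket is the part worth keeping an eye on: addresses that are routable but belong to no operator you have an agreement with are exactly the ones Dachannien's strategy has no lever for, so the size of that list is a direct measure of how far the ISP-swap approach reaches.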

  13. Re:GPL Violators! Get em! by gumbi+west · · Score: 4, Funny

    Think of how they got Al Capone. Nothing would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.

    BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.

  14. Re:Lawsuit by Homr+Zodyssey · · Score: 3, Informative

    Time for a car analogy.

    If someone hot-wires my car, and then rams it into a police station, then I'm not liable. The car manufacturer is not liable. The police are not liable. As a matter of fact, it's not even my fault if I left the doors unlocked and the engine running. The person responsible is the bastard that stole it and did the damage.

    These viruses and botnets are not spontaneous. They are not random acts of nature. They happen because of bad guys doing bad things. We should all take reasonable precautions, but we shouldn't be held liable for their actions.

  15. Detection and removal by Zaphod-AVA · · Score: 5, Informative

    When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

    To detect it, run the latest version of GMER.
    http://www.gmer.net/

    To remove it, you need to run a series of three scanners in this order:
    TDSSkiller
    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Combofix
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    and Malwarebytes' Antimalware
    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

    Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

    As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my clients' systems because I was convinced there were unknown Flash exploits.

    -Z

  16. Try TDSS killer! by Falconhell · · Score: 3, Interesting

    I had a bit of trouble removing it with TDSS killer a few weeks ago, but got there in about half an hour.

    If it won't run you will need the file association reset tool.

    http://support.kaspersky.com/downloads/utils/tdsskiller.zip

  17. Re:general purpose computing is dead by drooling-dog · · Score: 3, Interesting

    If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.

    One thing that protects Linux, and that has little to do with the OS itself, is the FOSS ecosystem. Pretty much everything you could want is available for free from trusted repositories, and so there is little or no incentive to download and install warez or other pirated software that may have been tampered with. You would still be right, though, if being the dominant "OS for the masses" implies that a similar proprietary closed-source ecosystem would quickly arise around it.

  18. Re:Lawsuit by mevets · · Score: 2

    I don't know how the post-XP world of malware attraction works. At least in the XP-and-before world, the major goal wasn't your data. The windows kernel put a user modifiable, and kernel-used data structure in place. In this situation, anything that could manipulate the user space could manipulate the kernel space, thus spread itself in addition to stealing all of your data.

    This is what is so disingenuous about the 'we are the target because so many people run us' crap. W/(95,98,2000,NT,XP) were the target because it was so easy that anybody could do it.

    The real question is whether Vista/7/8 has abandoned this brain damaged VMS inspired model, or is just waiting for the malware bomb to hit.

  19. Windows security is a game by gottabeme · · Score: 2

    You write like Steve Gibson on meth. Hey, you are an AC...

    Sounds like you have a lot of fun maintaining your defenses. I remember keeping up with that sort of thing back in the day. Then in 2003 I switched to Debian and haven't had to worry about malware since.

    I'm amazed by the time and effort people spend to defend against malware when the best solution is so obvious. "You can lead a horse to water..."

    Maybe the problem is that some people enjoy "the game" so much that they wouldn't know what to do if they stopped playing.

    --
    "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
  20. They must be used for something... by SanityInAnarchy · · Score: 2

    Unless it's a massive bitcoin mining operation or some actual spyware of the sort which steals credit card data, there's not a lot I can think of that they would want those machines for which would be able to work with entirely encrypted communication. In particular, if they're spam zombies, the flood of email should be a clue.

    Then again, there is the problem of knowing that a given attack was a DDoS, and knowing whether a given machine which participated in that attack was a botnet zombie or a legitimate user with bad timing.

    Still, if there's a way to single these machines out, I agree with the original poster -- join a botnet, get disconnected.

    --
    Don't thank God, thank a doctor!