Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Botnet "Indestructible," Say Researchers

Posted by samzenpus on from the +1-or-better-update-to-hit dept.

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

33 of 583 comments (clear)

  1. Take 'em offline by jnpcl · · Score: 3, Insightful

    Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

    1. Re:Take 'em offline by Shikaku · · Score: 5, Insightful

      From TFS:

      What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      "What about the volume?" Encrypted Bittorrent.

    2. Re:Take 'em offline by realityimpaired · · Score: 5, Informative

      Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

      Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

    3. Re:Take 'em offline by the_bard17 · · Score: 4, Interesting

      Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

      The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

      It seems the T&C is being used as a catch all for all the other shady business telecom's are pushing down our tubes... may as well as use it for a bit of good, too.

    4. Re:Take 'em offline by vux984 · · Score: 4, Informative

      I'm with you on the use of netcat etc.

      I assume they build honey pot systems, setup with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.

      it's fairly trivial to estimate how many clients are connected to it.

      That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.

      To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.

      Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few coop agreements, and ISPs could swap lists of infected systems from eachothers networks easily enough as well.

    5. Re:Take 'em offline by geekmux · · Score: 3, Insightful

      Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

      And as this particular one operates, good luck discerning a valid encrypted connection from a invalid/infected one.

      The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

      Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.

    6. Re:Take 'em offline by interkin3tic · · Score: 3, Funny

      The only long term solution is to infect the infected with something that low level formats their HDD.

      That's not true, there are plenty of long term solutions. We got -plenty- of nukes.

    7. Re:Take 'em offline by Grishnakh · · Score: 4, Insightful

      What the heck is a "phone line"? Is that one of those things they used to have back in the 70s and 80s where your phone was connected to the wall? How quaint.

    8. Re:Take 'em offline by unity · · Score: 3, Insightful

      Well that won't work, the ISPs might disable the botnets run by govt contractors.

    9. Re:Take 'em offline by jimicus · · Score: 3, Informative

      So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

      The answer is you can't tell, and neither can the ISP.

      Not strictly true, actually. IIRC it's already been shown that while SSL hides the content of the connection, it does a lousy job at hiding the protocol/likely payload; you can generally deduce this with remarkable accuracy by looking at the patterns the traffic follows.

      For instance: Voice will have a more-or-less constant stream of small packets going in both directions, an interactive HTTP session will have bursts of data with packets of varying size in both directions, the total amount downloaded in each burst being up to a few hundred K at a time, a file being downloaded over HTTP will have a number of large packets in one direction and a constant stream of much smaller packets going in the other direction. It's a bit more sophisticated than this but AIUI that's the general gist.

      It isn't 100% accurate, but for most practical purposes it's close enough.

    10. Re:Take 'em offline by hairyfeet · · Score: 3, Insightful

      There is a BIG difference between you running an SMTP server, even if you send out a daily newsletter to a couple of hundred folks, and a spambot cranking out several hundred thousand emails an hour. Not to mention most ISPs have it in their TOS that if you want to run a server you need to be on a business line anyway, so in either case the ISP has reason to dump you.

      As for TFA as a guy who actually fixes the thing for a living it used to be you could actually clean a machine, but not anymore. The rootkits, trojans, all the nasties have gotten so infectious it is pretty much nuke from orbit. Considering how big a bunch of cheap bastards the OEMs are and how everyone ends up with "restore partitions" instead of actual discs I'm just waiting on a bug that infects the restore partitions first thing. Personally that would give me a big happy as it might force the OEMs to actually hand over a disc once in awhile.

      As for it being "indestructible" where have they been? The nasties have been getting sneaky as hell for the past couple of years. Ultimately unless as another poster said they are using them as Bitcoin miners they are gonna HAVE to use the infected person's bandwidth and THAT is where you'll catch them.

      The only thing that worries me about bugs like this using encryption is a friend that works state crime lab says more and more CP pushers are using infected machines as file dumps. With all this encryption it wouldn't surprise me if whomever cooked this up ends up renting out space to the CP scum. Having your door kicked in by the FBI because some fed traced a CP download back to your machine? Not a nice way to spend a weekend I think.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Invisible? by blair1q · · Score: 4, Insightful

    Putting the thing in the MBR just means you can't intercept it during boot.

    It doesn't for a second mean it's invisible.

    1. Re:Invisible? by vux984 · · Score: 3, Insightful

      It can become pretty well invisible to the infected host system though.

      A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.

      Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

    2. Re:Invisible? by schwit1 · · Score: 5, Informative

      http://download.bitdefender.com/rescue_cd/
      http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/

      Both of these update from the internet after booting up.

    3. Re:Invisible? by Z34107 · · Score: 4, Informative

      The safest way is nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.

      The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.

      Expert mode is make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)

      For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.

      Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).

      If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.

      --
      DATABASE WOW WOW
    4. Re:Invisible? by Spikeles · · Score: 3, Interesting

      TDSSKiller

      --
      I don't need to test my programs.. I have an error correcting modem.
    5. Re:Invisible? by Zaphod-AVA · · Score: 3, Informative

      That will make the MBR clean on the next boot, but it will reinfect the MBR once Windows loads as well.

    6. Re:Invisible? by cgenman · · Score: 4, Interesting

      Unfortunately, most people who are running a modern version of Windows are doing so because it came on the computer they bought it on. I say unfortunately, because I have yet to see a computer ship with anything but those damned useless "restore" DVD's. It can't fix your system, or perform routine maintenance tasks, or anything useful. And if you've make any alterations to your hardware setup, you can forget it.

      Shipping without an install disk for a paid for pre-installed OS that bundles lots of routine OS functionality on its install disk should be illegal. Or, rather, it should be legal to pass around copies of the install disk to everyone who has the OS.

      --
      The ______ Agenda
  3. Indestructible? by CokeBear · · Score: 5, Funny

    Sounds like a challenge...

    --
    Reality has a liberal bias
  4. GPL Violators! Get em! by Hatta · · Score: 5, Funny

    # When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used â" this means that the authors are in violation of a licensing agreement.

    Somehow I think that's the least of their concerns.

    --
    Give me Classic Slashdot or give me death!
  5. Command and Control by Fractal+Dice · · Score: 3, Insightful

    Isn't command and control the antithesis of indestructability? Any software that can be patched can be destroyed.

    1. Re:Command and Control by pclminion · · Score: 4, Interesting

      You can sign the patches and make it impossible to inject update packets straight into the botnet. A more plausible line of attack would be to find a traditional security vulnerability and exploit it.

  6. Not impossible by Anonymous Coward · · Score: 4, Interesting

    I work at a computer repair shop.

    We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

    1. Re:Not impossible by fluffy99 · · Score: 5, Insightful

      I work at a computer repair shop.

      We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

      Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.

    2. Re:Not impossible by toygeek · · Score: 3, Insightful

      I do the same kind of work that AC does, and he's right. Its not impossible. Also, I'd like to introduce you to the Real World(TM) where wiping a machine at the drop of the hat isn't always an option.

      --
      Nobodies Prefect
      Tidbits for Techs Technology Blog
  7. I knew this was going to happen by Omnifarious · · Score: 4, Interesting

    Curious Yellow was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.

    --
    Need a Python, C++, Unix, Linux develop
  8. P2P is also its weakness by Dachannien · · Score: 5, Interesting

    The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.

    Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.

  9. Re:GPL Violators! Get em! by gumbi+west · · Score: 4, Funny

    Think of how they get Al Capone. Noting would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.

    BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.

  10. Re:Lawsuit by Homr+Zodyssey · · Score: 3, Informative

    Time for a car analogy.

    If someone hot-wires my car, and then rams it into a police station, then I'm not liable. The car manufacturer is not liable. The police are not liable. As a matter of fact, its not even my fault if I left the doors unlocked and the engine running. The person responsible is the bastard that stole it and did the damage.

    These viruses and botnets are not spontaneous. They are not random acts of nature. They happen because of bad guys doing bad things. We should all take reasonable precautions, but we shouldn't be held liable for their actions.

  11. Detection and removal by Zaphod-AVA · · Score: 5, Informative

    When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

    To detect it, run the latest version of GMER.
    http://www.gmer.net/

    To remove it, you need to run a series of three scanners in this order:
    TDSSkiller
    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Combofix
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    and Malwarebytes' Antimalware
    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

    Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

    As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.

    -Z

  12. Try TDSS killer! by Falconhell · · Score: 3, Interesting

    I had a bit of trouble removing it with TDSS kiler a few weeks ago, but got there in about half an hour.

    If it wont run you will need the file association reset tool.

    http://support.kaspersky.com/downloads/utils/tdsskiller.zip

  13. Re:Here's an idea by jmorris42 · · Score: 3, Insightful

    > What if someone wrote malware that would run a VM from the boot sector, and
    > then ran your existing OS from the VM?

    You would notice when your 3D performance began to suck ass. And when either all of your devices became virtual ones or all other performance (net, disk, etc) also began to suck ass. Unless you assume a genius who can create a VM environment that works perfectly transparently, has almost zero overhead and otherwise breaks major new ground in the science; and that they waste their time on a virus instead of kicking VMWare, RedHat, QEMU, etcs ass and seizing a multi-billion dollar red hot market segment.

    --
    Democrat delenda est
  14. Re:general purpose computing is dead by drooling-dog · · Score: 3, Interesting

    If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.

    One thing that protects Linux, and that has little to do with the OS itself, is the FOSS ecosystem. Pretty much everything you could want is available for free from trusted repositories, and so there is little or no incentive to download and install warez or other pirated software that may have been tampered with. You would still be right, though, if being the dominant "OS for the masses" implies that a similar proprietary closed-source ecosystem would quickly arise around it.