Slashdot Mirror
Massive Botnet "Indestructible," Say Researchers
CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"
From TFS:
What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?
The answer is you can't tell, and neither can the ISP.
"What about the volume?" Encrypted Bittorrent.
Sounds like a challenge...
Reality has a liberal bias
Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.
Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.
Somehow I think that's the least of their concerns.
Give me Classic Slashdot or give me death!
http://download.bitdefender.com/rescue_cd/
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/
Both of these update from the internet after booting up.
The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.
Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.
When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.
To detect it, run the latest version of GMER.
http://www.gmer.net/
To remove it, you need to run a series of three scanners in this order:
TDSSkiller
http://support.kaspersky.com/viruses/solutions?qid=208280684
Combofix
http://www.bleepingcomputer.com/download/anti-virus/combofix
and Malwarebytes' Antimalware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1
Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.
As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.
-Z
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
Sure you got rid of the TDL-4, but what about all the other crap it downloaded? Seriously, if the computer got owned, you can't trust it anymore. You'd never be able to find all the little things like permissions changes and registry tweaks even if you got rid of the trojan's executables. Copy your data files off, scan them really well before introducing them elsewhere, and then reformat the disk. Nuking it from orbit is the only way to be sure.