Slashdot Mirror


Most Sophisticated Rootkit Getting an Overhaul

jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."

104 comments

  1. Sony called... by seanvaandering · · Score: 1, Funny

    ... please return their call ASAP. They did not leave a message.

    1. Re:Sony called... by sycodon · · Score: 1

      I keep imagining mobs of computer users running down these "creators", much like Qaddafi was, and putting bullets in their heads.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    2. Re:Sony called... by Luckyo · · Score: 1

      I keep imagining these botnet creators hacking reaper drones to put high explosive missiles into huge mobs of computer users.

      Yeah, I was playing orcs must die a moment ago. Connect the dots.

    3. Re:Sony called... by Hyperhaplo · · Score: 2

      Sony are going to sue them for... copyright infringement? source code theft? business 'opportunity' theft? corporate impersonation? theft of corporate strategy?

      --
      You have a sick, twisted mind. Please subscribe me to your newsletter.
  2. Next up, antimalware built into boot sectors. by Zoson · · Score: 2

    Naturally, we'll just make a boot sector with virus protection code that loads before anything else.

    Yo Dog, I heard you like bootsectors. So I put a bootsector in your bootsector, so you can boot, while you reboot!

    1. Re:Next up, antimalware built into boot sectors. by Hentes · · Score: 2

      Giving the antivirus even more rights is a losing battle, especially with the number of fake antiviruses. What an AV can do, a virus will be developed to do as well. The way to defend against it is to boot the AV from CD, there are some that offer that.

    2. Re:Next up, antimalware built into boot sectors. by bioteq · · Score: 2

      Or, you know, disable the ability to write to the boot sector / partition table without specialized permission.

      One time toggle in the bios means you can write to partition table on next boot. Want to write to it again? Toggle it in bios again.

      Also, why can we write to the partition table and bootsector from userland again?

    3. Re:Next up, antimalware built into boot sectors. by DeadCatX2 · · Score: 3, Interesting

      For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.

      --
      :(){ :|:& };:
    4. Re:Next up, antimalware built into boot sectors. by bioteq · · Score: 3, Interesting

      I'm all for a physical switch.

      Most of my customers would not be, however.

      Then again, I see writing to the partition table / boot sector as on the same level as flashing firmware; it should only be done when absolutely needed and by someone who knows what they're doing and quite qualified. Which would put me rooting for a physical switch even more (I'd have less customers, though).

      But the question still begs: Why are we allowed to write to this stuff from userland? Even with admin / root privs?

    5. Re:Next up, antimalware built into boot sectors. by Hentes · · Score: 1

      Also, why can we write to the partition table and bootsector from userland again?

      Most BIOSes don't offer a partitioning software so you have to use third party ones.

      But giving a one-time permission is a good idea.

    6. Re:Next up, antimalware built into boot sectors. by jimicus · · Score: 1

      We had MBR protection years ago and I believe it's still in most BIOSes. But IIRC it only works if you try writing to the MBR using BIOS routines - which no modern operating system does.

    7. Re:Next up, antimalware built into boot sectors. by DeadCatX2 · · Score: 2

      We still have to open the case to clear CMOS. But you're right, this kinda thing would irritate customers (although it may even create more business for you, since they would need technical assistance when rewriting boot sectors).

      And you're also right, you shouldn't be able to write to this stuff from userland. However, malware is pretty good at gaining control of kernelland as well. A userland ban just adds another layer to their payload.

      Requiring physical access is likely to be the only real solution that cannot be compromised remotely.

      --
      :(){ :|:& };:
    8. Re:Next up, antimalware built into boot sectors. by Dutch+Gun · · Score: 1

      Aren't Microsoft/others working on a solution to prevent modification of the boot sector - essentially, the OS won't boot unless it's properly signed (trusted platform module)? Or is that something different?

      --
      Irony: Agile development has too much inertia to be abandoned now.
    9. Re:Next up, antimalware built into boot sectors. by TubeSteak · · Score: 1

      For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.

      There are still more than enough users that can be social engineered into flipping that switch.

      --
      [Fuck Beta]
      o0t!
    10. Re:Next up, antimalware built into boot sectors. by fuzzyfuzzyfungus · · Score: 4, Informative

      This is picking a nit with the examples, rather than the concept; but both floppies and SD cards have a physical switch in only the loosest sense of the term:

      Floppies have no internal logic capable of acting on the switch state, it is entirely up to the floppy drive to sense and obey. SD cards do have an internal controller, and could theoretically enforce write-blocking on themselves; but they don't. Their switch is also just a little plastic tab, and it is entirely up to the reader to sense and obey the tab position. The card's PCB has no connection at all to the switch, and has no way of sensing its position...

    11. Re:Next up, antimalware built into boot sectors. by V!NCENT · · Score: 1

      Of course it can be based on software, if the OS requires the entire boot sector to be filled to the very last bit with necessary boot logic.

      Overwriting even one bit will make the entire OS unbootable, and with it the rootkit unrunnable.

      --
      Here be signatures
    12. Re:Next up, antimalware built into boot sectors. by V!NCENT · · Score: 1

      But not me, which is the point.

      Just make sure you're not the low-hanging fruit

      --
      Here be signatures
    13. Re:Next up, antimalware built into boot sectors. by capnkr · · Score: 1

      About 50% of my business is dealing with the far-end of end users; the ones who have never even heard the term "boot sector", and who if you happen to use that word, begin getting glazed over eyes and looking up at passing birds, or with a smirk on their face, ask if that is where the Klingons come from... They've never seen the "inside of their CPU", yet are exactly the people who would be protected most by such a switch. I think it is an excellent idea, and would bet that it is likely both cheap and easy to implement.

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    14. Re:Next up, antimalware built into boot sectors. by GuldKalle · · Score: 1

      Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS? And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?

      --
      What?
    15. Re:Next up, antimalware built into boot sectors. by maxwells_deamon · · Score: 1

      I bought an SD card and a card reader to keep Anti-malware tools on. The idea was to use the write protect switch to keep malware from infecting/modifying the contents of the card when inserted into an infected PC.

      The first card reader just ignored the switch! I had to buy a second one of a different model/company to be protected.

    16. Re:Next up, antimalware built into boot sectors. by V!NCENT · · Score: 1

      Couldn't the rootkit just take control of the actual boot sector, and then present something else to the OS?

      It can't represent the exact same values to the OS, without being larger than the bootsector. Otherwise it can be considered a bug in the OS.

      And isn't the point of modding the boot sector to make the rootkit boot before the OS, thereby making (the first stage of) the rootkit independent of OS?

      There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash. This would render the rootkit unusable.

      Imagine a BSOD saying "OS corrupted by virus. Boot from OS disk to repair boot sector.".

      Byebye rootkits.

      --
      Here be signatures
    17. Re:Next up, antimalware built into boot sectors. by Anonymous Coward · · Score: 0

      This means the OS has to know exactly what values have to be in the boot sector.
      So either you can only use only approved bootloaders, or the OS has to store somewhere the information about what is the current bootloader stored in the boot sector.
      As long as the rootkit knows where this information is stored and generated, it can modify it.
      Replace the file, replace the hash, encrypt it, whatever.
      You could say use a password, but then you have to enter a password for verifying the bootloader.
      At that point the bootloader isn't verified yet, so any rootkit would be in control anyway.

    18. Re:Next up, antimalware built into boot sectors. by Nikker · · Score: 1

      If we moved the MBR to the a section of BIOS and setup a physical switch to allow modifications then that would give us a leg up on most of this garbage.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    19. Re:Next up, antimalware built into boot sectors. by Anonymous Coward · · Score: 0

      I think it is an excellent idea, and would bet that it is likely both cheap and easy to implement.

      Care to offer an implementation then?

      I don't see how this could possibly work. If you lock the first 512 bytes (partition table on old DOS, won't help you with EFI) then they can just infect the bootsector, the boot sector is at the start of the partition which can be anywhere on the drive, how exactly do you expect a hardware switch to find what it is supposed to be protecting, let alone actually protect it? If you do somehow solve that problem, then they will just infect the boot loader which is a file on the drive so you need some sort of hardware NTFS/FAT/EXT3/BTRFS/UFS/<insert-every-other-filesystem> parser.

      If it were easy then it would have been done already, never mind the fact that HDDs don't HAVE a no-write switch, let alone a separate switch for each of the million sectors.

    20. Re:Next up, antimalware built into boot sectors. by sFurbo · · Score: 1

      There is a lot to be learned from OS design in regards to the BIOS. The BIOS also runs next to the OS and it has to reserve some memory. The OS can be made so that, even if the rootkit lies about the free memory footprint for the OS, the OS can do a lot of tricks to outsmart the rootkit and decide to completely crash.

      How would the OS outsmart the rootkit? Wouldn't the rootkit always have the upper hand, being booted first? And wouldn't it be a problem for the OS that it is more static than the rootkits?

    21. Re:Next up, antimalware built into boot sectors. by crutchy · · Score: 1

      yes it can... permissions-based filesystem, locked-down iptables, and some plain old common sense (the software in your head). yes linux machines can be hacked, but it's rarely the fault of the software, with most hacks being due to poor configuration. otherwise linux wouldn't be the trusted name in server operating systems that it is.

      windows' biggest downfall... lack of a permissions-based filesystem. as soon as this changes, windows will be much more securable (still subject to admin/user sense and competence as always)

    22. Re:Next up, antimalware built into boot sectors. by V!NCENT · · Score: 1

      I said logic, not values.

      --
      Here be signatures
    23. Re:Next up, antimalware built into boot sectors. by V!NCENT · · Score: 1

      Simple. At install time, the bootsector isn't even touched by the BIOS, so the rootkit doesn't load. The OS can then know exactly what space it has and hasn't. Based on that, a small piece of the kernel binary could be compiled to make use of these outer edges, to store some pages and some critical logic and values.

      When the rootkit launches it must sit next to the BIOS and then launch the OS loader. The OS loader loads the kernel.

      The kernel is now going to load random pages with unused logic in the first few MB of RAM it can touch (as it was compiled). And among these random pages, there will be logic that will get used. The rootkit can hide, but eventually it can't store all these pages and at some point a page has to be loaded or the OS doesn't work anymore. Even if the rootkit stores these pages somewhere else in the RAM, it risks overwriting used RAM and it cannot know what's used because of all the RAM caching today.

      Simply put, a virus cannot live without a living host.

      Even the BIOS could be engineered so that it tracks how many cycles the CPU has gone through before being able to ACPI process kernel calls. If this is too much, there has been something else that's going on, meaning infection.

      C'mon, be a little more creative...

      --
      Here be signatures
    24. Re:Next up, antimalware built into boot sectors. by jhigh · · Score: 1

      Requiring physical access is likely to be the only real solution that cannot be compromised remotely.

      And even then you would have some user that some hacker social engineered into giving them physical access.

      --
      Social Engineering Expert: Because there is no patch for stupidity.
    25. Re:Next up, antimalware built into boot sectors. by Jumperalex · · Score: 1

      So ... it isn't 100% effective so lets not do it?

      Compared to "click here to protect from Virus" this is much slightly harder to socially engineer someone into turning off their computer [this may or may not be a requirement], cracking the case, and then to flip a switch. And it also slows the infection process way down. No more spreading by the speed of email or web surfing.

      For us geeks, we'll just rig up the switch to operate from outside the case to save us the hassle of pulling a cover :)

      --
      If you can't be good, be good at it!
  3. Very creative by msobkow · · Score: 1, Insightful

    As annoying and irritating and downright destructive as malware can be, the techniques used to implement it can be absolutely fascinating. Hackers are the programmers who dive into the system and understand its weaknesses, finding holes and exploits.

    It's the crackers who field that technology destructively that are the problem.

    Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Very creative by bill_mcgonigle · · Score: 1

      Technology in and of itself is not evil or wrong. It's the abuse of technology that we all need to be concerned about.

      Back in the 90's the groupthink here was very tin-foily about trusted computing hardware. Now, a verified boot doesn't seem like a bad idea.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Very creative by fuzzyfuzzyfungus · · Score: 2

      I can't speak for the collective consciousness of Slashdot; but the various 'trusted computing' stuff seems to have exactly the same set of trade-offs now that it did in the 90's: It does make malicious modification(by untrusted 3rd parties, malice by trusted parties actually becomes easier) more difficult; but there isn't an enormous amount of room for optimism about the percentage of devices that will accept the user as the root of trust, rather than whoever the vendor burned in. The number won't be zero, certainly; but it seems only reasonable to expect that the 'trusted' future will be dominated by hardware whose trust list does not include you.

    3. Re:Very creative by bill_mcgonigle · · Score: 1

      Most of the TSC hardware is field-programmable, at least from what I've read. Factory-burned would be fine. Being able to say, "lock this boot configuration, I think the computer is secure", say before crossing a border checkpoint, would be really helpful.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Most sophisticated indeed by Baloroth · · Score: 1

    "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world.

    That we know about.

    Stuxnet looked pretty mundane, on the surface. Anyone else wonder how many more such super-sophisticated malware are out there that we have no clue exists?

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:Most sophisticated indeed by crutchy · · Score: 1

      what's conficker up to nowadays? G, H?

      how about the bounty by the consortium of US tech companies on anyone involved in it? $300k, $400k?

      http://en.wikipedia.org/wiki/Conficker#Response

  5. Re:secure boot ftw! by Anonymous Coward · · Score: 0

    Or switch OSes. I'll give you 3 chances to guess which OS these root kits run on. And the first 2 don't count.

  6. Computers must have an emergency-recovery by davidwr · · Score: 4, Interesting

    Computers must have a way to boot to a guaranteed-audited environment for virus scanning.

    Yes, I know that Windows 8 on computers that have "protected" BIOSes meet this requirement but I'm thinking something more general.

    If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:

    Protected BIOS preloader:
    - audits (checks signature of) the BIOS, if signed AND has the "secure" bit set, lets it load, if not signed, loads read-only factory BIOS.

    BIOS (or factory BIOS)
    - audits (checks signature of) bootloader/OS loader from first available boot device. If signed and the "secure" bit is set, lets it load. If not goes on to next device in boot sequence.

    and so on.

    In many cases the user will be presented with "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.

    Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.

    Once the system is booted, security software can be downloaded, audited, and run.

    Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.

    --
    Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software but it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Computers must have an emergency-recovery by JBMcB · · Score: 1

      Isn't that partially what TPM does? I think my Thinkpad (heh) has an option to lock out the boot device if the boot sector or bios settings were altered without authenticating to the TPM.

      --
      My Other Computer Is A Data General Nova III.
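A small model of what JBMcB is asking about, and of the fallthrough davidwr sketches two posts up, added here as an example; it is not code from the thread, from a TPM or from any firmware. It assumes SHA-256 as the measurement hash, a TPM-style extend operation (new PCR = hash(old PCR || hash(component))), constructed stand-in blobs for the BIOS, MBR and loader, and a disk key "sealed" to the clean PCR value. The point it shows: a bootkit that rewrites the MBR code while keeping its size and partition table unchanged still produces a different PCR, so the sealed key is not released and the altered boot sector is caught before the OS runs.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # PCRs start zeroed at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component)).
    One-way and order-dependent, so no later stage can 'un-measure' an earlier one."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(stages):
    """Measure each stage in boot order before it would run.
    Returns the final PCR value and an event log of (stage, digest) pairs."""
    pcr = PCR_INIT
    log = []
    for name, blob in stages:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


def unseal(pcr: bytes, sealed_pcr: bytes, secret: bytes):
    """A secret sealed to a PCR value is released only when the current PCR matches it."""
    return secret if pcr == sealed_pcr else None


def pick_boot_device(devices, allowlist):
    """davidwr's fallthrough: take the first device whose loader digest is approved and
    which carries the 'secure' bit; None means 'no secure boot device found'."""
    for name, loader, secure_bit in devices:
        if secure_bit and hashlib.sha256(loader).hexdigest() in allowlist:
            return name
    return None


# Constructed stand-ins for the real firmware, MBR and loader images (not real code).
BIOS = b"bios-image-v1"
CLEAN_MBR = b"\x33\xc0\x8e\xd0" + b"\x00" * 508
INFECTED_MBR = b"\xeb\x58\x90" + b"\x90" * 509   # same 512 bytes, different first-stage code
LOADER = b"bootmgr-image"
ALLOWLIST = {hashlib.sha256(LOADER).hexdigest()}

# The PCR value the disk key is sealed to: measured once on a known-clean machine.
GOLDEN_PCR, GOLDEN_LOG = measure_chain([("bios", BIOS), ("mbr", CLEAN_MBR), ("loader", LOADER)])
DISK_KEY = b"sealed-volume-key"


def boot_and_unseal(mbr: bytes):
    """Boot with the given MBR and attempt to release the sealed disk key."""
    pcr, _ = measure_chain([("bios", BIOS), ("mbr", mbr), ("loader", LOADER)])
    return unseal(pcr, GOLDEN_PCR, DISK_KEY)


if __name__ == "__main__":
    print("clean boot key:", boot_and_unseal(CLEAN_MBR))
    print("infected boot key:", boot_and_unseal(INFECTED_MBR))
    print("boot device:", pick_boot_device([("hdd", INFECTED_MBR, True), ("dvd", LOADER, True)], ALLOWLIST))
```

The check only works if the stage doing the measuring is itself trusted, which is why the thread keeps returning to the BIOS: a measured boot catches a modified MBR because the firmware hashes it before jumping to it, but a firmware that has itself been replaced can lie about every later measurement.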
    2. Re:Computers must have an emergency-recovery by ttong · · Score: 2

      For what CPU architecture will the install/live/rescue OS be compiled? How is it going to download the security software? Will it automatically set up 802.1x/PPPoE with your own chap-secrets/a USB UMTS modem or whatever Internet connection the customer might have?

      I'd rather see a hardware failsafe with a manual override switch which resets the CPU whenever the SATA controller detects a write to a block below, say, 8. It should be done without using an interrupt. This way, an infection is prevented rather than worked around after the fact. Also you get to use your existing OS installation media to fix whatever is left to fix.

    3. Re:Computers must have an emergency-recovery by davidwr · · Score: 1

      For what CPU architecture will the install/live/rescue OS be compiled?

      That's like asking "for what CPU architecture will the OS be compiled"? - for the target machine.

      If I'm a PC vendor and I'm selling Intel-compatible PCs with known motherboards, the rescue system will be one that can bootstrap to a stripped-down OS. If I'm a major vendor with close ties to Microsoft it will probably be a "live rescue DVD" provided to me by Microsoft. If I'm someone else it might be Linux or *nix-based.

      It will have appropriate network drivers built in so it will be able to go out to a known location and download and verify known-good security software and run it.

      As far as Internet connections, the future is one where the router or similar device takes care of authenticating to the ISP, and the computer just sees a DHCP server.

      However, you do have a point, quite a few people will be "left out" if they have to depend on an Internet that they can't log into.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    4. Re:Computers must have an emergency-recovery by Anonymous Coward · · Score: 0

      Yes, reset the CPU during operation.
      That won't cause any problems at all.
      Unless you don't mind all kinds of data loss the OS should be notified.
      Of course if data loss is not important, or at least less important than an infection, this might work.

    5. Re:Computers must have an emergency-recovery by davidwr · · Score: 1

      Well, it's not much worse for your data than your average kernel panic/BSOD/equivalent.

      I say "not much worse" because some OSes do a good memory-dump when they panic and *conceivably* some data can be retrieved from that which would otherwise be lost on a computer reset.

      Now, he did say CPU reset, which is far different than a computer reset. It also begs the question: Which CPU should be reset if there is more than one?

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    6. Re:Computers must have an emergency-recovery by Anonymous Coward · · Score: 0

      >>BIOS (or factory BIOS) .. you see the fail there ? Which factory did you have in mind ?

      Just FYI, i have been in factories where bootloader code gets transported to the production line in a briefcase, which gets plugged in by trusted personnel, and gets watched over during the full production run, while the code gets burned into the ROM. The chips in question though were for relatively security critical embedded application.

      I'm not sure i would trust a random ARM or MIPS CPU licensee for example to offer that level of security guarantee off their EVERY production line..

      Long story short, just because its burned into the chip ROM, does not mean that there was not an opportunity to tamper with the code somewhere along the way from the developer to consumer.

    7. Re:Computers must have an emergency-recovery by crutchy · · Score: 1

      it already exists... it's called a compact disc (or CD for short), and you can boot it by changing a BIOS setting. just chuck in a Linux live CD. works wonders for me (on windows machines)

    8. Re:Computers must have an emergency-recovery by davidwr · · Score: 1

      >>BIOS (or factory BIOS) .. you see the fail there ? Which factory did you have in mind ?

      The goal is to recover from a post-point-of-sale infection or at least a post-factory-floor infection.

      Defects like fixing deliberately-insecure factory-default BIOSes are outside of the scope of this solution.

      The recommended solution for an otherwise-unrecoverable pre-sale infection involves purchasing a new computer and sending land-sharks or government consumer-watchdog authorities after the offending company.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    9. Re:Computers must have an emergency-recovery by davidwr · · Score: 1

      This works fine as long as your BIOS hasn't been updated with an infected version.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    10. Re:Computers must have an emergency-recovery by ttong · · Score: 1

      So your solution applies to the Compaqs and Dells but not custom-built PCs, I think the big vendors will just say something along the lines of "we include a free version of $shitty_antivirus, so we don't need this". And then continue to charge extra for support plans, so the "stupid tax" works (clueless customers pay extra).

      A simple hardware solution without any software support would be far superior. Sometimes, the more low-tech the solution is the greater the chance that it'll actually work.

    11. Re:Computers must have an emergency-recovery by crutchy · · Score: 1

      There's some very useful info about Mebromi here:
      http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

      It only affects Windows machines with Award BIOS's and seems to be pretty hard to get rid of. Maybe this level of infection will someday force Microsoft to consider implementing a permissions-based filesystem to reduce the possibility of this type of infection in the first place.

      Cheapest/easiest solution: buy a new mobo.
      You may also be able to flash a backup using a Linux live CD as Mebromi is a Windows infector. If the virus infects Linux, use an MS-DOS boot disk (assuming there's an MS-DOS version of your BIOS flash utility). Never used it, but there's some info here:
      http://www.bay-wolf.com/bootcd-bios.htm

      Best prevention: disable BIOS flashing in your setup (if YOU need to flash your bios, enable it, flash, and then disable again).

    12. Re:Computers must have an emergency-recovery by ttong · · Score: 1

      Good one. Maybe it's better to reverse the attack, kill the controller until it power cycles. The obvious downside is that the attack would still run and could still perform other steps to take over the boot process. But then, dealing with malware has always been a game of cat-and-mouse. You take the _least_ effort measure against today's malware, and then pass on the ball. A "perfect" solution would be absolutely devastating, because 30 years into the game the malware authors continue to remain one step ahead. Supposedly TPM would solve this, but it's a very complex hardware solution. If -- or rather when -- a weakness is found, then what do we do? Longer keys? Back to the old cat-and-mouse but in hardware, no thanks.

    13. Re:Computers must have an emergency-recovery by Anonymous Coward · · Score: 0

      Two problems: 1) as soon as the private key you're checking against is leaked, the whole thing is kind of pointless; 2) it's not possible under your scheme for Linux or any other free operating system to be considered "secure" because there's no trusted organization to sign the bootloader. When you say "signed vendor operating system" you really mean "signed Microsoft operating system".

      A simpler system would be:

      - Allow the user to easily reflash the BIOS from read-only factory ROM.

      That's it!

      Once you've done that it's trivial to pop in a rescue CD, live CD or installation CD.

  7. Hackers crackers by Anonymous Coward · · Score: 0

    Give it up mate

  8. Re: If This Is A Bad Botnet: +4, Ingenious by Jeng · · Score: 1

    So why don't good people write a program that can seek out these bad ones and kill them?

    There are people who do, such as those who maintain Spybot Search and Destroy.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  9. Re:secure boot ftw! by meustrus · · Score: 3, Interesting

    Good thing I'm gonna get a win8 machine with secure boot. Fuck these assholes.

    That's what I was thinking. Then I thought, "Gee, this wasn't a big issue before but now that Windows 8 is going to have a feature to kill it, only then does major malware do this?" I hate to sound like a conspiracy nut, but this suggests that some arm of Microsoft might be involved in this. Knowing how Microsoft departments work (see "mexican standoff") it's not too far fetched to think that IF this were going on, 90% of the company wouldn't know.

    On a more salient technical question...exactly how does malware plan on installing a hidden boot partition? Did malware writers figure out how to shrink a live, mounted partition of the hard drive to make space for another one? Or are they just going to take over the "recovery" partition most vendors ship on their computers? Given that the first option is extremely unlikely, this seems like a good reason to suggest that vendors supply an OS install DVD (or read-only USB stick, or embedded read-only flash storage) instead of a recovery partition. Not that it's ever going to happen. Hardware vendors like being able to save on manufacturing (or even licensing) costs for the extra discs, at the expense of space for user data (which doesn't need to be disclosed in advertising). Microsoft is too focused on their secure boot crusade anyway.

    Combining the seeming nuttery with the technical question...what would Microsoft's goal be to create or help the development of this malware? To push secure boot? Why secure boot? To kill Linux? To kill Windows piracy? To help their partners ship unremovable crapware? To turn Windows into an iOS-style walled garden?

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.
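Two of the objections above come down to the same piece of on-disk structure: the Anonymous Coward's point that "the boot sector is at the start of the partition which can be anywhere on the drive", and meustrus's question of where a hidden boot partition would physically go. The following is an added example, not code from the thread or from any of the products it mentions. It assumes a classic 512-byte MBR with the four 16-byte partition entries at offset 446 and the 0x55AA signature at the end; the disk geometry, partition layout and boot-code bytes are constructed test data, and the "infected" image is simply the same partition table with different first-stage code. The check does three things a "protect sector 0" switch cannot: it lists where each partition's own boot sector (VBR) actually lives, it finds unallocated ranges large enough to hide a partition in (ignoring the usual 1 MiB alignment gap), and it compares only the 446 code bytes against a baseline so a legitimate repartition does not trip the alarm.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count
BOOT_SIG = b"\x55\xaa"


def build_mbr(code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code plus (bootable, type, start_lba, sectors) tuples.
    Constructed test data; CHS fields are zeroed because modern firmware and OSes use LBA."""
    code = code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for boot, ptype, start, count in entries
    ).ljust(4 * 16, b"\x00")
    return code + table + BOOT_SIG


def is_mbr(mbr: bytes) -> bool:
    """True only for a 512-byte sector ending in the 0x55AA boot signature."""
    return len(mbr) == SECTOR and mbr[510:] == BOOT_SIG


def parse_mbr(mbr: bytes):
    """Return the populated partition entries as dicts; reject anything that is not an MBR."""
    if not is_mbr(mbr):
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts


def vbr_sectors(parts):
    """Each partition's own boot sector (VBR) is its first LBA; a switch that only covers
    sector 0 protects none of these."""
    return [p["start_lba"] for p in parts]


def unallocated_gaps(parts, disk_sectors: int, min_gap: int = 2048):
    """Sector ranges no partition claims. The 2047-sector alignment gap before a partition
    starting at LBA 2048 is ignored; anything at least min_gap long is a candidate hiding place."""
    gaps = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start_lba"]):
        if p["start_lba"] - cursor >= min_gap:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def mbr_code_digest(mbr: bytes) -> str:
    """Hash of the 446 code bytes only, so repartitioning does not change the baseline."""
    return hashlib.sha256(mbr[:PT_OFFSET]).hexdigest()


def check_disk(mbr: bytes, baseline: str, disk_sectors: int):
    """Report code tampering, VBR locations and suspicious unallocated ranges for one disk."""
    parts = parse_mbr(mbr)
    return {
        "code_modified": mbr_code_digest(mbr) != baseline,
        "vbr_sectors": vbr_sectors(parts),
        "gaps": unallocated_gaps(parts, disk_sectors),
    }


# Constructed sample: a 1,000,000-sector disk with an NTFS system partition (type 0x07) and a
# vendor recovery partition (type 0x27), leaving unclaimed space at the end of the disk.
DISK_SECTORS = 1_000_000
LAYOUT = [(True, 0x07, 2048, 900_000), (False, 0x27, 902_048, 80_000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", LAYOUT)   # made-up stand-in for boot code
BASELINE = mbr_code_digest(CLEAN_MBR)
INFECTED_MBR = build_mbr(b"\xeb\x58\x90" + b"\x90" * 64, LAYOUT)  # same table, replaced code


if __name__ == "__main__":
    print(check_disk(CLEAN_MBR, BASELINE, DISK_SECTORS))
    print(check_disk(INFECTED_MBR, BASELINE, DISK_SECTORS))
```

Run against a real disk this would read sector 0 from the raw block device (which is exactly the write path bioteq asks why userland has at all); here the sectors are built in memory so it runs offline. The gap report is a lead, not a verdict: vendor tools and alignment leave unallocated space on perfectly clean disks, so the finding that matters for a suspected bootkit is the combination of modified code bytes with a change in the baseline that nobody ran a repartition or bootloader install to explain.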
  10. Re:secure boot ftw! by Anonymous Coward · · Score: 0

    BeOS. FreeBSD. Linux. Did I win?

  11. I dont agree with your blanket statement by Marrow · · Score: 2

    Some technologies are created for evil purposes by evil people. They have no beneficial use.
    Sorry, but technology is just a tool and some tools are good for only one thing: Bad.

    1. Re:I dont agree with your blanket statement by Anonymous Coward · · Score: 0

      ... [Some technologies] have no beneficial use. ... [Some] tools are good for only one thing: Bad.

      I'm unable to think of an example which satisfies these statements: even botnets could be co-opted for use in an enterprise environment, to help lock down corporate computers and data.

      Did you have an example of a purely-evil tool you were thinking of?

    2. Re:I dont agree with your blanket statement by Anonymous Coward · · Score: 0

      Did you have an example of a purely-evil tool you were thinking of?

      Skynet!

    3. Re:I don't agree with your blanket statement by Anonymous Coward · · Score: 0

      Not OP, but purely evil tools that come to mind would be torture instruments and the like. I can't possibly fathom a valid non-evil use for an Iron Maiden or Brazen Bull (well, perhaps the latter to cook actual food, but that's just silly).

      In regards to computing specifically, the programming for the pop-under ad comes to mind. I can't possibly fathom a valid use for opening up a separate window and hiding it under your current window without your requesting as such... or more specifically even when you're actively doing everything you can in your system (noscript, adblock) to stop that from happening.

    4. Re:I don't agree with your blanket statement by Anonymous Coward · · Score: 0

      Once Skynet became sentient it was no longer a tool.

    5. Re:I don't agree with your blanket statement by rvw · · Score: 1

      ... [Some technologies] have no beneficial use. ... [Some] tools are good for only one thing: Bad.

      I'm unable to think of an example which satisfies these statements: even botnets could be co-opted for use in an enterprise environment, to help lock down corporate computers and data.

      Did you have an example of a purely-evil tool you were thinking of?

      Biochemical weapons. Weapons of mass destruction. Nerve gas, Agent Orange.

    6. Re:I don't agree with your blanket statement by sFurbo · · Score: 1

      We have used myxomatosis to control the rabbit population of Australia; I guess that counts as a biochemical weapon, but not the same as we would use for humans, so the tool is different.
      Nuclear bombs have given us the most peaceful 60 years in humanity's history (the years leading up to WW1 rival that, but I don't think 60 years of them do), and are currently our best bet for accelerating a spaceship to any useful fraction of the speed of light.
      Nerve gases can be used as insecticides, and have given us a lot of knowledge about nerves. They could be useful as medicine, but I don't think they have been used in that respect.
      Agent Orange is a herbicide (but it should be produced with better process control, to avoid dioxin formation).

      I guess biochemical weapons for use against humans are the only one of your examples that I can find no good use for, though I am sure there are more out there.

    7. Re:I don't agree with your blanket statement by crutchy · · Score: 1

      even torture tools can be used for the greater good. torture a villain's assistant to give up the location of a villain for example. even nuclear weapons are good for protecting the world (ok more due to fear of self-annihilation).

      technology is a double-edged sword. whatever can be used for good can also be used for evil, and vice versa. its only limitation is creativity and imagination, and the combined imagination of all of humanity is pretty vast, so if you think you've developed something that could only be used for good, it is a certainty that someone in the world could use it for evil (and vice versa)

    8. Re:I don't agree with your blanket statement by crutchy · · Score: 1

      if my country was invaded by americans, i wouldn't hesitate to consider the use of biochemical weapons (they might not be good for the americans, but they would be good for me)

      everything must be put in perspective

  12. Re:secure boot ftw! by Anonymous Coward · · Score: 0

    Funny, but no.

    RTFA:
    "There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them."

  13. Good old days by Lefty2446 · · Score: 1

    So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick and re-partition to get rid of some of the viruses.

  14. In addition to that ... by khasim · · Score: 2

    The way to defend against it is to boot the AV from CD, there are some that offer that.

    That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

    That way, not only can you check for KNOWN viruses ... but you can verify that the files you have do not have UNKNOWN viruses.

    The only problem (aside from the daily update thing) would be user-created files. So an easy way to move those files from the machine to something like a flash drive would be handy.

    Then do something similar for the registry.

    And you'd have a better way of evaluating anti-virus companies. Which of them identify the most files from the most legitimate vendors and how accurately.

    1. Re:In addition to that ... by Hentes · · Score: 1

      An OS is not a static thing. It gets updated, users configure it etc. Unless you want a foolproof system for office use with locked in users.

    2. Re:In addition to that ... by Anonymous Coward · · Score: 0

      the name escapes me atm ... one of my senior year security classes, there was a linux package, made an md5 hash of all the system files then kept a db of them all. there was some mechanism for updates. great for info assurance etc.

    3. Re:In addition to that ... by LordLimecat · · Score: 2

      That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

      Windows has had that for ages, it's called Windows File Protection. The problem is that very rarely are the system files themselves attacked-- that is too likely to trigger issues. Almost always, a third party DLL or driver is loaded at startup.

      When system files ARE infected, the automatic file recovery mechanism is usually subverted, and the DLLcache copy of the file is also infected.

      There is no silver bullet for this. Unless you want a walled garden, there will always be the possibility for system infections.

    4. Re:In addition to that ... by crutchy · · Score: 1

      the first thing any malware would target is the program that keeps track of the hashes (first offense is self-defense)

      same as why disabling of common antivirus software is usually the prime target of the more sophisticated viruses

      no matter how many layers of protection you add, the malware would always be designed to disable the top level

      infection also doesn't need to be file-based. in this day and age many computers are left running for days or weeks at a time, so malware can do a hell of a lot of damage from residence in memory only

      also, how trustworthy can any anti-virus company be given that they make money from the infection of computers rather than prevention of that infection (if computers were never infected nobody would bother paying for anti-virus). i would bet that many viruses are developed (though not necessarily released) from within anti-virus companies in the same way as biological viruses are developed by biotech companies. it's like trusting a company that makes guns to protect you from being shot (pretty dumb right?).

  15. Re:secure boot ftw! by Anonymous Coward · · Score: 1

    Every major OS now can shrink a mounted partition out of the box. OS X's partitioner has at least been able to do it since 2006 (it's used for Bootcamp). Windows added the ability with Windows 7 and I don't even know how long Parted has had that ability on Linux.

  16. Windows 8 secure boot by jader3rd · · Score: 2

    I know that no one here is willing to say a good thing about the proposed Windows 8 secure boot "feature", but isn't this rootkit scenario the one it's trying to prevent? Would the secure boot prevent a user from booting into Windows if a rootkit like this was on the computer?

    1. Re:Windows 8 secure boot by slacker775 · · Score: 1

      I can't say that I've followed the whole secure boot thing too closely, but if history tells us anything, you just KNOW that it will be designed/implemented wrong and will be hacked around before you know it. I would not count on it being your be-all-end-all protection mechanism.

    2. Re:Windows 8 secure boot by nzac · · Score: 1

      (While I am sure that they are skilled enough to exploit the latest privilege escalation bug in the Linux kernel,) it still takes Windows to give it access to the hard disk like that to begin with. This is ignoring that you have to get Linux to execute the code in the first place.

      MS hurting Linux to fix their own security problem makes it still easy to blame them.

      Assuming the rootkit keeps your home partition intact (you would not be turning your computer on too often if it did not) this should be easy enough to fix.

    3. Re:Windows 8 secure boot by Anonymous Coward · · Score: 1

      Among other things, yes. It does deter rootkits in a similar sense that having an omnipresent police state tends to deter thieves and muggers. Yet one wouldn't want to live in a police state, even if that meant there would be no thieves or muggers.

  17. too bad that most business uses will make that lock by Joe_Dragon · · Score: 2

    too bad that most business uses will make that lock down unworkable for quite some time.

    * Most businesses are just moving over to Windows 7 now and I don't see them going to Windows 8 any time soon.

    * In house apps will take some time to move over to any kind of new iOS style app store only system.

    * anti trust laws

    * Lots of old software that businesses need.

    * The use of vendor systems with their own software / OSes

    * Lots of businesses don't use the OEM install and do their own, but the secure boot system can let Dell lock you into Dell hardware / Dell video / Dell HDD / other hardware that can cost up to $100 more than buying from any other online store, as well as locking you into the crapware-loaded Dell Windows 8 OEM install.

    * The use of Linux

  18. Re:secure boot ftw! by Anonymous Coward · · Score: 0

    Ironically, that's the most mature comeback I've ever seen from a gamertard windows user.

  19. Easy enough by Anonymous Coward · · Score: 0

    To scan for a hidden partition and examine the contents

    1. Re:Easy enough by bmo · · Score: 1

      This.

      Boot clean media from a thumbdrive.

      "Oh look, a "sekrit" partition"

      *delete*

      Problem, malware writer?

      --
      BMO

  20. What ? by CharlyFoxtrot · · Score: 1

    A complete rewrite ? Don't these guys read Joel On Software ? They're going to ruin their ... oh, um carry on.

    --
    If all else fails, immortality can always be assured by spectacular error.
  21. RE: by D'Sphitz · · Score: 3, Interesting

    If there is no free entry in the partition table then the malware reports to the C&C server and terminates.

    So if you make sure you have 4 primary partitions created, you are essentially immune?

  22. I don't agree by gosand · · Score: 1

    I don't know if I'd call Mark Zuckerberg *evil* per se...

    --

    My beliefs do not require that you agree with them.

  23. Hence the "daily updates" part. by khasim · · Score: 1

    An OS is not a static thing. It gets updated, users configure it etc.

    Hence the line about "daily updates" in my post.

    You boot the CD and it checks the anti-virus vendor's site for the latest information on what files are where with which hashes. That includes the OS and the applications.

    With that, the only place the crackers can hide the viruses are in the user's files. And those files SHOULD be easily movable to a flash drive or such.

    1. Re:Hence the "daily updates" part. by LordLimecat · · Score: 1

      With that, the only place the crackers can hide the viruses are in the user's files.

      That is not correct. As I noted in the post above, Windows already HAS a file protection mechanism built in (has since Windows 2000), but it can be subverted like any other mechanism can. There IS no foolproof in computing.
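As an added example (not code from anyone in the thread), this is the kind of hash-baseline check khasim describes in posts 14 and 23, in Python, with LordLimecat's caveat built in: the baseline is assumed to be generated from and stored on clean media, because a baseline kept on the infected disk can be rewritten along with the files it is supposed to protect. The directory tree, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash one file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record {relative_path: sha256} for every regular file under root.
    In the thread's scenario this runs once from clean boot media and the
    result lives off the machine (or is fetched from the vendor each day)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the live tree with the baseline.
    'modified': hash differs (a patched system file);
    'missing':  listed in the baseline but gone from disk;
    'unknown':  on disk but not in the baseline, which is how an extra
                third-party DLL or driver loaded at startup would show up."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unknown": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample: a tiny fake system tree, a baseline, then three changes."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    with open(os.path.join(sysdir, "kernel.dll"), "wb") as f:
        f.write(b"original kernel bytes (constructed)")
    with open(os.path.join(sysdir, "shell.dll"), "wb") as f:
        f.write(b"original shell bytes (constructed)")
    baseline = build_baseline(root)
    # Simulate what a rescue-media scan would find after a compromise.
    with open(os.path.join(sysdir, "kernel.dll"), "wb") as f:
        f.write(b"patched kernel bytes (constructed)")
    with open(os.path.join(sysdir, "unknown_driver.sys"), "wb") as f:
        f.write(b"not in baseline (constructed)")
    os.remove(os.path.join(sysdir, "shell.dll"))
    return verify(root, baseline)
```

The 'unknown' bucket is the interesting one for this thread: a signed-file check alone passes an untouched kernel.dll, but a driver that was never in the baseline still shows up.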

  24. live partition shrinking is not hard by davidwr · · Score: 1

    exactly how does malware plan on installing a hidden boot partition?

    In principle, it's not hard once you get control of the system.

    Step 1. Get control of system. If this is a problem for your virus then it is lame. Don't bother with the rest, it's over your head.

    Step 2. While the system is running seemingly normally, locate un-partitioned space. If there is enough skip to step 6.

    Step 3. Locate space at the end of a primary partition. If needed move any user data and meta-data out of that space to elsewhere. Make sure the space remains unused until you finish step 4.

    Step 4. Schedule a change in the filesystem size on next reboot, wait for reboot, change filesystem size. OR if the OS allows it, just change the filesystem size.

    Step 5. Schedule a change in the partition size on next reboot, wait for reboot, change partition size. OR if the OS allows it, just change the partition size.

    Step 6. Create a new partition and mark it hidden. Put whatever you want on it. Mark it active.

    I know I left out some housekeeping chores, like making sure there is a free entry in the partition table and a host of other little things.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  25. Get with the program :) by davidwr · · Score: 1

    So we're getting back to the good old days where you needed to wipe the first couple of megs of the disk with a MS debug trick

    I think today's version is

    dd if=/dev/zero of=/dev/sda bs=1M count=2

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  26. Re: by Anonymous Coward · · Score: 1

    That is why we are moving to GPT. I guess that would work until you get a new computer.

  27. Re: If This Is A Bad Botnet: +4, Ingenious by flappinbooger · · Score: 1

    I don't see spybot SD installing itself and spreading automatically....

    --
    Flappinbooger isn't my real name
  28. What? by Anonymous Coward · · Score: 0

    Isn't this supposed to be a secret or something?

  29. Re: by Anonymous Coward · · Score: 0

    Or 3 primary and 1 extended, which is how I ended up having to partition my netbook:

    1) Win Boot Part
    2) Win7 OS Part+Wubi
    3) Extended
       a) Linux /home
       b) Linux swap
       c) Win8 OS Part
    4) Factory Recovery

  30. Affected platforms .. by microphage · · Score: 2

    Win32/Olmasco.R .. Affected platforms: Microsoft Windows .... enough said .....

    1. Re:Affected platforms .. by Anonymous Coward · · Score: 0

      Does this mean my Linux box won't get to play google re-direct bingo?

  31. Re:secure boot ftw! by doccus · · Score: 1

    The only thought that comes to mind is how nice it was of the malware creators to give everybody the heads up on what they're currently working on. Just so, you know, we can have a fix for it right away... (!)

  32. Some more ideas by Anonymous Coward · · Score: 0

    a. Make your own open BIOS, protect changing the BIOS settings without proper authorization (I mean booting with USB stick), then boot the system from the BIOS.
    b. Overwrite the boot sector from the one stored in BIOS.
    c. Boot from a USB stick which overwrites the disk boot sector every time. (Bonus: sha1 check the binaries on the disk too, without booting the system)

    I'd go for c, since it has physical security in there too.

    These ideas under GNU GPLv3.

  33. Re:secure boot ftw! by crutchy · · Score: 0

    what does "marketshare" mean for a free OS such as GNU/Linux?

    even with Microshaft's coercive sales tactics, usage of Linux shits all over windoze... datacenters, set-top boxes, android phones, routers, nas drives, etc.
    most homes would have one or maybe two windows machines, but would also have at a minimum two linux devices (tv/set-top box and modem-router), and that's not including all the corporate stuff that linux has infiltrated

    it will never be "year of the linux desktop", but it is "year of the linux device" every year. Linux doesn't need marketshare to put windoze to shame - Microshaft/Windoze brings shame to itself better than anything else could ever hope for. so what if microsoft makes a shitload of money; so do mafias, nazis and drug cartels.

    oh, and you do care or you wouldn't be so obviously offended

    windick

  34. iNTEL/(cough)McCoffee SURFBOOT (tm) by Anonymous Coward · · Score: 0

    I just picked up the new iNTeL-Asus "just fuckin boot it!" v9.7 Mainboard.
    I should be good to go for 10 years.
    now get to your pencils and track those C&C servers,
    share your lists and round us up,
    off to the fema camps, in the sun and the mud,
    where ever she stops nobody knows.

    Ah profit of dooms,
    go long - dhs,tsa,online_ID_license, kaspersky,facebook,nsa,oracle,databases
    going long - swat team equipment, gas masks, broken marble, glass, and cement, chemicals, and lead
    going short - 201K, 401K, USDX, bonds,

    Oh how shall ye clone ye hard drive when all hard drive factory are destroyed?
    short - western digital,maxtor
    short - raw materials

    Keep going slashdot, it's almost here now.

  35. Re:secure boot ftw! by WorBlux · · Score: 1

    Secure boot has potential to be a really useful tech, if the OEMs let the users manage the keys.

  36. Re: by Anonymous Coward · · Score: 0

    Wait, we're moving to GPT so that boot sector malware doesn't get cockblocked?

  37. Easy workaround by CSMoran · · Score: 1

    Boot from a write-protected floppy which is always in the drive. The boot sector of the floppy loads a tiny piece of code that checks the checksum on the partition table and MBR and alerts you that it changed. Problem solved. Until they stop producing floppy drives, that is.

    --
    Every end has half a stick.
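Pulling together bmo's "scan for a hidden partition" (post 19), D'Sphitz's free-entry question (post 21), davidwr's step 6 "create a new partition and mark it hidden ... mark it active" (post 24) and CSMoran's checksum-the-partition-table idea (post 37), here is an added example that is not from anyone in the thread: a Python check a rescue-media script could run over the 512-byte MBR it reads from the disk. The sample MBRs are constructed; the layout and the "hidden" partition type ids are the standard MBR ones.

```python
import hashlib
import struct

# Classic MBR layout: 446 bytes of boot code, four 16-byte partition entries,
# then the 0x55AA signature at offset 510.
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SIG_OFFSET = 510
# Standard MBR type ids for "hidden" FAT12/16/32 and NTFS volumes.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
# status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"

def parse_partition_table(mbr):
    """Return the four table slots as dicts; type 0x00 means the slot is free."""
    if len(mbr) != 512 or mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    slots = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        slots.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return slots

def audit(mbr):
    """What a rescue-media script would report: free slots (post 21), hidden
    volumes and which slot is active (posts 19 and 24), and a table checksum
    to compare against a copy kept on read-only media (post 37)."""
    slots = parse_partition_table(mbr)
    return {
        "free_slots": [s["slot"] for s in slots if s["type"] == 0],
        "hidden": [s["slot"] for s in slots if s["type"] in HIDDEN_TYPES],
        "active": [s["slot"] for s in slots if s["active"]],
        "table_sha256": hashlib.sha256(mbr[TABLE_OFFSET:SIG_OFFSET]).hexdigest(),
    }

def make_entry(status, ptype, lba_start, sectors):
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)

def build_mbr(entries):
    """Constructed sample MBR: zeroed boot code plus the given entries."""
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"

def demo():
    """Three constructed disks: a normal one, the same disk after a hidden
    active partition appeared in the first free slot, and one with all four
    slots in use so there is no free entry at all."""
    normal = build_mbr([make_entry(0x80, 0x07, 2048, 204800),
                        make_entry(0x00, 0x07, 206848, 1_000_000)])
    tampered = build_mbr([make_entry(0x00, 0x07, 2048, 204800),
                          make_entry(0x00, 0x07, 206848, 1_000_000),
                          make_entry(0x80, 0x17, 1_206_848, 4096)])
    full = build_mbr([make_entry(0x80, 0x07, 2048, 100), make_entry(0, 0x07, 2148, 100),
                      make_entry(0, 0x07, 2248, 100), make_entry(0, 0x07, 2348, 100)])
    return {"normal": audit(normal), "tampered": audit(tampered), "full": audit(full)}
```

On the tampered disk the active flag has moved from slot 0 to a hidden NTFS-typed slot 2 and the table hash no longer matches, which is exactly the change a checksum kept on write-protected media would flag.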
  38. Re:secure boot ftw! by Anonymous Coward · · Score: 0

    Do you know where you are?