Most Sophisticated Rootkit Getting an Overhaul
jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."
Computers must have a way to boot to a guaranteed-audited environment for virus scanning.
Yes, I know that Windows 8 on computers that have "protected" BIOSes meets this requirement, but I'm thinking of something more general.
If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:
Protected BIOS preloader:
- audits (checks signature of) the BIOS; if signed AND has the "secure" bit set, lets it load; if not signed, loads the read-only factory BIOS.
BIOS (or factory BIOS)
- audits (checks signature of) the bootloader/OS loader from the first available boot device. If signed and the "secure" bit is set, lets it load. If not, it goes on to the next device in the boot sequence.
and so on.
In many cases the user will be presented with "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.
Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.
Once the system is booted, security software can be downloaded, audited, and run.
Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.
--
Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software, but it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
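The boot chain sketched in the comment above, written out as an added illustration (not the commenter's or any vendor's code): each stage hands off only to an image whose signature verifies and whose "secure" bit is set, otherwise it falls back to the factory BIOS or skips to the next boot device. It assumes an HMAC stand-in for the asymmetric OEM signature a real preloader would check, and the image names and contents are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the OEM verification key. Real firmware would check an
# asymmetric signature against a public key burned into the preloader; HMAC is used
# here only so the example runs with the standard library.
OEM_KEY = b"constructed-oem-key"

@dataclass(frozen=True)
class Image:
    name: str          # constructed label for the BIOS or boot-device image
    code: bytes
    secure_bit: bool
    signature: bytes

def sign(code: bytes, secure_bit: bool, key: bytes = OEM_KEY) -> bytes:
    # The signature covers the secure bit too, so it cannot be flipped after signing.
    return hmac.new(key, code + bytes([secure_bit]), hashlib.sha256).digest()

def verified(img: Image, key: bytes = OEM_KEY) -> bool:
    # "Signed AND has the secure bit set": both conditions must hold to load the image.
    expected = sign(img.code, img.secure_bit, key)
    return hmac.compare_digest(expected, img.signature) and img.secure_bit

def choose_bios(installed: Image, factory: Image) -> Image:
    # Preloader step: a BIOS modified after signing fails the check and the
    # read-only factory copy is used instead.
    return installed if verified(installed) else factory

def choose_bootloader(devices: List[Image]) -> Optional[Image]:
    # BIOS step: walk the boot order and take the first loader that verifies.
    for dev in devices:
        if verified(dev):
            return dev
    return None

def secure_boot(installed: Image, factory: Image, devices: List[Image]) -> Tuple[str, str]:
    # Returns (BIOS used, loader used or the error the comment describes).
    bios = choose_bios(installed, factory)
    loader = choose_bootloader(devices)
    if loader is None:
        return bios.name, "no secure boot device found, insert secure boot device and restart computer"
    return bios.name, loader.name

def demo() -> Tuple[str, str]:
    bios_code = b"vendor bios 1.2"
    factory = Image("factory-bios", bios_code, True, sign(bios_code, True))
    installed = Image("flashed-bios", bios_code + b"\x90", True, sign(bios_code, True))  # patched after signing
    hidden = Image("disk-hidden-partition", b"unknown loader", False, b"\x00" * 32)      # unsigned, no secure bit
    rescue = Image("rescue-cd", b"vendor rescue loader", True, sign(b"vendor rescue loader", True))
    return secure_boot(installed, factory, [hidden, rescue])
```

With the hidden partition first in the boot order, the tampered BIOS is rejected in favour of the factory copy and the unsigned loader is skipped, so the signed rescue CD boots; remove the CD and the BIOS reports the "no secure boot device found" error instead.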