Slashdot Mirror


Most Sophisticated Rootkit Getting an Overhaul

jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."

19 of 104 comments

  1. Next up, antimalware built into boot sectors. by Zoson · · Score: 2

    Naturally, we'll just make a boot sector with virus protection code that loads before anything else.

    Yo Dog, I heard you like bootsectors. So I put a bootsector in your bootsector, so you can boot, while you reboot!

    1. Re:Next up, antimalware built into boot sectors. by Hentes · · Score: 2

      Giving the antivirus even more rights is a losing battle, especially with the number of fake antiviruses. What an AV can do, a virus will be developed to do as well. The way to defend against it is to boot the AV from CD; there are some that offer that.

    2. Re:Next up, antimalware built into boot sectors. by bioteq · · Score: 2

      Or, you know, disable the ability to write to the boot sector / partition table without specialized permission.

      One-time toggle in the BIOS means you can write to the partition table on next boot. Want to write to it again? Toggle it in the BIOS again.

      Also, why can we write to the partition table and boot sector from userland again?

    3. Re:Next up, antimalware built into boot sectors. by DeadCatX2 · · Score: 3, Interesting

      For real protection, it can't be based in software. It must be a physical switch, like that on floppy disks or SD cards.

      --
      :(){ :|:& };:

    4. Re:Next up, antimalware built into boot sectors. by bioteq · · Score: 3, Interesting

      I'm all for a physical switch.

      Most of my customers would not be, however.

      Then again, I see writing to the partition table / boot sector as on the same level as flashing firmware; it should only be done when absolutely needed and by someone who knows what they're doing and is quite qualified. Which would put me rooting for a physical switch even more (I'd have fewer customers, though).

      But the question still begs: Why are we allowed to write to this stuff from userland? Even with admin / root privs?

    5. Re:Next up, antimalware built into boot sectors. by DeadCatX2 · · Score: 2

      We still have to open the case to clear CMOS. But you're right, this kinda thing would irritate customers (although it may even create more business for you, since they would need technical assistance when rewriting boot sectors).

      And you're also right, you shouldn't be able to write to this stuff from userland. However, malware is pretty good at gaining control of kernelland as well. A userland ban just adds another layer to their payload.

      Requiring physical access is likely to be the only real solution that cannot be compromised remotely.

      --
      :(){ :|:& };:

    6. Re:Next up, antimalware built into boot sectors. by fuzzyfuzzyfungus · · Score: 4, Informative

      This is picking a nit with the examples, rather than the concept; but both floppies and SD cards have a physical switch in only the loosest sense of the term:

      Floppies have no internal logic capable of acting on the switch state; it is entirely up to the floppy drive to sense and obey. SD cards do have an internal controller, and could theoretically enforce write-blocking on themselves; but they don't. Their switch is also just a little plastic tab, and it is entirely up to the reader to sense and obey the tab position. The card's PCB has no connection at all to the switch, and has no way of sensing its position...

  2. Computers must have an emergency-recovery by davidwr · · Score: 4, Interesting

    Computers must have a way to boot to a guaranteed-audited environment for virus scanning.

    Yes, I know that Windows 8 on computers that have "protected" BIOSes meets this requirement, but I'm thinking of something more general.

    If you turn on a hardware switch labeled "I think I have a virus" and power on your computer, the boot sequence should be:

    Protected BIOS preloader:
    - audits (checks signature of) the BIOS, if signed AND has the "secure" bit set, lets it load, if not signed, loads read-only factory BIOS.

    BIOS (or factory BIOS)
    - audits (checks signature of) bootloader/OS loader from first available boot device. If signed and the "secure" bit is set, lets it load. If not, goes on to the next device in the boot sequence.

    and so on.

    In many cases the user will be presented with a "no secure boot device found, insert secure boot device and restart computer" error from the BIOS.

    Inserting a signed vendor operating system install CD or live CD or rescue CD should do the trick.

    Once the system is booted, security software can be downloaded, audited, and run.

    Once the system is clean the user turns off the "I think I have a virus" switch and boots normally.

    --
    Yes, I know this won't cure a virus or rootkit that isn't DETECTED by current security software, but it will keep anything from getting a permanent (as in "throw your computer or drive away") foothold in a system AND it will make it relatively easy for the layman to get rid of such infections.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

    1. Re:Computers must have an emergency-recovery by ttong · · Score: 2

      For what CPU architecture will the install/live/rescue OS be compiled? How is it going to download the security software? Will it automatically set up 802.1X/PPPoE with your own chap-secrets/a USB UMTS modem or whatever Internet connection the customer might have?

      I'd rather see a hardware failsafe with a manual override switch which resets the CPU whenever the SATA controller detects a write to a block below, say, 8. It should be done without using an interrupt. This way, an infection is prevented rather than worked around after the fact. Also you get to use your existing OS installation media to fix whatever is left to fix.
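The boot sequence davidwr lays out above (preloader audits the BIOS and falls back to a factory copy, the BIOS then walks the boot order and loads only a signed loader with the "secure" bit set, else reports "no secure boot device found"), written out as a small simulation. This is an added example, not code from the article or from any vendor's firmware; the keyed HMAC standing in for a vendor signature, and all stage names and images, are constructed assumptions so that it runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key. A real chain would verify an
# asymmetric signature against a public key burned into the preloader; a keyed HMAC
# is an assumption made here only so the example runs offline.
VENDOR_KEY = b"constructed-vendor-key"

def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def verified(stage: dict) -> bool:
    """A stage may load only if its signature checks out AND its "secure" bit is set."""
    sig_ok = hmac.compare_digest(sign(stage["image"]), stage.get("signature", b""))
    return sig_ok and bool(stage.get("secure", False))

# Read-only factory BIOS the preloader falls back to.
FACTORY_BIOS = {"name": "factory-bios", "image": b"factory", "secure": True}
FACTORY_BIOS["signature"] = sign(FACTORY_BIOS["image"])

def boot(installed_bios: dict, boot_devices: list) -> list:
    """One power-on with the "I think I have a virus" switch on; returns the boot log."""
    log = []
    # Step 1: preloader audits the installed BIOS, else loads the factory copy.
    if verified(installed_bios):
        bios, msg = installed_bios, "preloader: installed BIOS verified"
    else:
        bios, msg = FACTORY_BIOS, "preloader: installed BIOS rejected, loading factory BIOS"
    log.append(msg)
    # Step 2: BIOS walks the boot order and loads the first verified loader.
    for dev in boot_devices:
        if verified(dev["loader"]):
            log.append(f"{bios['name']}: booting {dev['name']}")
            return log
        log.append(f"{bios['name']}: skipping {dev['name']}")
    log.append("no secure boot device found, insert secure boot device and restart computer")
    return log

def demo() -> list:
    """Constructed scenario: implanted BIOS, unsigned hard-disk loader, signed rescue CD."""
    tampered = {"name": "installed-bios", "image": b"bios+implant", "secure": True,
                "signature": sign(b"bios")}  # signature was made over the clean image
    hdd = {"name": "hdd", "loader": {"image": b"mbr", "secure": True}}  # no signature at all
    cd = {"name": "rescue-cd", "loader": {"image": b"rescue", "secure": True}}
    cd["loader"]["signature"] = sign(cd["loader"]["image"])
    return boot(tampered, [hdd, cd])

if __name__ == "__main__":
    print("\n".join(demo()))
```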

  3. Re:secure boot ftw! by meustrus · · Score: 3, Interesting

    Good thing I'm gonna get a win8 machine with secure boot. Fuck these assholes.

    That's what I was thinking. Then I thought, "Gee, this wasn't a big issue before but now that Windows 8 is going to have a feature to kill it, only then does major malware do this?" I hate to sound like a conspiracy nut, but this suggests that some arm of Microsoft might be involved in this. Knowing how Microsoft departments work (see "Mexican standoff") it's not too far-fetched to think that IF this were going on, 90% of the company wouldn't know.

    On a more salient technical question...exactly how does malware plan on installing a hidden boot partition? Did malware writers figure out how to shrink a live, mounted partition of the hard drive to make space for another one? Or are they just going to take over the "recovery" partition most vendors ship on their computers? Given that the first option is extremely unlikely, this seems like a good reason to suggest that vendors supply an OS install DVD (or read-only USB stick, or embedded read-only flash storage) instead of a recovery partition. Not that it's ever going to happen. Hardware vendors like being able to save on manufacturing (or even licensing) costs for the extra discs, at the expense of space for user data (which doesn't need to be disclosed in advertising). Microsoft is too focused on their secure boot crusade anyway.

    Combining the seeming nuttery with the technical question...what would Microsoft's goal be to create or help the development of this malware? To push secure boot? Why secure boot? To kill Linux? To kill Windows piracy? To help their partners ship unremovable crapware? To turn Windows into an iOS-style walled garden?

    --
    I sometimes ask revealing, often ignorant-seeming questions. Maybe they're harder to answer than you think.

  4. I don't agree with your blanket statement by Marrow · · Score: 2

    Some technologies are created for evil purposes by evil people. They have no beneficial use.
    Sorry, but technology is just a tool and some tools are good for only one thing: Bad.

  5. In addition to that ... by khasim · · Score: 2

    The way to defend against it is to boot the AV from CD, there are some that offer that.

    That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

    That way, not only can you check for KNOWN viruses ... but you can verify that the files you have do not have UNKNOWN viruses.

    The only problem (aside from the daily update thing) would be user-created files. So an easy way to move those files from the machine to something like a flash drive would be handy.

    Then do something similar for the registry.

    And you'd have a better way of evaluating anti-virus companies. Which of them identify the most files from the most legitimate vendors and how accurately.

    1. Re:In addition to that ... by LordLimecat · · Score: 2

      That's a good start. But there needs to be more. Such as having multiple hashes of the KNOWN files for the OS and apps.

      Windows has had that for ages; it's called Windows File Protection. The problem is that very rarely are the system files themselves attacked; that is too likely to trigger issues. Almost always, a third party DLL or driver is loaded at startup.

      When system files ARE infected, the automatic file recovery mechanism is usually subverted, and the DLLcache copy of the file is also infected.

      There is no silver bullet for this. Unless you want a walled garden, there will always be the possibility for system infections.
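khasim's "multiple hashes of the KNOWN files for the OS and apps" and LordLimecat's reply together describe what a whitelist manifest has to report: not only a known file whose hash changed, but also a file that is simply not on the list (the third-party DLL dropped next to the system files), with user-created directories left out of the audit. The following is an added example of such a check, not code from Windows File Protection or from anyone in the thread; the directory layout, file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, skip=()) -> dict:
    """Map relative path -> sha256 for every regular file under root, except skipped prefixes."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not any(rel.startswith(s) for s in skip):
            manifest[rel] = sha256_file(p)
    return manifest

def verify(root: Path, manifest: dict, skip=()) -> dict:
    """Classify files: modified (known path, wrong hash), unknown (not in manifest), missing."""
    current = build_manifest(root, skip)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unknown": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }

def demo() -> dict:
    """Constructed tree: one 'system' file, one user file that is deliberately not audited."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "users" / "alice").mkdir(parents=True)
        (root / "system32" / "kernel32.dll").write_bytes(b"constructed clean image")
        (root / "users" / "alice" / "notes.txt").write_text("user data, not audited")
        manifest = build_manifest(root, skip=("users/",))
        # The pattern LordLimecat describes: a new third-party DLL appears beside the
        # system files, and (more rarely) a known file is patched in place.
        (root / "system32" / "thirdparty.dll").write_bytes(b"constructed unknown file")
        (root / "system32" / "kernel32.dll").write_bytes(b"constructed patched image")
        return verify(root, manifest, skip=("users/",))

if __name__ == "__main__":
    print(demo())
```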

  6. Windows 8 secure boot by jader3rd · · Score: 2

    I know that no one here is willing to say a good thing about the proposed Windows 8 secure boot "feature", but isn't this rootkit scenario the one it's trying to prevent? Would the secure boot prevent a user from booting into Windows if a rootkit like this was on the computer?

  7. Re:Very creative by fuzzyfuzzyfungus · · Score: 2

    I can't speak for the collective consciousness of Slashdot; but the various 'trusted computing' stuff seems to have exactly the same set of trade-offs now that it did in the 90's: It does make malicious modification (by untrusted 3rd parties; malice by trusted parties actually becomes easier) more difficult; but there isn't an enormous amount of room for optimism about the percentage of devices that will accept the user as the root of trust, rather than whoever the vendor burned in. The number won't be zero, certainly; but it seems only reasonable to expect that the 'trusted' future will be dominated by hardware whose trust list does not include you.

  8. Too bad that most business uses will make that lock by Joe_Dragon · · Score: 2

    Too bad that most business uses will make that lockdown unworkable for quite some time.

    * Most businesses are just moving over to Windows 7 now and I don't see them going to Windows 8 any time soon.

    * In-house apps will take some time to move over to any kind of new iOS-style app-store-only system.

    * Antitrust laws

    * Lots of old software that businesses need.

    * The use of vendor systems with their own software / OSes

    * Lots of businesses don't use the OEM install and do their own, but the secure boot system can let Dell lock you into Dell hardware / Dell video / Dell HDD / other hardware that can cost up to $100 more than buying from any other online store, as well as locking you into the crapware-loaded Dell Windows 8 OEM install.

    * The use of Linux

  9. RE: by D'Sphitz · · Score: 3, Interesting

    If there is no free entry in the partition table then the malware reports to the C&C server and terminates.

    So if you make sure you have 4 primary partitions created, you are essentially immune?
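The ESET line quoted above says the malware needs a free entry in the partition table, which is what prompts the "four primary partitions" question. A defender-side check that follows from it: parse the classic MBR's four 16-byte entries, count the free (all-zero) slots, and diff the table against a snapshot taken while the machine was known clean, flagging any entry that appeared in a previously free slot and any boot flag that moved. This is an added example, not code from the article or from ESET; the disk images are constructed in memory (CHS fields are ignored) and the baseline/later snapshots are assumptions.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # classic MBR: four 16-byte entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY = "<B3xB3xII"           # status, (CHS ignored), type, (CHS ignored), LBA start, sector count

def make_mbr(entries) -> bytes:
    """Build a constructed MBR from (bootable, type, lba_start, sectors) tuples; the rest stays free."""
    table = b"".join(struct.pack(ENTRY, 0x80 if b else 0, t, s, n) for b, t, s, n in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + BOOT_SIGNATURE

def parse_partition_table(mbr: bytes) -> list:
    """Return the four entries as dicts; an all-zero entry is a free slot."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack(ENTRY, raw)
        entries.append({"slot": i, "free": raw == bytes(16), "bootable": status == 0x80,
                        "type": ptype, "lba_start": start, "sectors": count})
    return entries

def changes(baseline: bytes, current: bytes) -> dict:
    """What a defender wants from a table diff: free slots left, new entries, moved boot flags."""
    pairs = list(zip(parse_partition_table(baseline), parse_partition_table(current)))
    return {
        "free_slots": sum(a["free"] for _, a in pairs),
        "new_partitions": [a["slot"] for b, a in pairs if b["free"] and not a["free"]],
        "boot_flag_changed": [a["slot"] for b, a in pairs if b["bootable"] != a["bootable"]],
    }

def demo() -> dict:
    """Constructed disk: one bootable NTFS-type (0x07) partition, three free slots."""
    clean = make_mbr([(True, 0x07, 2048, 1_000_000)])
    # Later snapshot: a new entry appeared in slot 1 and the boot flag moved onto it.
    later = make_mbr([(False, 0x07, 2048, 1_000_000), (True, 0x07, 1_002_048, 4096)])
    return changes(clean, later)

if __name__ == "__main__":
    print(demo())
```

A table with all four slots in use reports zero free slots, which is the condition the quoted ESET text describes; the diff still catches a boot flag that moves between existing entries.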

  10. Affected platforms .. by microphage · · Score: 2

    Win32/Olmasco.R .. Affected platforms: Microsoft Windows .... enough said .....

  11. Re:Sony called... by Hyperhaplo · · Score: 2

    Sony are going to sue them for... copyright infringement? source code theft? business 'opportunity' theft? corporate impersonation? theft of corporate strategy?

    --
    You have a sick, twisted mind. Please subscribe me to your newsletter.