TLD4 / TDSS an "Indestructible" Botnet?
Kevin R. Smith
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?
Translation: the TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.
TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TLD-4, for instance, is now able to infect 64-bit systems.
So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.
This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows MBR Master Boot Record.The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
And, because the MBR is infected, it runs before the operating system even starts. Huh?
Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.
So, how the heck do you detect this thing, much less get rid of it?!
As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.
Even still some of them, including Norton and Kaspersky are considering this such a big threat, they're making specific Popureb / TDL-4 / TDSS removal tools.
Kaspersky Anti-rootkit TDSSKiller
Microsoft's initial advice to remove Popureb (as Microsoft is calling it) according to a Computerworld.com piece was,
This is inline with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
Ouch.If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
Depending on who you ask, this is either overkill or, really, the best, most cautious approach.
One researcher for Symantec, Vikram Thakur, says,
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is, GMER (version 126.96.36.19940 as of this writing.)When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you get bad news from GMER it'll look like,
Notably, Microsoft adds a critical part almost as an afterthought,If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.
Here's how to fix the MBR by hand:
- Open a Windows Recovery Console
- For Windows XP:
Installing and using the Recovery Console in Windows XP
- For Windows Vista:
System Recovery Options in Windows Vista
- For Windows 7:
System Recovery Options in Windows 7
- Use the tool BOOTREC.exe1 to fix the MBR as in:
- Restart the computer and you can then scan the system to remove any remaining malware.
If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.
The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."
If you've been infected, we'd suggest trying to ferret it our first with your antivirus software. If that doesn't work, look to some of the other methods like the GMER and the specific removal tools like those from Symantec and Kaspersky. 1More info on BOOTREC.exe.
The comments to this entry are closed.