TDL4 / TDSS an "Indestructible" Botnet?



06/30/2011




Kevin R. Smith
Co-Editor


The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
That's a quote directly from Kaspersky's analysis of the TDL4 / TDSS bot.

No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news back in 2009 look pretty tame by comparison. Why?

TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.

TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Translation: the TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.

The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.

So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone. The protection 64-bit Windows relied on was its requirement that kernel drivers be digitally signed; because TDL-4's code takes control from the MBR before Windows loads, it gets its own driver into the kernel without ever passing that check.

This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Windows Master Boot Record (MBR), the first sector of the disk.

And, because the MBR is infected, it runs before the operating system even starts. Huh?

Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.

So, how the heck do you detect this thing, much less get rid of it?!

As of the writing of this piece, it's somewhat hit-or-miss as to whether a given piece of antivirus software will remove it if you're infected. So far, it looks like all the major antivirus software manufacturers have updated their software and/or signatures to detect it.

Even so, some of them, including Norton and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools:

Norton Bootable Discovery Tool
Kaspersky Anti-rootkit TDSSKiller

Microsoft's initial advice for removing Popureb (as Microsoft is calling it), according to a Computerworld.com piece, was,
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,
If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.
Ouch.

Depending on who you ask, this is either overkill or, really, the best, most cautious approach.

One researcher for Symantec, Vikram Thakur, says,
When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version 1.0.15.15640 as of this writing).

If you get bad news from GMER it'll look like,
As far as an official Microsoft response, the Microsoft Technet blog on Popureb.E says,
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

Here's how to fix the MBR by hand:
  1. Open a Windows Recovery Console.
  2. Use the tool BOOTREC.exe [1] to fix the MBR as in:

    bootrec.exe /fixmbr

  3. Restart the computer. You can then scan the system to remove any remaining malware.
Notably, Microsoft adds a critical part almost as an afterthought: "If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system."
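Two things above are worth being able to check for yourself: that a bootkit lives in the 446 bytes of boot code at the start of the disk (the partition table next to it usually stays untouched, so a normal-looking partition layout proves nothing), and that after bootrec /fixmbr the boot code should once again match a known-good copy. The script below is an added example written for this post, not Microsoft's, Kaspersky's or Symantec's code. It parses a 512-byte MBR, hashes the boot code, and compares it to a baseline. The two sample sectors and the "infected" boot bytes are constructed for the example; the read_mbr() helper and its device paths are assumptions about how you would feed it a real sector.

```python
"""Added example: parse a 512-byte MBR and compare its boot code to a known-good baseline.

A bootkit such as TDL-4 overwrites the boot code at the start of the disk while
leaving the partition table intact, so a partition table that looks normal is
not evidence of a clean MBR. The sample sectors below are constructed for this
example; the hashes are computed, not captured from a real infection.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code the BIOS jumps into
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510           # 0x55 0xAA marks a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into a boot-code hash, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one active partition, found %d" % len(bootable))
    return findings


def read_mbr(device: str) -> bytes:
    r"""Read the first sector of a raw device or disk image (assumed usage, not run here).

    On Windows this needs an elevated prompt and a path like '\\.\PhysicalDrive0';
    on Linux something like '/dev/sda'.
    """
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def _build_mbr(boot_code: bytes) -> bytes:
    """Assemble a sector from boot code plus one active NTFS partition (constructed sample)."""
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48  # three unused entries
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xAA"


# Constructed "clean" boot code: a few plausible x86 start-up bytes (cli; xor ax,ax; mov ss,ax ...).
CLEAN_MBR = _build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C")
# Constructed "infected" sector: identical partition table, but the boot code now starts
# with a jump into loader code that would pull a bootkit in from hidden sectors.
INFECTED_MBR = _build_mbr(b"\xEB\x20" + b"\x90" * 30 + b"\xB8\x42\x00\xCD\x13")

# The baseline must come from a sector you trust, e.g. one captured right after
# bootrec /fixmbr from a rescue disc; here it is simply the constructed clean sector.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_SHA256) or "OK")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_SHA256))
```

One caveat that follows directly from the post: run a check like this from a bootable rescue medium, not from the running Windows install. A rootkit that is already loaded can hide its modifications from anything reading the disk through the infected OS, which is the same reason the removal tools above boot from their own media and why Microsoft says to fix the MBR before a restore.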

The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."

If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods like GMER and the specific removal tools like those from Symantec and Kaspersky.

[1] More info on BOOTREC.exe.

Comments


Is this threat still at large? I better get protected. The effects of this malware seem to be devastating.

We better be careful with this threat. I hope it's already solved.
