|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better
Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Contents : Foreword : Ch01 : Ch02 : Ch03 : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13
Ch10: Remote Access Trojans and Zombie Networks
TDL4, also known as TDSS, is considered to be one of more advanced malware types, not counting malware like Stuxnet, Flame, Gauss and others that are believed to have been created for cyberespionage purposes. It has several versions but the most well covered in press in version 4.
As this is a pretty complex malware it probably will not survive change of Windows version (for example from Windows 7 to 8) or significant patches like Windows service pack. But technologies used will survive.
Hysteria in popular press was both funny and disgusting as if this was the end of the world.
TDL4 includes book virus part that infects the hard disk drive's Master Boot Record (MBR), much like DOS book viruses did. There is nothing new in this idea as it originated in first DOS Boot viruses. The interesting part is this code integrates with Windows code. It is unclear as Windows XP and Windows 7 are much more sophisticated systems then DOS and most probably there is no access to NTFS from boot virus part (it is just too small to have a driver and it is difficult to cut a part of harddrive to install it in some outer tracks.
But from description of previous (BackDoor.Tdss.565_(aka TDL3) you can guess that this is an effort of a well financed organization so they probably have a couple of nasty tricks in their sleeves. Debugging software of this level of complexity is a very challenging task that requires significant resources.
I think that for the same reason (overcomplexity) Windows part detection is not that difficult and has nothing to do with existence of a boot part -- rootkit or no rootkit.
After malware detected the game is simple: reinstallation of the OS or reinstallation of "trusted" backup from bootable media ( see Softpanorama Malware Defense Strategy ). Any of those two methods will wipe it out.
For more information see
June 30, 2011 | www.infoworld.com
Malware and alarmism over its proliferation are nothing new -- and the latest boot-sector rootkit will be cured soon enough
The sophistication of the TDL rootkit and the global expanse of its botnet have many observers worried about the antimalware industry's ability to respond. Clearly, the TDL malware family is designed to be difficult to detect and remove. Several respected security researchers have gone so far as to say that the TDL botnet, composed of millions of TDL-infected PCs, is "practically indestructible."
As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.
This isn't the first time we're supposed to be scared of MBR (master boot record)-infecting malware. In 1987, well before the days of the Internet, the Stoned boot virus infected millions of PCs around the world. Subsequent "improvements" in hacking allowed malware authors to create DOS viruses that could manipulate the operating system to hide themselves from prying eyes. (Actually, the first IBM PC virus, Pakistani Brain did this in 1986, too.) Computer viruses became encrypted and polymorphic, and they started taking data hostage.
With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against. But each time the antimalware industry and other software vendors responded to defang the latest threat. Yesterday's indestructible virus became tomorrow's historical footnote.
Even today's malware masterpiece, Stuxnet -- as perfect as it is for its intended military job -- could be neutralized if it became superpopular. Luckily, military-grade worms are few and far between, so most users don't have to suffer while waiting for defenses to be developed.
The truth is, like every other malware family variant, TDL and its botnet will probably be around for years to exploit millions of additional PCs. But it didn't take an advanced superbot to do that. Take a look at any monthly WildList tally. It always contains malware programs written years ago.
Today, almost every malware program lives in perpetuity, dying off only when the exploited program or process dies with it. Boot viruses from the 1980s and 1990s didn't stop being a threat until floppy disks and disk drives went away. Macro viruses didn't die until people stopped writing macros and Microsoft Office disabled automacros by default.
No, what really bothers me more are the malware programs that do something completely new because it takes so much longer for antimalware programs, software vendors, and users to adapt to the tactic. For instance, it took us years to teach folks not to open every file attachment to defeat email viruses and worms -- but it takes the bad guys only a few minutes to change strategies. Today, we need to tell folks not to click on the Internet link emailed to them by a trusted friend and not to install random applications sent to them in Facebook or through their mobile phone.
But our biggest threat is an MBR PC-infector? Been there, done that.
This article, "Sorry, but the TDL botnet is not 'indestructible'," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.
September 18, 2012 | Computerworld
Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.
On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA),
Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.
DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.
Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites including facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com when opened on infected computers,
An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals -- without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits -- boot rootkits -- because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.
A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say.
"TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
"[TDL-4] is practically indestructible," Golovanov said.
"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."
Golovanov and Stewart based their judgments on a variety of TDL-4's traits, all which make it an extremely tough character to detect, delete, suppress or eradicate.
For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.
Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.
But that's not TDL-4's secret weapon.
What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."
Schouwenberg cited several high-profile botnet take-downs -- which have ranged from a coordinated effort that crippled Conficker last year to 2011's FBI-led take-down of Coreflood -- as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.
"Each time a botnet gets taken down it raises the bar for the next time," noted Schouwenberg. "The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers."
TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.
The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.
- Court rules former Goldman Sachs programmer did not violate federal theft law
- Our future cyberdefenders set to face off
- UK hacker accessed accounts for 20 months before bust
- Visa, MasterCard acknowledge data breach
- Do-it-yourself plan to take down Sality botnet outlined on public mailing list
- ESingles must face reality of LulzSec Reborn's MilitarySingles.com hack, experts say
- Operation Global Blackout: Real danger or irrelevant?
- Microsoft co-founder Paul Allen victim of ID theft
- News International security chief arrested in phone hacking case
- Was LulzSec bust part of a play against Julian Assange?
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: March, 12, 2019