'Indestructible' rootkit enslaves 4.5m PCs in 3 months

One of the world's stealthiest pieces of malware infected more than 4.5 million PCs in just three months, making it possible for its authors to force keyloggers, adware, and other malicious programs on the compromised machines at any time. The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of …

COMMENTS

This topic is closed for new posts.

  1. Anonymous Coward
    Anonymous Coward

    Would this work?

    "Additional changes include a new antivirus feature that rids TDSS-infected machines of 20 rival malware titles, including ZeuS, Gbot, and Optima. It also blacklists the addresses of command and control servers used by these competing programs to prevent them from working properly."

    So, in order to detect TDSS, why not intentionally infect your system with enough of the signature from the 20 rival malware products. The malware you use would look like the real thing, but be inert. If you have TDSS on your system, it will react by attempting to clear out the rival malware. I got the idea thinking about the smallpox vaccine. It uses an inert virus to trick the body into producing antibodies to defeat the real virii.

    1. Mike Hocker
      Boffin

      Phagekit

      Or why not install a low level driver (a phagekit if you will) of your own, such that TDSS identifies a key piece of itself for destruction.... if the piece is system unique (i.e., only critical for TDSS and not for WinCrap/FanBois/Nix) it would be a lead bullet solution (leaves dead bodies around, vs. silver bullet when everything is pristine afterwards). Of course the response by TDSS drones would be to locate TDSS somewhere critical so the phage becomes fatal... but at least you aren't infected anymore!

      Or have TDSS add its own control servers to its own blacklist... always a busy signal.

  2. Anonymous Coward
    WTF?

    "DoD wipe the whole drive"

    How many readers still don't realise that this business of "DoD wiping" (multiple passes over every block with different patterns of data, to ensure any "remanent magnetism" is erased) has been irrelevant since drives were bigger than a few dozen MB?

    1. Daniel 4
      Boffin

      @AC 15:54

      "How many readers still don't realise that this business of "DoD wiping" (multiple passes over every block with different patterns of data, to ensure any "remanent magnetism" is erased) has been irrelevant since drives were bigger than a few dozen MB?"

      Um, most?

      Of course, it depends on exactly why you say it's not an issue, but the most obvious one is that the encoding methods these days are radically different. The original "DoD wiping" algorithm was written with a specific couple of drive types in mind, intended to do the maximum amount of damage to the original data. Multiple pass overwrites MIGHT still be useful, but there's really nothing to be gained from writing that particular pattern anymore. I have read papers suggesting tossing in a pass of random data between a pass of ones and a pass of zeros can be worthwhile, but the efficacy of even that is almost certainly still drive specific.

      Short version: It takes an amazing amount of resources to try to get /anything/ off of a simple couple passes of ones and zeros. Anything that is going to be recovered will probably be recovered no matter what you do with software, so if you're really paranoid, physically destroy the drive. Personally, I've never been that paranoid on my home drives - I don't want people reading my private life, banking records, etc., but it's never been worth melting the platters down in the off chance the FBI would get a bee in their bonnet.

      -d

      1. Anonymous Coward
        Thumb Up

        Nice writeup Daniel

        AC 15:54 again

        Nice writeup.

        Most of the readers who don't know "DoD wipe is irrelevant" hopefully won't make themselves look silly by trying to sound impressive (and being wrong). Hopefully now more of them know it is irrelevant, and why.

        "the encoding methods these days are radically different."

        That and the radically different track following methods in anything but antique drives, which mean that there's little chance of retrieving data by positioning the read head slightly "off track", which is part of what "DoD erase" was meant to deal with.

        I'm convinced it's a major miracle we get any data off these things at all.

        Mind you the DoD themselves probably still insist on DoD erase.

        Let's be careful out there.

      2. Anonymous Coward
        Boffin

        Destroying Data

        I prefer physical destruction, a couple of minutes in a hydraulic press and only the infinite resources of the Iranian Guard redirected from the navel gazing pursuit of tying 2000 knots/inch in Persian carpets will recover the data.

        If I were truly paranoid though, raising the oxide to the curie temperature is the way to go. Merely melting the platter may not be enough.... depending on the oxide used.

        If a resource recovery site is available nearby, one could also watch the drive tossed into an arc furnace. But you usually have to have faith that they really did throw the drive into the waste stream... and that just isn't good enough when paranoia runs deep. Can you really trust that the minimum wage grunt isn't on the &blackhelo payroll? Or even just a wannabe cracker in his/her spare time?

  3. Will Godfrey
    Unhappy

    Maybe

    Grub and LILO could be modified so that on installation they filled the whole of the MBR with pseudo-random data, then created a hash of it for subsequent boot tests. If the very first bit of data on the record was also a jump to an actual address somewhere in the middle of this crap the virus would have to do a *lot* of work to hide in there.

    Disclaimer

    I know nothing!
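The post above sketches hashing the MBR at install time and verifying it on later boots. As an added example that is not from the thread or from GRUB or LILO, the following Python implements the verification half: it parses a 512-byte MBR, fingerprints the boot code with SHA-256, and reports any difference from a stored baseline, including partition table changes. The sample MBR, its single partition entry, and the tampered copy are constructed here for illustration.

```python
import hashlib
import random
import struct

MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 446, 446
SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        # entry layout: status, CHS start (3 bytes, skipped), type, CHS end (3, skipped),
        # LBA of first sector, sector count (both little-endian 32-bit)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts, "signature": mbr[510:]}

def fingerprint(mbr: bytes) -> dict:
    """Baseline to record at install time: boot code hash plus the partition table."""
    p = parse_mbr(mbr)
    return {"boot_code_sha256": hashlib.sha256(p["boot_code"]).hexdigest(),
            "partitions": p["partitions"], "signature_ok": p["signature"] == SIGNATURE}

def check_mbr(current: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline; an empty list means no change."""
    now = fingerprint(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("0x55AA signature missing: sector is not a valid MBR")
    if now["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (bootkit-style modification)")
    for i, (old, new) in enumerate(zip(baseline["partitions"], now["partitions"])):
        if old != new:
            findings.append(f"partition entry {i} changed: {old} -> {new}")
    return findings

def build_sample_mbr(seed: int = 1) -> bytes:
    """Constructed sample: pseudo-random boot code and one active type-0x07 partition."""
    rng = random.Random(seed)
    boot = bytes(rng.getrandbits(8) for _ in range(BOOT_CODE_LEN))
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, starts at LBA 2048
    return boot + entry + bytes(48) + SIGNATURE  # three empty entries, then the signature

def tamper_boot_code(mbr: bytes) -> bytes:
    """Constructed test input: the first 16 bytes of boot code replaced, as a modified MBR would differ."""
    return bytes(16) + mbr[16:]

if __name__ == "__main__":
    baseline = fingerprint(build_sample_mbr())
    print("clean:", check_mbr(build_sample_mbr(), baseline))  # []
    print("tampered:", check_mbr(tamper_boot_code(build_sample_mbr()), baseline))
```

On a real system the baseline must itself live somewhere the boot code cannot rewrite, otherwise a bootkit that replaces the boot code can replace the stored hash as well.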

  4. Martin 50
    Paris Hilton

    GNU

    I laughed when halfway through the Securelist article it said:

    However, the system does face [two] major obstacles:

    ...

    2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

    They are malware authors/distributors, FFS; adding a charge of annoying some open-sourcers seems to be like adding a littering charge to a burglary prosecution! Plus 'major obstacle' to what exactly - selling it in PC World??

    (Paris, as she also has two major obstacles to face.)

  5. Dave Lawton
    Holmes

    Test for / Remove the root kit?

    Go to http://support.kaspersky.com/faq/?qid=208283363

    Currently V2.5.8.0 dated Jun 28 2011

    So should deal with the latest version.

  6. Anonymous Coward
    Facepalm

    CleanDNS

    So why doesn't someone sell a service that has a clean DNS with a nice whitelist?

    Yes, it would need an external box in the network path [because the Intel/AMD boxes just can't be trusted by themselves, even TPM is inadequate], and IP addresses would be sent to the cleanDNS also for reverse checking.

    OK, so the crackers would change to infecting white list sites with malware to let them behave as control points in addition to whatever their normal use was... and fast flux to evade the laggardly updating of the cleanDNS.

    Rats, another solution that won't work.

  7. Mixtlupus
    Angel

    Removal

    Not only is this virus a right pain in the proverbial but it's a pain to get rid of too, took me almost a day to work out how to get the little tyke off of an infected PC for one of our customers (though admittedly most of that time was running various virus/malware scanners that had little or no effect), a colleague resorted to FDisking a PC a week earlier, just glad I managed to clean the latest one.

    Out of interest a lot of BIOSes have a boot sector protection option that should be enabled once Windows is installed (even a lot of old AMIBIOS systems had this 10 years ago), this would prevent infection of the bootsector, halt the system when an infection attempts to take place and pipe an error straight to the graphics card & internal beeper :)

  8. Bluey1701

    Cut the Windows v Linux crap

    Have worked in the IT Security industry for over 30 years now, and the only reason Windows is targeted is down to numbers. Creators of these rootkits are in it for PROFIT only.

    Were Linux or Mac to hold a 90% share of all home OSes, it would be targeted by and hammered with just as much malware as Windows is now, whilst the Windows owning minority would be crowing about how secure and trouble free their OS was.

    Please let's make it clear, from the point of view of this Security expert, ALL operating systems are vulnerable to a determined enough attacker. Mac and Linux have just as many weaknesses as Windows, but it's not as worthwhile in terms of money to target them when trying to infect home based systems.

    As was pointed out earlier, Eternal Vigilance is the only answer. If you believe you're safe because you run Linux, you are delusional.
