
Thread: Ping: Dustin Cook - How would *you* find this rootkit?


  1. #1
    ~BD~ Guest

    Ping: Dustin Cook - How would *you* find this rootkit?

    One of the world's stealthiest pieces of malware infected more than 4.5
    million PCs in just three months, making it possible for its authors to
    force keyloggers, adware, and other malicious programs on the
    compromised machines at any time.



    'Indestructible' rootkit enslaves 4.5m PCs in 3 months


    The TDSS rootkit burst on the scene in 2008 and quickly earned the
    begrudging respect of security experts for its long list of highly
    advanced features. It is virtually undetectable by antivirus software,
    and its use of low-level instructions makes it extremely hard for
    researchers to conduct reconnaissance on it. A built-in encryption
    scheme prevents network monitoring tools from intercepting
    communications sent between control servers and infected machines.

    The latest TDL-4 version of the rootkit, which is used as a persistent
    backdoor to install other types of malware, infected 4.52 million
    machines in the first three months of this year, according to a detailed
    technical analysis published Wednesday by antivirus firm Kaspersky Lab.

    Additional changes include a new antivirus feature that rids
    TDSS-infected machines of 20 rival malware titles, including ZeuS, Gbot,
    and Optima. It also blacklists the addresses of command and control
    servers used by these competing programs to prevent them from working
    properly.

    Like the Popureb trojan and the Torpig botnet (aka Sinowal and Anserin),
    it also infects the master boot record of a compromised PC's hard drive,
    ensuring that malware is running even before Windows is loaded.

    Ref: http://www.theregister.co.uk/2011/06...reon_advances/

    --
    Dave - I find the bit about ridding infected machines of rival malware
    rather interesting. That's what I suggested a malware /cleaning/ product
    might do! How would one ever know it had happened?!!


  2. #2
    Mike Easter Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    a.p.s only - no daft x-post to unrelated groups like a BD troll.

    ~BD~ wrote:

    > The latest TDL-4 version of the rootkit,


    The problems are/ start with/ detection. If you can detect a boot sector
    problem/condition, then you have to 'get rid of' - zero or perhaps
    replace - the boot sector which is followed by creation of a new boot
    sector and operating system.


    --
    Mike Easter

  3. #3
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    Mike Easter wrote:
    > a.p.s only - no daft x-post to unrelated groups like a BD troll.


    Adding an additional 34 readers is hardly trolling!

    alt.politics.scorched-earth alt.politics.scorched-earth@googlegroups.com
    Language: English
    34 subscribers, Messages per month: 4267, Usenet

    http://groups.google.com/groups/dir?...ched-earth%2C&

    >
    > ~BD~ wrote:
    >
    >> The latest TDL-4 version of the rootkit,

    >
    > The problems are/ start with/ detection. If you can detect a boot sector
    > problem/condition, then you have to 'get rid of' - zero or perhaps
    > replace - the boot sector which is followed by creation of a new boot
    > sector and operating system.


    The problem, surely, is knowing why one *should* look for a problem in
    the first place! If all appears quite /normal/ to a computer user ...!!!

  4. #4
    Mike Easter Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ wrote:
    > Mike Easter wrote:
    >> ~BD~ wrote:
    >>
    >>> The latest TDL-4 version of the rootkit,

    >>
    >> The problems are/ start with/ detection.


    > The problem, surely, is knowing why one *should* look for a problem
    > in the first place!


    Absolutely.

    This is not a trivial problem.


    And your newsreader is not making proper quote marks. Please correct
    your problem.

    --
    Mike Easter

  5. #5
    Bullwinkle. Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    LOL You should practice what you preach.



    "Mike Easter" <MikeE@ster.invalid> wrote in message
    news:972n69Fte5U2@mid.individual.net...
    ~. Please correct
    your problem.

    Mike Easter


  6. #6
    Dustin Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ <~BD~@nomail.afraid.com> wrote in
    news:iuh7me$rvc$1@dont-email.me:

    > The problem, surely, is knowing why one *should* look for a problem
    > in the first place! If all appears quite /normal/ to a computer user
    > ...!!!


    I'm not an average computer user. You're tilting at windmills, again.


    --
    (Hey) I keep on thinking that it's
    (Hey) all done and all over now (whoa)
    You keep on thinking you can save me save me
    (Hey) My ship is sinking but it's
    (Hey) all good and I can go down (whoa)
    You've got me thinking that the party's all over


  7. #7
    FromTheRafters Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    "~BD~" <~BD~@nomail.afraid.com> wrote in message
    news:iuh7me$rvc$1@dont-email.me...
    > Mike Easter wrote:
    >> a.p.s only - no daft x-post to unrelated groups like a BD troll.

    >
    > Adding an additional 34 readers is hardly trolling!
    >
    > alt.politics.scorched-earth alt.politics.scorched-earth@googlegroups.com
    > Language: English
    > 34 subscribers, Messages per month: 4267, Usenet
    >
    > http://groups.google.com/groups/dir?...ched-earth%2C&
    >
    > >
    > > ~BD~ wrote:
    > >
    > >> The latest TDL-4 version of the rootkit,

    > >
    > > The problems are/ start with/ detection. If you can detect a boot sector
    > > problem/condition, then you have to 'get rid of' - zero or perhaps
    > > replace - the boot sector which is followed by creation of a new boot
    > > sector and operating system.

    >
    > The problem, surely, is knowing why one *should* look for a problem in the
    > first place! If all appears quite /normal/ to a computer user ...!!!


    That's true, but what's your point? Are you paving the way to slimy
    innuendo, or are you actually asking about detecting or identifying
    a rootkit?

    You're probably not going to find such a rootkit unless you suspect one is
    present, or you routinely check the startup axis code. The thing is, a rootkit
    will likely be hiding something else, and that something else *does something*,
    more than likely using networking. When network activity is noticed, and an
    investigation is conducted, it will be noticed that tools on the computer doing
    the nefarious communicating are not giving a complete picture. It is *that*
    that will cause one to suspect a rootkit.

    Detection can be a behavioral thing, but identification requires more. Once
    you suspect it is there, you inspect it from a clean environment to identify
    it and possibly repair/replace affected areas.

    If a certain paranoid fantasy about otherwise legitimate security software
    (antivirus/antimalware) installing rootkits were actually true, said rootkits
    would be discovered in short order by the behavior (activity) the programs
    that they hide engage in.
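
    The cross-view check FromTheRafters describes above (on-host tools not giving a complete picture of traffic that is visible elsewhere) as an added example, not code from the original thread: it parses a constructed host-side connection table in the shape of `netstat -ano` output and a constructed perimeter flow list in a hypothetical "proto src -> dst" format, and reports TCP flows the edge saw that the host does not list.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto local_ip local_port remote_ip remote_port")

# Constructed sample: the connection table as the (possibly subverted) host
# reports it, in the shape of `netstat -ano` output. Not real data.
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49152       198.51.100.5:443       ESTABLISHED     1204
  TCP    192.0.2.10:49153       198.51.100.9:80        ESTABLISHED     2288
  UDP    192.0.2.10:53011       *:*                                    1040
"""

# Constructed sample: flows for the same host as seen by a perimeter device
# (hypothetical "proto src -> dst" format chosen for this example).
EDGE_FLOWS = """\
TCP 192.0.2.10:49152 -> 198.51.100.5:443
TCP 192.0.2.10:49153 -> 198.51.100.9:80
TCP 192.0.2.10:49170 -> 203.0.113.77:443
UDP 192.0.2.10:53011 -> 203.0.113.53:53
"""

_HOST_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)")
_EDGE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)")

def _flows(text, pattern):
    """Parse every line matching pattern into a Flow; lines that do not match
    (the header, UDP sockets listed as *:*) are skipped."""
    out = set()
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.add(Flow(m.group(1), m.group(2), int(m.group(3)),
                         m.group(4), int(m.group(5))))
    return out

def unreported_flows(host_text, edge_text, host_ip):
    """TCP flows the edge saw leaving host_ip that the host's own tools do not
    list. UDP is left out on purpose: the host keeps no per-peer state for it,
    so an edge-only UDP flow (e.g. a DNS query) is not by itself suspicious."""
    host = _flows(host_text, _HOST_RE)
    edge = {f for f in _flows(edge_text, _EDGE_RE)
            if f.local_ip == host_ip and f.proto == "TCP"}
    return sorted(edge - host)

if __name__ == "__main__":
    for f in unreported_flows(HOST_NETSTAT, EDGE_FLOWS, "192.0.2.10"):
        print(f"host did not report {f.proto} {f.remote_ip}:{f.remote_port}")
```

A single discrepancy like this is the cue to image the disk and inspect it from a clean environment, as the post goes on to say; the host's own view is no longer trusted once it disagrees with the wire.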



  8. #8
    Aardvark Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:

    > If a certain paranoid fantasy about otherwise legitimate security
    > software (antivirus/antimalware) installing rootkits were actually true,
    > said rootkits would be discovered in short order by the behavior
    > (activity) the programs that they hide engage in.


    Yeah, but where would be the trolling fun for BD in accepting that fact?



    --
    "Those who do not make human beings the center of their concern soon
    lose the capacity to make any ethical choices, for they willingly
    sacrifice others in the name of the politically expedient and
    practical." - Dwight Macdonald, “The Root Is Man.”

  9. #9
    FromTheRafters Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?


    "Aardvark" <aardvark@youllnever.know> wrote in message
    news:ZhjPp.27447$J65.1301@newsfe14.ams2...
    > On Fri, 01 Jul 2011 06:40:55 -0400, FromTheRafters wrote:
    >
    >> If a certain paranoid fantasy about otherwise legitimate security
    >> software (antivirus/antimalware) installing rootkits were actually true,
    >> said rootkits would be discovered in short order by the behavior
    >> (activity) the programs that they hide engage in.

    >
    > Yeah, but where would be the trolling fun for BD in accepting that fact?


    Surely he wouldn't let a little logic cloud his vision.



  10. #10
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    FromTheRafters wrote:
    > "~BD~"<~BD~@nomail.afraid.com> wrote in message
    > news:iuh7me$rvc$1@dont-email.me...
    >> Mike Easter wrote:
    >>> a.p.s only - no daft x-post to unrelated groups like a BD troll.

    >>
    >> Adding an additional 34 readers is hardly trolling!
    >>
    >> alt.politics.scorched-earth alt.politics.scorched-earth@googlegroups.com
    >> Language: English
    >> 34 subscribers, Messages per month: 4267, Usenet
    >>
    >> http://groups.google.com/groups/dir?...ched-earth%2C&
    >>
    >>>
    >>> ~BD~ wrote:
    >>>
    >>>> The latest TDL-4 version of the rootkit,
    >>>
    >>> The problems are/ start with/ detection. If you can detect a boot sector
    >>> problem/condition, then you have to 'get rid of' - zero or perhaps
    >>> replace - the boot sector which is followed by creation of a new boot
    >>> sector and operating system.

    >>
    >> The problem, surely, is knowing why one *should* look for a problem in the
    >> first place! If all appears quite /normal/ to a computer user ...!!!

    >
    > That's true, but what's your point? Are you paving the way to slimey
    > innuendo, or are you actually asking about detecting or identifying
    > a rootkit?


    The latter.

    > You're probably not going to find such a rootkit unless you suspect one is
    > present, or you routinely check the startup axis code. The thing is, a rootkit
    > will likely be hiding something else, and that something else *does something*,
    > more than likely using networking. When network activity is noticed, and an
    > investigation is conducted, it will be noticed that tools on the computer doing
    > the nefarious communicating are not giving a complete picture. It is *that*
    > that will cause one to suspect a rootkit.


    I suggest that the /average/ computer user would *not* notice any such
    network activity whilst his/her computer is carrying out the tasks
    demanded of it. (email, surfing etc)

    > Detection can be a behavioral thing, but identification requires more. Once
    > you suspect it is there, you inspect it from a clean environment to identify
    > it and possibly repair/replace affected areas.


    I agree.

    > If a certain paranoid fantasy (Edit: are you *sure?!!!) about otherwise legitimate security software
    > (antivirus/antimalware) installing rootkits were actually true, said rootkits
    > would be discovered in short order by the behavior (activity) the programs
    > that they hide engage in.


    Would you please expand on that premise?

    Who, exactly, will be looking for any unusual behaviour (activity)?

    Dave


