
Thread: Ping: Dustin Cook - How would *you* find this rootkit?

  1. #1
    ~BD~ Guest

    Ping: Dustin Cook - How would *you* find this rootkit?

    One of the world's stealthiest pieces of malware infected more than 4.5
    million PCs in just three months, making it possible for its authors to
    force keyloggers, adware, and other malicious programs on the
    compromised machines at any time.



    'Indestructible' rootkit enslaves 4.5m PCs in 3 months


    The TDSS rootkit burst on the scene in 2008 and quickly earned the
    begrudging respect of security experts for its long list of highly
    advanced features. It is virtually undetectable by antivirus software,
    and its use of low-level instructions makes it extremely hard for
    researchers to conduct reconnaissance on it. A built-in encryption
    scheme prevents network monitoring tools from intercepting
    communications sent between control servers and infected machines.

    The latest TDL-4 version of the rootkit, which is used as a persistent
    backdoor to install other types of malware, infected 4.52 million
    machines in the first three months of this year, according to a detailed
    technical analysis published Wednesday by antivirus firm Kaspersky Lab.

    Additional changes include a new antivirus feature that rids
    TDSS-infected machines of 20 rival malware titles, including ZeuS, Gbot,
    and Optima. It also blacklists the addresses of command and control
    servers used by these competing programs to prevent them from working
    properly.

    Like the Popureb trojan and the Torpig botnet (aka Sinowal and Anserin),
    it also infects the master boot record of a compromised PC's hard drive,
    ensuring that malware is running even before Windows is loaded.

    Ref: http://www.theregister.co.uk/2011/06...reon_advances/

    --
    Dave - I find the bit about ridding infected machines of rival malware
    rather interesting. That's what I suggested a malware /cleaning/ product
    might do! How would one ever know it had happened?!!


  2. #2
    Mike Easter Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    a.p.s only - no daft x-post to unrelated groups like a BD troll.

    ~BD~ wrote:

    > The latest TDL-4 version of the rootkit,


    The problems are/ start with/ detection. If you can detect a boot sector
    problem/condition, then you have to 'get rid of' - zero or perhaps
    replace - the boot sector which is followed by creation of a new boot
    sector and operating system.


    --
    Mike Easter

  3. #3
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    Mike Easter wrote:
    > a.p.s only - no daft x-post to unrelated groups like a BD troll.


    Adding an additional 34 readers is hardly trolling!

    alt.politics.scorched-earth alt.politics.scorched-earth@googlegroups.com
    Language: English
    34 subscribers, Messages per month: 4267, Usenet

    http://groups.google.com/groups/dir?...ched-earth%2C&

    >
    > ~BD~ wrote:
    >
    >> The latest TDL-4 version of the rootkit,

    >
    > The problems are/ start with/ detection. If you can detect a boot sector
    > problem/condition, then you have to 'get rid of' - zero or perhaps
    > replace - the boot sector which is followed by creation of a new boot
    > sector and operating system.


    The problem, surely, is knowing why one *should* look for a problem in
    the first place! If all appears quite /normal/ to a computer user ...!!!

  4. #4
    Mike Easter Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ wrote:
    > Mike Easter wrote:
    >> ~BD~ wrote:
    >>
    >>> The latest TDL-4 version of the rootkit,

    >>
    >> The problems are/ start with/ detection.


    > The problem, surely, is knowing why one *should* look for a problem
    > in the first place!


    Absolutely.

    This is not a trivial problem.


    And your newsreader is not making proper quote marks. Please correct
    your problem.

    --
    Mike Easter

  5. #5
    Bullwinkle. Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    LOL You should practice what you preach.



    "Mike Easter" <MikeE@ster.invalid> wrote in message
    news:972n69Fte5U2@mid.individual.net...
    ~. Please correct
    your problem.

    Mike Easter


  6. #6
    ~BD~ Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    David H. Lipman wrote:
    > From: "Mike Easter"<MikeE@ster.invalid>
    >
    >> a.p.s only - no daft x-post to unrelated groups like a BD troll.
    >>
    >> ~BD~ wrote:
    >>
    >>> The latest TDL-4 version of the rootkit,

    >>
    >> The problems are/ start with/ detection. If you can detect a boot sector
    >> problem/condition, then you have to 'get rid of' - zero or perhaps replace - the boot
    >> sector which is followed by creation of a new boot sector and operating system.
    >>

    >
    > What the author calls TDL-4 is actually the TDSS RootKit Level 4 or TDL4.
    > There are multiple ways this RootKit manifests itself and injecting itself into the MBR is
    > but one methodology.


    How do you suggest that one might become aware of its presence?

    > There are multiple ways that it can be detected as well.


    What methods of detection are available, Mr Lipman?


  7. #7
    G. Morgan Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ wrote:

    >
    >How do you suggest that one might become aware of its presence?
    >
    >> There are multiple ways that it can be detected as well.

    >
    >What methods of detection are available, Mr Lipman?


    http://support.kaspersky.com/viruses...?qid=208280684


  8. #8
    Max Wachtel Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    On 06/30/2011 07:38 AM, David H. Lipman wrote:

    > However he has shown he has the ability to piss on himself thus negating the need for
    > outside assistance.
    >
    >

    lol

  9. #9
    David H. Lipman Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    From: "G. Morgan" <G_Morgan@easy.com>

    > ~BD~ wrote:
    >
    >> How do you suggest that one might become aware of its presence?
    >>
    >>> There are multiple ways that it can be detected as well.

    >>
    >> What methods of detection are available, Mr Lipman?

    >
    > http://support.kaspersky.com/viruses...?qid=208280684



    http://www.securelist.com/en/analysi...0/TDL4_Top_Bot

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  10. #10
    Dustin Guest

    Re: Ping: Dustin Cook - How would *you* find this rootkit?

    ~BD~ <~BD~@nomail.afraid.com> wrote in
    news:iuh3tu$9ln$1@dont-email.me:

    > One of the world's stealthiest pieces of malware infected more than
    > 4.5 million PCs in just three months, making it possible for its
    > authors to force keyloggers, adware, and other malicious programs on
    > the compromised machines at any time.


    Via the method I already provided Morgan. It's software, despite the
    news media claims, it still has to follow the same rules any other
    bootstrap module would. What makes it difficult to remove tho, is the
    key system file patching. It consists of mbr modification (fixable),
    .sys file (you won't find it easily while the machine is running an
    infected OS), and various support dlls patched. (those may not be
    possible to just fix due to bugs in the patching routines in the
    rootkit. IE: he kills them sometimes).

    If you can find usable backups of the critical dll files, and verify
    they are still as they should be via digital signature check, you could
    restore the mbr to known clean status, remove the bad .sys file (it's
    going to have an odd name when you see it), and then replace the bad
    dlls (they will all fail digital signature check when the infected os
    isn't running).

    > 'Indestructible' rootkit enslaves 4.5m PCs in 3 months


    Only for people like you.

    > The TDSS rootkit burst on the scene in 2008 and quickly earned the
    > begrudging respect of security experts for its long list of highly
    > advanced features. It is virtually undetectable by antivirus


    What security experts? Why no specific names? Newsflash, the
    "advanced" features are *all* well known tricks of the Vx trade. I'm
    familiar with *all* of them and have written POC code for them as well.
    What you think is "rootkit" I still think of as stealth. The game
    hasn't changed.

    > software, and its use of low-level instructions makes it extremely
    > hard for researchers to conduct reconnaissance on it. A built-in
    > encryption scheme prevents network monitoring tools from
    > intercepting communications sent between control servers and
    > infected machines.


    While the comms itself is encrypted, you can still see the source IP,
    destination IP and image file responsible for it. Encrypted comms from
    an app you aren't familiar with is still going to stick out like a sore
    thumb.

    > The latest TDL-4 version of the rootkit, which is used as a
    > persistent backdoor to install other types of malware, infected 4.52
    > million machines in the first three months of this year, according
    > to a detailed technical analysis published Wednesday by antivirus
    > firm Kaspersky Lab.


    I've already seen.. mebbe.. 10-12 machines with this new rootkit. It's
    no more of a pain than its predecessors. Well, unless you can't find
    suitable dlls to replace, then you will be reinstalling windows.
    If the authors of the rootkit had properly infected the dlls, it could
    be reversed and so a reinstall wouldn't be necessary; but they didn't.

    > Like the Popureb trojan and the Torpig botnet (aka Sinowal and
    > Anserin), it also infects the master boot record of a compromised
    > PC's hard drive, ensuring that malware is running even before
    > Windows is loaded.


    Not very difficult to deal with, either.

    > Dave - I find the bit about ridding infected machines of rival
    > malware rather interesting. That's what I suggested a malware
    > /cleaning/ product might do! How would one ever know it had
    > happened?!!


    It's all old news. Some viruses would disinfect your machine from
    competing viruses if they were present. A legitimate malware cleaning
    product wouldn't do what you suggest, and I will be transferring your
    rl details over to malwarebytes so they may have recourse for legal
    action for your comments. Your slimeball days are a bit limited. People
    who wish to be able to discuss legal issues with you will soon be able
    to do so, in person, over the phone or via snail mail.


    --
    (Hey) I keep on thinking that it's
    (Hey) all done and all over now (whoa)
    You keep on thinking you can save me save me
    (Hey) My ship is sinking but it's
    (Hey) all good and I can go down (whoa)
    You've got me thinking that the party's all over

