Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Ch10: Remote Access Trojans and Zombie Networks

TDL4

TDL4, also known as TDSS, is considered to be one of more advanced malware types, not counting malware like Stuxnet, Flame, Gauss and others that are believed to have been created for cyberespionage purposes. It has several versions but the most well covered in press in version 4. 

As this is a pretty complex malware it probably will not survive change of Windows version (for example from Windows 7 to 8) or significant patches like Windows service pack.  But technologies used will survive.

Hysteria in popular press was both funny and disgusting as if this was the end of the world.

TDL4 includes book virus part that infects the hard disk drive's Master Boot Record (MBR), much like DOS book viruses did. There is nothing new in this idea as it originated in first DOS Boot viruses. The interesting part is this code integrates with Windows code. It is unclear as Windows XP and Windows 7 are much more sophisticated systems then DOS and most probably there is no access to NTFS from boot virus part (it is just too small to have a driver and it is difficult to cut a part of harddrive to install it in some outer tracks.

But from description of previous (BackDoor.Tdss.565_(aka TDL3)  you can guess that this is an effort of a well financed organization so they probably have a couple of nasty tricks in their sleeves.   Debugging software of this level of complexity is a very challenging task that requires significant resources.

I think that for the same reason (overcomplexity) Windows part detection is not that difficult and has nothing to do with existence of a boot part -- rootkit or no rootkit.

After malware detected the game is simple: reinstallation of the OS or reinstallation of "trusted" backup from bootable media ( see Softpanorama Malware Defense Strategy ). Any of those two methods will wipe it out.

For more information see


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[Oct 03, 2012] Sorry, but the TDL botnet is not 'indestructible' Malware by Roger A. Grimes

June 30, 2011 | www.infoworld.com

Malware and alarmism over its proliferation are nothing new -- and the latest boot-sector rootkit will be cured soon enough

The sophistication of the TDL rootkit and the global expanse of its botnet have many observers worried about the antimalware industry's ability to respond. Clearly, the TDL malware family is designed to be difficult to detect and remove. Several respected security researchers have gone so far as to say that the TDL botnet, composed of millions of TDL-infected PCs, is "practically indestructible."

As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.

This isn't the first time we're supposed to be scared of MBR (master boot record)-infecting malware. In 1987, well before the days of the Internet, the Stoned boot virus infected millions of PCs around the world. Subsequent "improvements" in hacking allowed malware authors to create DOS viruses that could manipulate the operating system to hide themselves from prying eyes. (Actually, the first IBM PC virus, Pakistani Brain did this in 1986, too.) Computer viruses became encrypted and polymorphic, and they started taking data hostage.

With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against. But each time the antimalware industry and other software vendors responded to defang the latest threat. Yesterday's indestructible virus became tomorrow's historical footnote.

Even today's malware masterpiece, Stuxnet -- as perfect as it is for its intended military job -- could be neutralized if it became superpopular. Luckily, military-grade worms are few and far between, so most users don't have to suffer while waiting for defenses to be developed.

The truth is, like every other malware family variant, TDL and its botnet will probably be around for years to exploit millions of additional PCs. But it didn't take an advanced superbot to do that. Take a look at any monthly WildList tally. It always contains malware programs written years ago.

Today, almost every malware program lives in perpetuity, dying off only when the exploited program or process dies with it. Boot viruses from the 1980s and 1990s didn't stop being a threat until floppy disks and disk drives went away. Macro viruses didn't die until people stopped writing macros and Microsoft Office disabled automacros by default.

No, what really bothers me more are the malware programs that do something completely new because it takes so much longer for antimalware programs, software vendors, and users to adapt to the tactic. For instance, it took us years to teach folks not to open every file attachment to defeat email viruses and worms -- but it takes the bad guys only a few minutes to change strategies. Today, we need to tell folks not to click on the Internet link emailed to them by a trusted friend and not to install random applications sent to them in Facebook or through their mobile phone.

But our biggest threat is an MBR PC-infector? Been there, done that.

This article, "Sorry, but the TDL botnet is not 'indestructible'," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

[Oct 03, 2012] Elusive TDL4 malware variant infected Fortune 500 companies, gov't agencies by Lucian Constantin

While information on DGA is interesting, "researchers from security vendor Damballa" like any "security vendor researchers" are far from being the most trustworthy folk in such cases. They usually promote FUD in the interests of their companies and are as close to PR scum as one can get.
September 18, 2012 | Computerworld

Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA),

Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.

DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.

Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites including facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com when opened on infected computers,

An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals -- without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits -- boot rootkits -- because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

[Oct 03, 2012] More in Cybercrime & Hacking

I like this "practically indestructible" scam propagated by Golovanov serving in a role of a frontman for Kaspersky FUD operation. In reality we see technologies that were developed for DOS viruses are now reincarnated for Windows XP -- Windows 7 world (Windows 8 PC has hardware protection against boot viruses). What is so indestructible about boot viruses. Evgeni Kaspersky started his career with destructing them :-).
Computerworld

A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say.

"TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

"[TDL-4] is practically indestructible," Golovanov said.

Others agree.

"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."

Golovanov and Stewart based their judgments on a variety of TDL-4's traits, all which make it an extremely tough character to detect, delete, suppress or eradicate.

For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.

But that's not TDL-4's secret weapon.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."

Schouwenberg cited several high-profile botnet take-downs -- which have ranged from a coordinated effort that crippled Conficker last year to 2011's FBI-led take-down of Coreflood -- as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.

"Each time a botnet gets taken down it raises the bar for the next time," noted Schouwenberg. "The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers."

TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.

The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May, 08, 2017