
Microsoft blasted recent claims that the new TDL-4 botnet was indestructible. No botnet is impervious to decapitating C&C takedowns and a concerted attack, it states.  (Source: Google Images)
Company points to takedown of "indestructible" Rustock, Waledac as case studies in how to kill a tough botnet

Today, networks of malware-infected computers called "botnets" are controlled by malicious masters to spread spam and orchestrate takedown attacks across the internet.  These botnets are becoming very well crafted, leading some to suggest that they may be "indestructible".

In response to one such claim by Dell Inc. (DELL) SecureWorks researcher Joe Stewart, who said that the TDL-4 botnet was "pretty much indestructible", the senior attorney with Microsoft Corp.'s (MSFT) Digital Crimes Unit argued that the claim is false and that any botnet is destructible.

Richard Boscovich comments in an interview with ComputerWorld, "If someone says that a botnet is indestructible, they are not being very creative legally or technically. To say that it can't be done underestimates the ability of the good guys. People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.'"

TDL-4 will certainly be a tough one to take down.  The malware has infected 4.5 million PCs thus far, and it embeds a rootkit deep in the hard drive, in the master boot record.  The malware removes other pieces of malware found on the machine to avoid detection.  And it uses peer-to-peer connections to update its list of command and control (C&C) servers, so that taking down individual C&C servers does not cut the bots off from their masters.
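A rootkit that lives in the master boot record changes the 446 bytes of boot code that run before the operating system does, so the defender-side check is to record a hash of that boot code while the machine is known clean and compare against it later. The script below is an added example, not code from the article or from any vendor tool: it parses a 512-byte MBR (boot code, four partition entries, the 0x55AA signature), compares the boot-code hash to a baseline, and, as an extra heuristic, flags a large run of sectors past the last partition, the kind of place a rootkit's hidden storage ends up. The MBR images and disk size are constructed in the script; they are not from a real disk.

```python
"""Baseline-and-compare check for a 512-byte Master Boot Record (MBR).

Added example, not from the article. The MBR images below are constructed
byte strings, not a real disk image. The boot-code baseline hash is assumed
to have been recorded while the machine was known clean."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE_OFF = 510        # bytes 510..511 must be 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash, partition entries and signature state."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) lba-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    sig = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sig == 0xAA55,
    }


def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if sum(1 for p in used if p["bootable"]) != 1:
        findings.append("expected exactly one bootable partition")
    # Heuristic: a large tail of sectors beyond the last partition deserves a look,
    # since rootkits that hide data on disk keep it outside any partition.
    end = max((p["lba_start"] + p["sectors"] for p in used), default=0)
    if disk_sectors - end > 2048:
        findings.append(f"{disk_sectors - end} sectors unallocated after last partition")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, sectors)
    mbr[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample data (not a real disk image).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 8)
PARTITIONS = [(0x80, 0x07, 2048, 204800)]   # one bootable NTFS partition
DISK_SECTORS = 2048 + 204800 + 1024         # small, normal slack at the end

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Same disk, but the first bytes of the boot code were overwritten with a jump,
# the shape of change a bootkit leaves behind (constructed, not a real sample).
TAMPERED_MBR = build_mbr(b"\xeb\x60" + CLEAN_BOOT_CODE[2:], PARTITIONS)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE, DISK_SECTORS))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE, DISK_SECTORS))
```

On a real machine the 512 bytes would come from the first sector of the boot disk (read with administrative rights), and the baseline hash would be stored off-host, since a rootkit with the privileges the article describes can alter anything kept locally.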

However, Microsoft takes major issue with the idea that TDL-4 is indestructible.  After all, Microsoft already killed a botnet called "Waledac" that used similar peer-to-peer updates.  Waledac, known for sending up to 1.5 billion pieces of spam daily, was decapitated in February 2010 when a court order allowed Microsoft to cut off 276 domains associated with the botnet.  

Microsoft also used additional undisclosed measures (perhaps denial of service attacks) to make sure the peer-to-peer network was fully dead and unable to update the C&C information.

In March, with help from Microsoft, federal agents raided a hosting company, seizing servers responsible for the Rustock botnet.  With the botnet brains decapitated, the botnet effectively died, taking half of spam in the U.S. with it.  And in April Microsoft and federal authorities successfully killed the 10-year-old "Coreflood" botnet via a similar C&C decapitation approach.
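Once a takedown has named the C&C domains, defenders can turn that list into a detection: any internal host still resolving those names is a likely bot waiting for orders. The script below is an added example and not code from the article, Microsoft, or any of the companies named; it parses a few BIND-style DNS query log lines (constructed here, as is the domain list, which uses placeholder names rather than real indicators) and reports each source address that queried a seized domain or any subdomain of one.

```python
"""Find hosts that look up known command-and-control domains in a DNS query log.

Added example, not from the article. The domain list and log lines are
constructed placeholders, not real indicators. The log format assumed is the
classic BIND query-log line: '<date> <time> client <ip>#<port>: query: <name> IN <type> ...'."""
import re
from collections import defaultdict
from typing import Iterator, Optional, Tuple

# Constructed list standing in for the domains named in a takedown order.
SEIZED_DOMAINS = {"cc-update.example", "peerlist.example", "spam-relay.example"}

# Constructed sample log lines.
QUERY_LOG = """\
10-Jul-2011 14:27:44.101 client 10.0.5.23#51342: query: www.microsoft.com IN A + (10.0.0.2)
10-Jul-2011 14:27:45.220 client 10.0.5.23#51343: query: n3.cc-update.example IN A + (10.0.0.2)
10-Jul-2011 14:27:46.004 client 10.0.7.9#40211: query: peerlist.example IN TXT + (10.0.0.2)
10-Jul-2011 14:27:47.318 client 10.0.5.23#51344: query: cc-update.example IN A + (10.0.0.2)
10-Jul-2011 14:27:48.900 client 10.0.9.14#33001: query: mail.example.org IN MX + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, source_ip, queried_name, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Normalise the name: drop a trailing dot and fold case before matching.
            yield m["ts"], m["src"], m["name"].rstrip(".").lower(), m["qtype"]


def matches_seized(name: str, seized=SEIZED_DOMAINS) -> Optional[str]:
    """Return the seized domain that `name` equals or is a subdomain of, else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in seized:
            return candidate
    return None


def suspicious_hosts(text: str) -> dict:
    """Map each source IP to a list of (timestamp, queried name, matched seized domain)."""
    hits = defaultdict(list)
    for ts, src, name, _qtype in parse_query_log(text):
        hit = matches_seized(name)
        if hit:
            hits[src].append((ts, name, hit))
    return dict(hits)


if __name__ == "__main__":
    for host, events in suspicious_hosts(QUERY_LOG).items():
        print(host, f"{len(events)} lookups:", [e[1] for e in events])
```

The suffix walk in matches_seized matters because a bot rarely asks for the bare registered domain; it asks for whatever host label the malware generates under it, so an exact-match list would miss most of the traffic.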

Mr. Boscovich comments, "[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet. Each takedown is different, each one is complicated in its own way. Each one is going to be different, but that doesn't mean that there cannot be a way to do this with any botnet."

Symantec security researcher Sergey Golovanov says the botnet is "practically indestructible."  He remarks, "[TDL-4 is] the most sophisticated threat today."

However, even Dell backed off somewhat from their initial remarks, with a SecureWorks spokesperson saying this week, "Since mid-March 2011, Dell SecureWorks' CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft."

Indeed, Alex Lanstein, a senior engineer with FireEye, a security company that worked with Microsoft on the takedowns, says cooperation between Microsoft, other companies, and U.S. law enforcement agencies has proved integral to mounting the combined assaults needed to bring down tough botnets.  He states, "It's the trust relationships Microsoft has created and I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works. With the Rustock takedown, Microsoft has built the framework for others to do the same. This is definitely not the last botnet we're going to go after."

So, TDL-4 may be tough -- but "indestructible"?  Not so much.


I wonder
By bug77 on 7/10/2011 2:27:44 PM , Rating: 2
If it needs to connect through P2P, can it be mitigated by a simple firewall?

PS Ouch, not Sonya!

RE: I wonder
By kingmotley on 7/10/2011 3:36:28 PM , Rating: 3

RE: I wonder
By DanNeely on 7/11/2011 12:09:06 AM , Rating: 2
TDL-4 piggybacks on an existing p2p network, precluding cutting it off without also killing much larger amounts of non-botnet traffic.

RE: I wonder
By bug77 on 7/11/2011 3:45:00 AM , Rating: 2

RE: I wonder
By AntiM on 7/11/2011 10:31:06 AM , Rating: 2
I wonder if simply running a /fixmbr command will remove the rootkit. Assuming you think you're infected. Even if you're not, it won't hurt anything.

RE: I wonder
By bug77 on 7/11/2011 10:50:31 AM , Rating: 4
It will if there's a GRUB over there ;)

However, I'd be surprised if, given its elevated privileges, the virus didn't write itself into the new MBR.

RE: I wonder
By damage75 on 7/12/2011 5:53:53 AM , Rating: 2
TDL-4 is still evolving, but TDSSkiller is the most effective fix I've seen. Fixmbr can be used, but it's fairly complicated and you still have to deal with the invisible filesystem, registry issues and infected files (there are also reports of bricked systems after running fixmbr).

The bigger problem is how to stop it "without" the client computer being patched. Not sure if keeping MS security updates current prevents the initial infection or not (anyone know?), but its p2p capability is of concern.

Fixing the issue on systems left dusty is so very much harder, thus the Waledac technique. I did learn the hard-coded IPs in TDL-4 are for a single subset of the threat (which puts me back to worrying about C&C cycling). It's great reading the research on this disturbingly advanced malware. Kudos to MS for trying to find a way to crush it; 4+ million computers are running it right now. It's enough to make me think a "forced" patch might be acceptable in some cases...

By icanhascpu on 7/10/2011 2:32:18 PM , Rating: 2
Something about a hydra...


Attorney bashing other company
By Gondor on 7/11/2011 3:30:12 AM , Rating: 1
That attorney should get back to whatever he does for a living. Computer security specialists aren't telling him how to do his job and I'm pretty sure they made their assessment to the best of their abilities. Ergo I'm more inclined to trust them when it comes to matters of security than some lawyer.

If he knows how to take that botnet down he's free to do so and we'll all be happy should he succeed.

botnets lol
By Argon18 on 7/10/11, Rating: -1
RE: botnets lol
By SilthDraeth on 7/10/2011 3:00:08 PM , Rating: 5
Calling other OS's impervious is just as ignorant as calling anything indestructible.

RE: botnets lol
By B3an on 7/10/2011 3:02:10 PM , Rating: 2
LOL they're not impervious, especially in the case of OSX which is the least secure OS of all three. These people just don't bother with botnets for these OS's as the market share is so low, but I can see it happening to OSX if it keeps gaining market. Linux will never go anywhere though.

RE: botnets lol
By macdevdude on 7/10/11, Rating: -1
RE: botnets lol
By Warwulf on 7/10/2011 3:34:19 PM , Rating: 5
The truth is no one bothers with OS X because hardly anybody uses it. What are they going to do, write a virus/botnet/worm that targets 10% of PCs running OS X?

RE: botnets lol
By Reclaimer77 on 7/10/2011 10:01:40 PM , Rating: 5
10%? I think you're being too generous.

RE: botnets lol
By rudolphna on 7/10/2011 3:53:31 PM , Rating: 5
Your name says it all.

Dude, stfu or gtfo. Those security conferences are evidence enough. You know, the "Hack a computer, win a computer" competitions. Windows, Linux machines take hours, days sometimes. Macs? A few minutes, every time.

Apple is the most insecure platform of them all. Again, the reason that they don't bother writing that many viruses and go through the work of creating a botnet for mac users, is because there are so few macs out there, relatively speaking, compared to Windows, that there is no real benefit in doing so. Mac users should be proud, they are basically considered too inconsequential and irrelevant to deal with.

RE: botnets lol
By themaster08 on 7/10/2011 5:17:21 PM , Rating: 5
If the OS was so insecure, why wouldn't malware writers just write really quick and easy programs to steal Apple owners' credit cards?? Oh right, because you're just making stuff up.
Sure, it's called MacDefender.

RE: botnets lol
By Flunk on 7/10/2011 9:21:41 PM , Rating: 3
"single-user mindset"? You're thinking of Windows 9X. NT (which was a total rewrite of the OS) was always designed as a multi-user, graphical OS.

RE: botnets lol
By tecknurd on 7/10/2011 11:32:54 PM , Rating: 2
OS X/Linux were built on the multi-user security-minded world of Unix. Windows, by contrast, was originally built with a single-user mindset, thus why the platform is inherently less secure.

Yes, Mac OS X and GNU/Linux are built with a multi-user, security-minded world, but these operating systems used for desktops are set up differently. Ubuntu, for example, sets up root with a random password and asks the normal user for their password when doing administrating tasks. Is this secure? Not exactly. The root is used when it is absolutely necessary, but asking a user's password for everything that root does is not any more secure than Windows. Ubuntu uses sudo for substituting a user for root privileges, but it is supposed to be used for certain users and not all users.

Mac OS X is the same as Ubuntu.

For everybody's information, botnets can run on any operating system. Botnet creators just attack Windows because it is easy to tamper with and yes, it is the majority OS.

RE: botnets lol
By spacemonkey211 on 7/11/2011 12:08:27 PM , Rating: 2
Actually Ubuntu locks out root with no password and then requires a password to access root. Since it doesn't have one, root is effectively blocked from direct access.

Sudo is used to elevate your status to root using your own password. To use sudo you need root access to change its config to give you access. The initial "admin" user is given total sudo control.

Root is only as secure as the sudo users' passwords are in Ubuntu, and without root access you are limited to your home folder and maybe /tmp.

RE: botnets lol
By hillsurfer on 7/11/2011 1:20:49 AM , Rating: 2
Unix was originally designed for sharing information, not for keeping it secure. It's evolved a lot since, but it's not impervious, just a waste of time for anyone wanting millions of computers for a botnet. If you managed to convince the world that every computer should have a unix-based OS, and everyone on the planet did such, then every botnet would run on a unix-based OS.

So, by promoting unix/osx/linux, if everyone takes your advice (which is unlikely), you're making the world a safer place for unix/osx/linux botnets.

RE: botnets lol
By icanhascpu on 7/10/11, Rating: -1
RE: botnets lol
By StevoLincolnite on 7/10/2011 3:07:01 PM , Rating: 2
Linux, OSX, and all the other unix-like OS's win again, for being impervious to these botnet viruses. Have fun Microsofties!

Bad Troll, go to your room!

And for the record... Anything made by Man is prone to fail eventually.

RE: botnets lol
By phazers on 7/10/2011 3:08:48 PM , Rating: 5
Linux, OSX, and all the other unix-like OS's win again, for being impervious to these botnet viruses.


First Mac OS X botnet activated
By Mark Hattersley,
April 17, 2009 01:10 PM ET

The first botnet created with Mac computers running OS X software has been activated, according to reports filtering out across the Internet...

Occurs to me that certain smug putzes could stand to get out of their basement more often, seeing as how this news is over 2 yrs old now..

RE: botnets lol
By PrinceGaz on 7/10/2011 4:51:18 PM , Rating: 3
Exactly. Steve Jobs is my lord and saviour because He keeps me safe every day from these evil botnets infecting Windows computers. I love iDevices and would possibly bow down in prayer towards Cupertino every day if there was an app on the AppStore which provided the correct direction to bow down in.

RE: botnets lol
By jamesjwb on 7/10/2011 5:56:57 PM , Rating: 5
the correct prayer position is South of Jobs' belly button.

RE: botnets lol
By Tim Thorpe on 7/10/2011 6:20:13 PM , Rating: 3
It's crowded down here!

RE: botnets lol
By MrPerez on 7/10/11, Rating: -1
RE: botnets lol
By Etsp on 7/11/2011 1:05:38 AM , Rating: 2
How is Linux less secure? I mean, specific examples. What metric are you using to make that judgement? Number of security patches? Number of vulnerabilities? Everything I've read says that a well-configured Linux computer is one of the most secure computing platforms.

RE: botnets lol
By themaster08 on 7/11/2011 2:48:07 AM , Rating: 3
Everything I've read says that a well-configured Linux computer is one of the most secure computing platforms.
As is a well-configured Windows computer. We've all seen what happens to Windows machines that are not kept updated and are abused. As we've seen, hackers such as LulzSec take down many, many Unix-based servers that have been ill maintained. Being a multi-user OS didn't save them from LulzSec. Windows is also multi-user. Those poor Macheads just can't find their way out of 1998. The world remains the same while OS X advances.

Do you really think that every Windows user keeps their system up-to-date with the latest security patches and anti-virus definitions?

The amount of PCs, even in enterprise, that I've worked on, repaired, removed viruses from, and disposed of that are running Windows XP Service Pack 2 or less, with out-of-date virus definitions from 5 anti-virus vendors at the same time is absurd.

Do you know what the average person does when they see an update show up in their notification area? They ignore it. That is the start for many of the problems that Windows users experience. Because they're simply too lazy to click a button that says Update.

RE: botnets lol
By spacemonkey211 on 7/11/2011 12:02:50 PM , Rating: 4
Hate to burst your bubble, but more of the internet is run on GNU/Linux computers. So it is a HUGE target. Linux is very secure... and is constantly under attack.

RE: botnets lol
By Gurthang on 7/11/2011 8:14:32 AM , Rating: 2
Rootkiting botnets move through networks like real human viruses. The trick is to find a vulnerability that can be exploited, then exploit the crap out of it with your new code until someone notices and fixes it or creates defenses against it, to get enough systems infected to make it worth the time you spent creating the botnet.

The reason there are fewer Linux/OSX botnets has little to do with system security and everything to do with economics. Basically there are too many variations and too few systems using Linux/OSX around to make an attack that will work long enough to make a worthwhile botnet. You live in the 5% and below safety net, similar to typical real vaccination programs: so long as 95+% of the population is "immune" via vaccination, the remaining population that cannot be vaccinated is "fairly" safe from infection because the herd protects you. In this case your population is so sparse and diverse that passing the infection on becomes difficult and thus not worth the time.

As to iOS/Android/WP7 time will tell, the way data is metered on cell phones makes it easier to spot unusual activity. I doubt attacks will move beyond annoyance type attacks and data theft type attacks there.

RE: botnets lol
By Nutzo on 7/11/2011 12:30:16 PM , Rating: 2
Typical clueless Apple user.

The small increase in Apple’s market share hasn’t been enough to make them a target. However, it is getting more difficult for these hackers to infect Windows systems due to the increasing market share of the more secure Windows 7.

The end result is that OSX is increasingly becoming a target (See the recent stories about Mac Defender)
The real problem is that Apple (and especially the typical Mac user) is not prepared to handle any type of major virus outbreak. It’s going to be fun to watch the chaos.

Oy veh!
By damage75 on 7/11/11, Rating: -1
RE: Oy veh!
By damage75 on 7/11/11, Rating: 0
RE: Oy veh!
By Fireshade on 7/11/2011 8:50:22 AM , Rating: 2
Well, a law itself won't help of course. Enforcement and reach is the strength of a law.
What a law can do is give 'bot fighters' free rein in the methods used to kill a botnet. Which can stretch pretty far, if so allowed. In analogy, I guess the USA PATRIOT Act is a good example of giving free rein to the government to counter ehm.. pretty much anything.

Also, that lawyer (or anyone else for that matter) did not say it's easy to take down a botnet. He said that they can be taken down. They're not "indestructible" as others put it.

RE: Oy veh!
By ajcarroll on 7/11/2011 9:26:02 AM , Rating: 5
Actually the law plays a huge role here. Microsoft deserves kudos for taking the lead in shutting down Waledac. It not only involved considerable heavy-hitting technical skills on their part, but it also involved them leveraging a rarely used legal maneuver, an Ex Parte Temporary Restraining Order - which basically gave them the legal right to take action without notifying the other party. Typically if someone takes legal action against you, you are notified. What made the legal side of the Waledac takedown novel was the Ex Parte TRO - basically Microsoft got a court order to simultaneously seize over 250 domains - they did this in conjunction with some serious technical effort.

They get a lot of credit for this in the security community. I think the comments their lawyer made that are referenced in the article are actually fair and reasonable - it's not a case of some ill-informed mouthpiece.

Only time will tell whether they manage to shut down TDL-4 - but they are very well regarded in the security community for what they've pulled off recently, and yes it does indeed combine legal with technical stuff - i.e. they get a very specific and detailed court order that allows them to attack a botnet and seize domain names.

RE: Oy veh!
By aromero78 on 7/11/2011 9:31:53 AM , Rating: 2
Me thinks he doth protest too much!

RE: Oy veh!
By damage75 on 7/11/2011 9:56:02 AM , Rating: 2
Possibly protesting too much - yes. I suppose if MS had the legal right to just shut off any and all domains they cared to - that would dent the virus. My point is that TDL-4 has shown some interesting twists and it would not surprise me to find it uniquely cycling C&C domains. That would mean, regardless of MS's authority, they would not be able to snuff it as they did with Waledac (where the C&C's were essentially hard-coded).

Now if they could get every user to perform an update - no problem, but there is the "rub" as they say...

RE: Oy veh!
By damage75 on 7/11/2011 10:29:50 AM , Rating: 2
Ah ha! The TDL-4 writers may not be so smart after all.

From Roland Dela Paz (Threat Response Engineer) at TrendMicro -
"Interestingly enough, I noticed that the malicious URLs and IP addresses from which WORM_OTURUN.ASH downloads BKDR_TDSS.ASH are hard-coded into the worm’s code."

If that remains the case, then MS could use the Waledac tactic and we're good to go. I hope that this continues to be true.

RE: Oy veh!
By Mitch101 on 7/11/2011 12:24:11 PM , Rating: 4
I wouldn't be surprised if Symantec says these things to try and scare everyone into buying their Anti-Virus/Anti-Malware products, and I take anything Symantec has to say with a grain of salt; their products have been going downhill for ages. Wanna rebuild your machine? Just uninstall a Symantec product and you'll be forced to rebuild it. No other products I've used have destroyed more machines than Symantec.

