Print 79 comment(s) - last by EricMartello.. on Jul 6 at 10:48 PM

TDL-4 detects and disables other malware to hide itself

Over the last year, there have been a number of high profile takedowns of botnets. These takedowns lead to a significant reduction in the amount of spam that computer users see in their inbox.

Security researchers are talking about a new botnet called TDL-4 and they say that it is virtually indestructible. The designers of the botnet used some ingenious methods to ensure that their net isn't as easy to take offline as previous botnets.

Security researcher Sergey Golovanod from Kapersky Labs said in a report on the TDL-4 botnet, "[TDL-4 is] the most sophisticated threat today." Joe Stewart is a malware researcher at Dell SecureWorks, he said, "I wouldn't say it's [TDL-4] perfectly indestructible, but it is pretty much indestructible. It does a very good job of maintaining itself."

There are several factors that work together to make TDL-4 so robust. One of the factors is that the malware infects the master boot record of the computers HDD it resides on. This is the first sector of the hard drive read when a computer starts and the malware rootkit is installed there. That makes the rootkit invisible to security software and the OS.

The thing that makes the botnet even more robust is the method that it uses to communicate with infected computers from the command and control servers. The TDL-4 botnet uses a public peer-to-peer network called the Kad P2P network for one of the two channels it uses to communicate between infected machines and the C&C servers.

Kapersky researcher Roek Schouwenberg wrote in an email to Computerworld, "The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet. The TDL guys are doing their utmost not to become the next gang to lose their botnet."

The hackers behind the botnet also use their own encryption algorithm and use the domain names of the C&C servers as the encryption keys. The use of a public network is the key to the robust botnet and helps ensure the TDL-4 network remains online.

Schouwenberg said, "Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network. The fact that TDL has two separate channels for communications will make any take-down very, very tough."

So far, the TDL-4 botnet is very effective with an estimated 4.5 million Windows computers currently infected. Stewart said, "The 4.5 million is not surprising at all. It [TDL-4] might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."

Another key to the longevity of the TDL-4 malware is the fact that it finds and disables other malware on the computer. This is done because the less likely the user is to know of any infection on their computer, the less likely they are to investigate further and potentially discover the TDL-4 malware on the machine.

Golovanov said, "TDL-4 doesn't delete itself following installation of other malware. At any time [it] can ... delete malware it has downloaded."

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Invisible?
By Smilin on 6/30/2011 2:00:16 PM , Rating: 5
Agreed. How can a program executed from an OS be written to a place "invisible" to the os? If the MBR was some mysterious "invisible" place to the OS, then it could not be written to in the first place. It may be the first place that is read from, but the OS definitely has visibility to it.

This is not entirely correct. If you insert filter drivers (lower or upper as appropriate) into necessary I/O stacks you can intercept calls and change them. In this case inserting a filter driver into the disk driver would allow you to intercept any read attempt at sector 0 and redirect it to a sector of your choosing that has a copy of the original sector.

That's just one method and may or may not be what they are doing here. Making it completely bullet proof would be (nearly) impossible but you could easily intercept most methods.

The same thing can be done with the registry and even display. I've found viruses before that cause explorer to simply not list certain filenames. Rename a file to one of these names and it disappears. Since there are often multiple paths to the "evidence" you can still get to the infection. In this case launching the cmd prompt from taskmanager's 'run' will let cmd.exe run outside the explorer.exe process.

RE: Invisible?
By tastyratz on 6/30/2011 2:21:12 PM , Rating: 4
Exactly what I was going to say you beat me to it. The mbr is not visible if you are essentially emulating a clean mbr for every scanner. It is very easy to infect a windows machine with a virus that ends up transparent to windows itself even outside of the mbr if you hijack host processes. There are numerous virii that can not truly be scanned for and deleted without booting from a bartpe/ubcd disc or another partition.

RE: Invisible?
By Smilin on 6/30/11, Rating: 0
RE: Invisible?
By bah12 on 7/1/2011 9:56:47 AM , Rating: 2
My point was that if this was invisible to the OS (and thus anything running within the OS), then why is there a GUI tool already available that can see it and remove it. Invisible means, can't be seen. I'd expect the removal process to involve getting out of the OS if it were truly "invisible". Clearly the tool can see it, so the OS could as well, doesn't mean it does just that it could.

This paragraph read to me that the virus was hard if not impossible to remove. That simply is not the case.

RE: Invisible?
By Smilin on 7/1/2011 10:50:32 AM , Rating: 2
I explained this in my post above.

There are many ways to see masked rootkits and the good ones will prevent most of these. Hiding from antivirus is really easy once an infection is in place. Hiding from a tool dedicated to finding that particular malware would be difficult if not impossible.

For example (again): Stick a lowerfilter driver in to map sector 0 reads to another sector. You're screwed... nothing reading from the disk driver would be able to see the real sector. BUT..someone could always stick yet another filter driver under the first.

Impossible to remove? No. It's just going to take a bit more capability than is built into antivirus by default. A "cleaning tool" would be necessary (until the AV is updated).

Mind you, removing a rootkit from a machine is not the same thing as removing a botnet from the 'net. This particular one can't be disabled en-mass like some in the past.

RE: Invisible?
By ekv on 7/4/2011 2:37:38 AM , Rating: 2
This particular one can't be disabled en-mass like some in the past.
However, that gives me an idea. I shall require vast sums of research money in order to capture the botnet in toto.

And so it goes. Interesting game of cat-and-mouse, and I damn well intend to keep my computer clean. 8)

"Folks that want porn can buy an Android phone." -- Steve Jobs

Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki