Slashdot: News for Nerds

Massive Botnet "Indestructible," Say Researchers

samzenpus posted about 3 years ago | from the +1-or-better-update-to-hit dept.

Botnet 583

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"


583 comments

Take 'em offline (3, Insightful)

jnpcl (1929302) | about 3 years ago | (#36617644)

Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

Re:Take 'em offline (5, Insightful)

Shikaku (1129753) | about 3 years ago | (#36617688)

From TFS:

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

The answer is you can't tell, and neither can the ISP.

"What about the volume?" Encrypted Bittorrent.

Re:Take 'em offline (1)

vux984 (928602) | about 3 years ago | (#36617702)

So what's the difference between this botnet data, an SSL connection to a bank, or an encrypted email/file?

Well there must be some way to sniff them out or the researchers wouldn't know it existed or have any idea that millions of machines were infected....

Re:Take 'em offline (5, Informative)

realityimpaired (1668397) | about 3 years ago | (#36617802)

Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

Re:Take 'em offline (4, Informative)

vux984 (928602) | about 3 years ago | (#36617936)

I'm with you on the use of netcat etc.

I assume they build honey pot systems, setup with shit security, programmed to randomly surf the web and click on everything that it finds... and then take it offline into a lab and see what there is to see.

it's fairly trivial to estimate how many clients are connected to it.

That gives you the LAN but that doesn't tell you how many infected systems there are worldwide.

To shut it down by the way, once the virus is reverse engineered enough, one can deploy honeypot systems designed to impersonate legit infected machines, and wait for C&C commands to get passed to it via peers.

Due to it being p2p that won't get you the C&C servers... but it does give you lists of peers that represent infected systems, many of which probably are on the ISP running the honeypot that the ISP could take offline... a few coop agreements, and ISPs could swap lists of infected systems from each other's networks easily enough as well.
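The peer-harvesting idea in the post above, as an added, simulated example that is not code from any poster and does not speak TDL-4's actual protocol: an impersonated node asks every peer it learns about for that peer's own peer list, breadth-first, then buckets the addresses it collects by network owner so each ISP can be handed the hosts on its own ranges. The overlay graph, the offline fraction and the "ISP" prefixes are all constructed stand-ins; on a real botnet the peer-list request has to be built from the reverse-engineered message format first.

```python
"""Simulated crawl of a bot P2P overlay from an impersonated node.

Added example for this thread: a simulation, not TDL-4's protocol and not code
from any poster. The overlay, the offline fraction and the ISP prefixes below
are constructed for illustration.
"""
import random
from collections import defaultdict, deque

# Constructed operator prefixes standing in for real ISP allocations.
ISP_PREFIXES = {"ISP-A": "10.1.", "ISP-B": "10.2.", "ISP-C": "10.3."}


def build_overlay(n=300, degree=8, offline_fraction=0.3, seed=1):
    """Random peer graph (addr -> its peer list) plus the set of peers that are online."""
    rng = random.Random(seed)
    prefixes = list(ISP_PREFIXES.values())
    addrs = [f"{rng.choice(prefixes)}{i // 250}.{i % 250 + 1}" for i in range(n)]
    overlay = {a: rng.sample([b for b in addrs if b != a], degree) for a in addrs}
    online = {a for a in addrs if rng.random() >= offline_fraction}
    return overlay, online


def crawl(overlay, online, seed_peer, max_requests=10_000):
    """Breadth-first walk: ask each discovered peer for its peer list.

    Returns (addresses seen in any peer list, peers that actually answered).
    An address that never answers is still an infected host worth reporting.
    """
    discovered, responded = {seed_peer}, set()
    queue, requests = deque([seed_peer]), 0
    while queue and requests < max_requests:
        peer = queue.popleft()
        requests += 1
        if peer not in online:          # simulated timeout
            continue
        responded.add(peer)
        for nxt in overlay[peer]:       # simulated peer-list reply
            if nxt not in discovered:
                discovered.add(nxt)
                queue.append(nxt)
    return discovered, responded


def by_operator(addrs):
    """Group addresses by the constructed ISP prefix they fall in."""
    buckets = defaultdict(list)
    for a in addrs:
        owner = next((name for name, p in ISP_PREFIXES.items() if a.startswith(p)), "unknown")
        buckets[owner].append(a)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    overlay, online = build_overlay()
    seed_peer = sorted(online)[0]
    seen, answered = crawl(overlay, online, seed_peer)
    print(f"{len(answered)} peers answered, {len(seen)} distinct addresses learned")
    for isp, hosts in by_operator(seen).items():
        print(isp, len(hosts))
```

The crawl deliberately records addresses that time out: a peer list is evidence of infection whether or not the host is up at that moment. The count of distinct addresses is a lower bound on the population, since a crawler only sees peers that appear in someone's list; it is not a census of the whole botnet.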

Re:Take 'em offline (1)

gumbi west (610122) | about 3 years ago | (#36618106)

Yeah, I'll bet your honeypot system would be squeaky clean, plus just this program. Digging this out from all the other crap on the machine would take months.

Re:Take 'em offline (1)

spydum (828400) | about 3 years ago | (#36617806)

DNS traffic from the client may still be used to identify infected hosts -- but it is certainly less simple than it used to be.

Re:Take 'em offline (1)

shentino (1139071) | about 3 years ago | (#36618026)

Well, spewing spam should be a strong clue.

Dynamic IPs shouldn't be allowed to send outbound email directly anyhow.

Re:Take 'em offline (1)

AvitarX (172628) | about 3 years ago | (#36618186)

Heaven forbid I use an smtp server that's not my isp

Re:Take 'em offline (1)

gatkinso (15975) | about 3 years ago | (#36618170)

It is possible to fingerprint encrypted traffic, even if you can't decrypt it.

But you asked about differences: destination, port, rate, traffic volume. To name a few.
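A worked illustration of the point above, added for this thread and not taken from any poster or from the TDL-4 research: scoring hosts on flow metadata alone (destination spread, port usage, flow size, timing regularity) without looking at a single payload byte. The NetFlow-style records and the thresholds are constructed; the three hosts stand in for an online-banking session, a BitTorrent client and a bot beaconing to a small rotating peer list.

```python
"""Flow-metadata heuristics for spotting P2P bot traffic you cannot decrypt.

Added example for this thread, not code from any poster. Only the features
gatkinso lists are used: destination, port, rate, volume. The flow records and
the thresholds are constructed and would need tuning on real traffic.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed NetFlow-style records: (t_seconds, src, dst, dst_port, proto, bytes_out)
FLOWS = []
# 10.0.0.5: online banking, two HTTPS endpoints, large irregular flows
for t, nbytes in [(0, 48000), (17, 120000), (41, 9000), (300, 64000)]:
    FLOWS.append((t, "10.0.0.5", "203.0.113.10", 443, "tcp", nbytes))
FLOWS.append((95, "10.0.0.5", "203.0.113.11", 443, "tcp", 22000))
# 10.0.0.9: BitTorrent, twenty peers on high ports, multi-megabyte bursty flows
for i in range(20):
    FLOWS.append((i * 7 + (i % 3) * 11, "10.0.0.9", f"198.51.100.{i + 1}",
                  50000 + i, "tcp", 2_000_000 + i * 50_000))
# 10.0.0.7: bot, ~60 s beacon to a rotating list of 12 peers, ~300-byte UDP datagrams
for i in range(20):
    FLOWS.append((i * 60 + (i % 2), "10.0.0.7", f"192.0.2.{(i % 12) + 1}",
                  1024 + (i * 7919) % 60000, "udp", 280 + (i % 5) * 10))


def host_features(flows):
    """Per-source summary: peer spread, high-port ratio, typical size, beacon regularity."""
    by_src = defaultdict(list)
    for rec in flows:
        by_src[rec[1]].append(rec)
    feats = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        # coefficient of variation of inter-flow gaps: near 0 means a metronome-like beacon
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else float("inf")
        feats[src] = {
            "peers": len({r[2] for r in recs}),
            "high_port_ratio": sum(r[3] >= 1024 for r in recs) / len(recs),
            "median_bytes": median(r[5] for r in recs),
            "gap_cv": cv,
        }
    return feats


def suspicious_hosts(flows, min_peers=8, min_high_port=0.8,
                     max_median_bytes=2000, max_gap_cv=0.25):
    """Assumed rule: many peers, ephemeral ports, tiny flows and regular timing together."""
    flagged = []
    for src, f in host_features(flows).items():
        if (f["peers"] >= min_peers and f["high_port_ratio"] >= min_high_port
                and f["median_bytes"] <= max_median_bytes and f["gap_cv"] <= max_gap_cv):
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, f in host_features(FLOWS).items():
        print(src, f)
    print("flagged:", suspicious_hosts(FLOWS))
```

The bank session fails on peer count, the torrent client fails on flow size, and only the beaconing host trips all four conditions. That is triage, not proof: a chatty P2P application with small, regular keep-alives would score the same way, so a hit is a reason to pull the host for offline inspection, not to cut the account on the spot.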

Re:Take 'em offline (2, Insightful)

Joe U (443617) | about 3 years ago | (#36617696)

The only long term solution is to infect the infected with something that low level formats their HDD.

That will stop the problem.

It's amazingly illegal though, so it's not happening anytime soon.

Re:Take 'em offline (3, Funny)

interkin3tic (1469267) | about 3 years ago | (#36618074)

The only long term solution is to infect the infected with something that low level formats their HDD.

That's not true, there are plenty of long term solutions. We got -plenty- of nukes.

Re:Take 'em offline (-1)

Anonymous Coward | about 3 years ago | (#36618172)

Fuck you retard

Re:Take 'em offline (1)

Anonymous Coward | about 3 years ago | (#36618252)

not really, idiots will reinstall and still be insecure, you have to start trashing data and connected accounts

delete all messages and contacts and change password on any webmail account.
send out pornography and racist email on any VPN or outlook web access accounts accessed, but not in a high volume that would be obviously spam, replace one or two randomly selected outgoing emails with a collection of racist and misogynist jokes then delete from sent messages
if any online shopping is detected track credentials then start randomly wandering the same sites buying shit, again in low enough quantities to not be obviously automated
reflash and brick USB connected smart devices which are recognized as being vulnerable to such mischief.

sector by sector encrypt the entire hard drive then trash the keys at some point, only run before and after read/write operations to not be suspicious
any data that looks like tax info or medical info automatically uploaded to upstanding and trustworthy places, like 4chan

any info on connected VPNs that looks like corporate data (collections of word documents, 3D models, source code, accounting records, etc.) sent to 4chan and wikileaks
any data that looks like contact lists or address books gets uploaded to trustworthy places

use the chatroulette genital algorithm to scan images and videos being brought on to the machine from sources that are likely to be capture devices, webcams, media cards, etc. anything that hits gets sent to every email and facebook contact


as long as the consequences for getting infected do not ruin peoples lives they will continue to not care

Re:Take 'em offline (2)

geekmux (1040042) | about 3 years ago | (#36617710)

Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

Asking ISPs to stand in the firing line of legal liability? Uh...yeah. You'll stand a better chance in hell with a snowcone machine.

And that answer isn't very easy when you're talking AT&T or Verizon cutting off entire hosted corporations.

Re:Take 'em offline (2)

garcia (6573) | about 3 years ago | (#36617732)

geek, ATTBI (back in the 2001/2002 days) took infected computers off their network by disabling their cfg files. There's no legal liability there.

Re:Take 'em offline (4, Interesting)

the_bard17 (626642) | about 3 years ago | (#36617826)

Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

It seems the T&C is being used as a catch all for all the other shady business telecoms are pushing down our tubes... may as well use it for a bit of good, too.

Re:Take 'em offline (3, Insightful)

geekmux (1040042) | about 3 years ago | (#36617962)

Just throw a clause in the Terms and Conditions that states the subscriber is required to maintain an outgoing connection free of malware. Otherwise, the ISP gets to redirect all traffic to a "Hey, you're infected!" page for the duration.

And as this particular one operates, good luck discerning a valid encrypted connection from an invalid/infected one.

The first time the subscriber calls in to say it's rectified, remove the redirection and monitor it. The second time, be nice and request some proof. The third time, require a faxed copy of a receipt/invoice/statement from a third party verifying that all the connected in the residence are clean and all wireless networks are encrypted securely. Rinse, lather, repeat.

Wow, faxed copy? What's next, a notarized statement and sworn testimony? After that, it'll be a race to see which falls faster; your customer base or your stock price.

Re:Take 'em offline (3, Insightful)

farseeker (2134818) | about 3 years ago | (#36618234)

The third time, require a faxed copy of a receipt/invoice/statement from a third party

Yeah, because I still live in 1998 and work at a law firm, and thus have access to a fax machine

Re:Take 'em offline (2)

countertrolling (1585477) | about 3 years ago | (#36617982)

Asking ISPs to stand in the firing line of legal liability?

Not a problem.. The government can grant them immunity, like it did for the unwarranted wiretaps..

Re:Take 'em offline (0)

asdbffg (1902686) | about 3 years ago | (#36617872)

Yeah, it'll piss off every Grandma and Grandpa with an infected computer, but really.. the best way to deal with these massive botnets is to have the ISPs disable those accounts and contact the owners.

Yeah, it'll piss off every person who has ever lost their wallet or been a victim of identity theft, but really... the best way to deal with this massive identity theft problem is to freeze these peoples' bank accounts and explain to them that the unauthorized transactions on their credit cards have been directly funding thieves and terrorists.

Yeah, it'll piss off every person who wants to go outside, but really... the best way to deal with this massive crime problem is to have four cameras on every street corner so we can keep track of what everyone is up to at all times.

Yeah, it'll piss off every Muslim with a friend of a friend who's linked to a terror group, but really... the best way to deal with this massive terrorism problem is to detain these people for years in secret prisons and question them using enhanced interrogation techniques.

Yeah, it'll piss off every person who's ever smoked a joint, but really... the best way to deal with this massive drug violence problem is to arrest the buyers and throw them in prison for the rest of their lives.

Re:Take 'em offline (1)

mug funky (910186) | about 3 years ago | (#36618018)

not sure if this is a slippery slope here.

we're talking ISPs, not governments.

if they spin things right, or if the problem is big enough, they could include a nominal surcharge for sending round one of their guys to scrape the malware off their clients machines. then they save a ton of bandwidth, stop the botnets, and actually end up with happy customers (with computers that work somewhat better).

i think there's money to be made for the first ISP that tries this.

Re:Take 'em offline (2)

LordLimecat (1103839) | about 3 years ago | (#36618044)

What an awful comparison. The people with infected computers are responsible for their computers, and it is their computers that are doing damage via spam etc. Disabling their accounts and requesting followup is in no way similar to:
*throwing someone in prison
*interrogating them
*implementing a police state
*freezing bank accounts

It's perfectly reasonable, if a PC is causing damage to a network, to remove that PC from the network. Schools do it, business offices do it, and I'm sure government offices do it. That ISP has no obligation to cooperate with a botnet.

Lawsuit (1)

kylemonger (686302) | about 3 years ago | (#36617646)

Some operating system vendor is going to have to be sued for damages and lose before this ever stops.

Re:Lawsuit (1)

AvitarX (172628) | about 3 years ago | (#36617726)

I hope not.

If OSes need to be locked down like iOS to avoid liability we're fucked in the long run (the fact that it's described as a trojan implies to me it's a stupid user issue).

Linux will always have forks that give users control, even if the main branch removes this, in your hypothetical world, does that make it the least secure vs the other total lockdown systems, and therefore all the developers liable?

Re:Lawsuit (1)

lymond01 (314120) | about 3 years ago | (#36617858)

I'm guessing there are still 4 million XP machines with default Administrator accounts and no password. Microsoft has done a much better job with default user security starting with Vista and improving in Windows 7. Even if you're silly enough to run as admin, as long as you don't turn off UAC, you're a million times better off than running Windows XP as admin.

Re:Lawsuit (1)

kylemonger (686302) | about 3 years ago | (#36617904)

Out in the non-software world, if you operate a machine that damages someone else's property, you're liable. If you were operating the machine properly and it malfunctioned, causing the damage then the manufacturer or whoever serviced the machine last is probably liable. Right now, when PCs wreak havoc there's no proximate party to go after. Until that changes, there's no strong incentive to fix the problem at the root.

The OS doesn't need to be locked down like iOS, but if you're going to hold the user liable, you need to give them some way of installing software that doesn't give that software the full power of the PC. That is, some way to properly operate the device that limits the damage it can cause. As an example, something that purports to be a game doesn't need to be able to send packets to every IP address on the Internet. Once the OS vendor gives the user a way to properly operate a PC, then the liability can be shifted to the user. Until then, the liability should rest on the OS vendor.

Re:Lawsuit (0)

Anonymous Coward | about 3 years ago | (#36618132)

In the physical world it wasn't so long ago that cars didn't have keys, airbags, antilock brakes, etc. It wasn't the manufacturer's liability for accidents with those older cars as the generally accepted state of car tech didn't include those components. Even now if you drive a 1952 Ford the company that originally sold it isn't responsible. The analogy - MS will be responsible only for the most up to date OS they ship to be on par with most other commercially available OSes. No, they don't have to build an Edsel (look up one of the safe car designs in the past and see where they ended up - on the junk heap).

The difference now - someone else ganged up a few million machines and has them accessing the public byways with malicious intent. The obvious solution- safety inspection and certification for all nodes with corresponding loss of anonymity just as we've done for automobiles. Trivial for MS and Apple to implement.

The key question - will there be room for hobbyist OSes as the required barrier of safety testing, certification, liability and identity tracking?

Re:Lawsuit (3, Informative)

Homr Zodyssey (905161) | about 3 years ago | (#36618208)

Time for a car analogy.

If someone hot-wires my car, and then rams it into a police station, then I'm not liable. The car manufacturer is not liable. The police are not liable. As a matter of fact, it's not even my fault if I left the doors unlocked and the engine running. The person responsible is the bastard that stole it and did the damage.

These viruses and botnets are not spontaneous. They are not random acts of nature. They happen because of bad guys doing bad things. We should all take reasonable precautions, but we shouldn't be held liable for their actions.

Re:Lawsuit (1)

scubamage (727538) | about 3 years ago | (#36617970)

the fact that it's described as a trojan implies to me it's a stupid user issue.

I had a trojan issue once. Now I have a kid. Trojans are stupid.

Indestructible? (1)

__Paul__ (1570) | about 3 years ago | (#36617652)

Just wait for the next massive solar storm [wikipedia.org] ...

Invisible? (4, Insightful)

blair1q (305137) | about 3 years ago | (#36617698)

Putting the thing in the MBR just means you can't intercept it during boot.

It doesn't for a second mean it's invisible.

Re:Invisible? (3, Insightful)

vux984 (928602) | about 3 years ago | (#36617776)

It can become pretty well invisible to the infected host system though.

A bootable CD or flash drive should take care of things, but that's a bit of a hassle, since a bootable disc needs to be up to date to detect the latest threats... or perhaps the way to go on this is to checksum the existing known good mbr and then validate it from time to time offline against the checksum.

Speaking of which... what are people recommending for actually dealing with this sort of stuff...?
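One way to do the "checksum the known-good MBR and re-validate it offline" check from the post above, as an added example that is not code from any poster or from an AV vendor. It hashes only the 440 bytes of boot code (the partition table and disk signature can change for legitimate reasons), parses the partition entries as a sanity check, and compares against a digest taken when the machine was known clean. The sample sectors are constructed; on a real box read sector 0 of the raw disk from a boot CD or another OS, since a bootkit with a filter driver in the read path can hand the running system a clean-looking copy. It covers the legacy MBR layout only, not GPT.

```python
"""Offline MBR baseline check: hash the boot code, parse the partition table.

Added example for this thread, not code from any poster or AV vendor. The
sample sectors below are constructed; read_mbr() is what you would point at
/dev/sda or a disk image from a clean boot medium.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)      # x86 boot code: the part a bootkit replaces
PART_TABLE_OFFSET = 446        # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def read_mbr(path):
    """Read sector 0 from a raw device or a disk image."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_partitions(mbr):
    """Return the non-empty entries of the classic MBR partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(mbr):
    """Hash only the boot code; the partition table may change legitimately."""
    return hashlib.sha256(mbr[BOOT_CODE]).hexdigest()


def check_mbr(mbr, baseline_digest):
    """Compare a freshly read sector against the digest taken when the disk was clean."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        return "invalid", "short read or missing 0x55AA boot signature"
    digest = boot_code_digest(mbr)
    if digest != baseline_digest:
        return "boot-code-changed", f"baseline {baseline_digest[:12]}... now {digest[:12]}..."
    return "ok", "boot code matches baseline"


def make_sample_mbr(boot_stub):
    """Constructed 512-byte sector: the given boot stub plus one NTFS-type partition at LBA 2048."""
    code = boot_stub.ljust(440, b"\x00")
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"          # bytes 440..445
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * 48                           # three empty entries
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed "known clean" sector and a copy whose boot code has been patched;
# the partition table is identical, which is exactly the case a table-only check misses.
CLEAN = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
TAMPERED = make_sample_mbr(b"\xeb\x3c\x90\x55\x55\x55\x55\x55\x55")

if __name__ == "__main__":
    baseline = boot_code_digest(CLEAN)
    print(parse_partitions(CLEAN))
    print(check_mbr(CLEAN, baseline))
    print(check_mbr(TAMPERED, baseline))
```

Store the baseline digest somewhere the infected host cannot rewrite (paper, another machine, a read-only USB stick). A match tells you the boot code is unchanged, nothing more: it says nothing about what may be stored elsewhere on the disk, so a mismatch is the signal to go to a rescue disc, not the end of the investigation.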

Re:Invisible? (2)

korgitser (1809018) | about 3 years ago | (#36617812)

Speaking of which... what are people recommending for actually dealing with this sort of stuff...?

Isn't it obvious? The next version of Kaspersky of course!

Re:Invisible? (5, Informative)

schwit1 (797399) | about 3 years ago | (#36617822)

http://download.bitdefender.com/rescue_cd/ [bitdefender.com]
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/ [kaspersky-labs.com]

Both of these update from the internet after booting up.

Thank you. (-1, Redundant)

Futurepower(R) (558542) | about 3 years ago | (#36618110)

MOD PARENT UP!!

Re:Invisible? (4, Informative)

Z34107 (925136) | about 3 years ago | (#36617918)

The safest way is nuke it from orbit - boot from your Windows install disk, do a "diskpart clean" to nuke the MBR, and reinstall.

The easiest way is to just trust that your favorite brand of virus scanner will eventually take care of it.

Expert mode is make an image of the machine using ImageX, mount it on another PC, clean the virus from the image, and reapply it to the infected computer (after nuking the MBR.)

For lesser threats, MalwareBytes will take care of most anything, although I usually run ComboFix and HijackThis first.

Protip: If you're running a modern version of Windows, you don't need a special boot CD. Vista/7 disks boot to a full WinPE environment which will give you a command prompt (press Shift+F10 or wade through the menu), let you repartition your disk (diskpart), write a new boot sector (bootsect), and mount network shares (net use x: \\computer\share). Any install disk can also install and activate any other version of Windows (you can borrow a friend's Home Premium disk to reinstall Ultimate or whatever).

If you're still rocking XP, the install disk is next to worthless, so go grab a Live CD if you have to do anything interesting.

Re:Invisible? (3, Interesting)

Spikeles (972972) | about 3 years ago | (#36618064)

TDSSKiller [kaspersky.com]

Re:Invisible? (0)

Anonymous Coward | about 3 years ago | (#36617796)

Read the article. It explains that is not what makes it invisible and that isn't the type of invisible they are talking about. It is just hard to detect the systems in the botnet.

Re:Invisible? (1)

scubamage (727538) | about 3 years ago | (#36617954)

fdisk /fixmbr should fix it, no?

Re:Invisible? (1)

the eric conspiracy (20178) | about 3 years ago | (#36618080)

Depends on whose fdisk you are using.

Modified MBR Detection? (2, Interesting)

Anonymous Coward | about 3 years ago | (#36617700)

Man, can't they detect a modified MBR nowadays? I even had mainboards which detected a modified MBR upon boot. So where's the problem?

Re:Modified MBR Detection? (1)

Voyager529 (1363959) | about 3 years ago | (#36618188)

As long as there isn't a recovery partition (or even if there is, most of the time), boot from an OS install disk, go to repair mode, then type 'fixboot' and 'fixmbr'. You now have a stock MBR.

Re:Modified MBR Detection? (0)

Anonymous Coward | about 3 years ago | (#36618220)

The problem with this is that most people disable the MBR protection in order to install (or re-install) the OS and forget to turn it back on, or leave it off so they won't have to deal with it next time.

This is user error - sort of like changing the tires on your car but leaving the lug nuts off so it's easier to remove the tires next time.

Indestructible? (5, Funny)

CokeBear (16811) | about 3 years ago | (#36617716)

Sounds like a challenge...

Re:Indestructible? (0)

Anonymous Coward | about 3 years ago | (#36617986)

Not behind my "100,000 megavolt forcefield" here (0)

Anonymous Coward | about 3 years ago | (#36618008)

Because all of its known sources are "blocked out" here, either by:

---

1.) NORTON DNS (& it's DNSBL vs. all forms of "malware-in-general")

---

2.) My custom HOSTS file which is currently as of this writing in its tempfile prior to commission back to the HOSTS file itself, @ 1,459,566++ blocked known bad sites strong, & more for speed (adbanners blocked)...

(AND, it updates every 15 minutes now from 17 different reliable sources for HOSTS file data, DNSBL's I convert, & also trackers of various botnets out there online, yes, including THIS one too(earlier variants & current build).

---

3.) System Security Hardening:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

(Which includes the "std. antivirus/antispyware/firewall toolsets in use, but also a HELL OF A LOT MORE like conscientious patching/updating the OS & apps, group & local security policies work, using javascript (the "harbinger of DOOM" @ times) judiciously/sparingly, etc./et al)

---

* Nice part about the "heart of it" in the HOSTS file + Norton DNS is that even IF I were to 'suck in' this beastie? As soon as they get its C&C servers, I get them... every 1/4 hour, & it won't be able to "talk back to HQ"...

(AND, Despite all the "hype" of "not being able to see its transmissions" due to encryption? An ISP/BSP can see it, & that's where the info. will come from, eventually - & every encryption, even QUANTUM lately, can be broken OR eavesdropped on... just a matter of TIME! Hey, if wind & water can blow down mountains, right?)

So, "that all said & aside", well... IF they're smart about it? They'll update their DNSBL's too (effectively blocking communications "back to HQ" for this thing!)

APK

P.S.=> Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do...

Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them...

... apk

Put it THIS way (I wrote how 2 destroy it already) (0)

Anonymous Coward | about 3 years ago | (#36618058)

http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272 [slashdot.org]

When news of this thing came out, or one MUCH like it rather (using "blended-threat" rootkit technology, in utilizing not only bootsector spawn & control, but also a filtering driver/hooking driver to protect itself @ the bootsector level?) - What's up there CAN & WILL get rid of it...

APK

P.S. => Even the guys researching it are saying what I am pretty much:

PERTINENT QUOTE/EXCERPT FROM SOURCE ARTICLE

---

"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."

---

And, there you go... look in my link above? That'll do it, no system restore/reset/reinstall required... Yes, I am THAT sure it works, I've faced rootkits like this before (I am sure others here have as well & used similar tactics too).

It's just a matter of KNOWING how it works, & once you understand a thing? You can control, or destroy, it!

Simple - you just have to know how it operates, & what to do vs. it with tools out there for it (not std. tools, so I opt to go against rootkits using Process Explorer, FIRST, in usermode/RPL3/Ring 3 operation, & if that fails? Out comes Windows Recovery Console - blow the driver loading, & then reset the bootsector... it'll work!)

... apk

It runs on windows? (1)

gmuslera (3436) | about 3 years ago | (#36617730)

Just wait till it faces blue kryptonite

What I want to know is ... (2, Funny)

DrJimbo (594231) | about 3 years ago | (#36617748)

Does it run Linux?

Re:What I want to know is ... (0)

DaMattster (977781) | about 3 years ago | (#36617764)

The article states that Windows PCs are vulnerable to this botnet. I think it is a safe guess that BSD and Linux machines are, as per the usual, safe.

Re:What I want to know is ... (0, Insightful)

Anonymous Coward | about 3 years ago | (#36617912)

"per the usual", eh? Cocky much?

Take a moment to cogitate on where the "root" in rootkit comes from.

Here's an idea (2)

MrEricSir (398214) | about 3 years ago | (#36617830)

What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.

Re:Here's an idea (1)

DaMattster (977781) | about 3 years ago | (#36617886)

What if someone wrote malware that would run a VM from the boot sector, and then ran your existing OS from the VM? That way it wouldn't matter what OS you used, it could still access your system in the background.

It is still only feasible if the intruders can gain root access to the machine to install the botnet client and vm. I use OpenBSD and I can look at my logs and laugh at the number of failed intrusion attempts. A more secure OS certainly will prevent this.

Re:Here's an idea (2)

rtaylor (70602) | about 3 years ago | (#36617990)

Ahh, but can you detect the successful intrusions?

Most windows users can also look at their logs (assuming they keep such things) and view a large number of failed attempts. Of course, there are also a handful of successful ones.

Yes, I know OpenBSD is very secure, particularly for root access; user accounts not so much if the user will run anything they download. More than half of OpenBSD's security is that security conscious people select that operating system.

Re:Here's an idea (0)

Anonymous Coward | about 3 years ago | (#36618070)

It is still only feasible if the intruders can gain root access to the machine to install the botnet client and vm. I use OpenBSD and I can look at my logs and laugh at the number of failed intrusion attempts. A more secure OS certainly will prevent this.

That's fantastic. Now install Gnome or KDE on that box and tell us how secure it is[n't].

Make something useful and it's a lot harder to secure.

would have to modify the grub binary and/or kernel (1)

decora (1710862) | about 3 years ago | (#36618246)

or something like that, because linux machines are constantly running grub to rewrite the bootsector

you could rewrite part of the kernel binary so that it would lie to grub i guess.

or you could rewrite the grub binary to lie to the user.

those two things are kind of non-trivial because linux is incredibly diverse.

now that i think of it, perhaps Windows becoming 'diverse' is a way to prevent some of this junk from happening.

mod 0p (-1)

Anonymous Coward | about 3 years ago | (#36617780)

Chinese Justice (1, Insightful)

msobkow (48369) | about 3 years ago | (#36617810)

Collect botnet creators. Apply one bullet to head. In public.

Repeat.

Nothing else will stop the leeches.

Re:Chinese Justice (1)

DrJimbo (594231) | about 3 years ago | (#36617860)

Or we could, you know, just use more secure operating systems.

Re:Chinese Justice (0)

Anonymous Coward | about 3 years ago | (#36617892)

Ok, then how does this sound...

Collect botnet infected users. Apply one bullet to head. In public.

Repeat.

Nothing else will stop the leeches.

Re:Chinese Justice (0)

Anonymous Coward | about 3 years ago | (#36617920)

Users will always circumvent the OS limits. One reason Windows is so vulnerable is that you've got so many technologically illiterate users. If you forced everyone to Linux, that's where the virii will go. Path of least resistance...

Re:Chinese Justice (1)

Rob the Bold (788862) | about 3 years ago | (#36617998)

Collect botnet creators. Apply one bullet to head. In public.

If you could "collect" the botnet creators, then you could solve the problem in any number of less messy ways, though. Even in a jurisdiction that placed serious limitations on violent public executions, if you arrested the creators you've made pretty major progress toward dismantling it.

Remember: there's nothing magical about ad hoc public capital punishment. (Did I just say there's no silver bullet?) Organized crime exists in countries of all judicial philosophies.

So, by all means, capture the miscreants. Or worm your way into their organization. Or whatever. If the botnet is technically impregnable, do what the criminals would do to gain access: social engineering, carrot and stick, threats, bait, plea bargains -- that sort of thing.

Re:Chinese Justice (0)

Anonymous Coward | about 3 years ago | (#36618054)

Collect botnet participants. Apply one bullet to head. In public.

That will teach them not to be so stupid!

Re:Chinese Justice (1)

ObsessiveMathsFreak (773371) | about 3 years ago | (#36618216)

That didn't work for General Tarkin and it won't work for this.

GPL Violators! Get em! (5, Funny)

Hatta (162192) | about 3 years ago | (#36617816)

# When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used - this means that the authors are in violation of a licensing agreement.

Somehow I think that's the least of their concerns.

Re:GPL Violators! Get em! (4, Funny)

gumbi west (610122) | about 3 years ago | (#36618168)

Think of how they got Al Capone. Nothing would make federal prosecutors more interested in the GPL than if they thought it was the best way to nail a bad guy.

BTW, I like the idea of malware coming with a GPL license agreement and link to the source code.

Is this (0)

Anonymous Coward | about 3 years ago | (#36617856)

the same botnet that's been recently terrorizing SMF forums all over the place?

general purpose computing is dead (1)

Anonymous Coward | about 3 years ago | (#36617880)

And this is why. People are completely unable to understand anything about the operation of their computers.

No, Linux would not solve this. If magically tomorrow every single Windows box was Linux instead, socially-engineered malware would appear the next day.

Apple tries to protect the system from its own user. That's probably the way of the future in general, sad as it is to say.

It seems MS could make this go away (1)

tkrotchko (124118) | about 3 years ago | (#36617884)

Microsoft knows their OS better than anyone. For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines, disable the rootkit, and alert the user.

It would be a little bit of work for MS, but isn't this kind of service that you'd expect to get from a vendor that stands behind its products?

Re:It seems MS could make this go away (1)

scubamage (727538) | about 3 years ago | (#36617942)

It doesn't involve DRM, so I doubt they'll worry about it for at least another 9 months.

Re:It seems MS could make this go away (0)

Anonymous Coward | about 3 years ago | (#36618028)

Actually, it's a huge cost to Microsoft as they have to take phone calls for folks who are trying to reinstall Windows and failing the anti-piracy bullshit. The retards at the unix vendors are failing by not flooding the media with press releases about this "windows only botnet".

But how ? (1)

DrYak (748999) | about 3 years ago | (#36618010)

For anyone getting MS updates, it seems it would be a simple matter for Microsoft to identify these machines

But how? The virus hides its first stage in the MBR and is launched *before* the OS. By the time Windows has started the computer is *already* compromised; the virus is already running and can do all the tricks it wants to hide itself from the running system, or to alter the software being run.

Re:It seems MS could make this go away (1)

Architect_sasyr (938685) | about 3 years ago | (#36618120)

The last thing I'd want to see is any company, at all, automatically fucking with my MBR just because it doesn't think it matches what they consider a standard MBR. If they can't do that then they can't remove the rest of the infection and the botnet guys can just upload a new one to circumvent the patch.


Nothing new (2, Interesting)

Billly Gates (198444) | about 3 years ago | (#36617906)

In 2004 my cousin had malware that hid in the partition table, and even a fresh format and Windows reinstall couldn't get rid of it. Only a good DOS fdisk that deleted the table, with a format and reinstallation, did. Today evil malware can hide in both the shadow volumes of restore points, to reinstall itself and avoid detection, and also in system recovery partitions, so a fresh OS reinstallation will reinstall the malware. Fun times.

Re:Nothing new (1)

Anonymous Coward | about 3 years ago | (#36618130)

Let's not forget alternate data streams, I remember filling up an entire server hard drive with a huge text file that resided in the alternate data stream and nobody ever found it.

Comma abuse (0)

Anonymous Coward | about 3 years ago | (#36617930)

> Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.

What's this "more, importantly, security software" nonsense? Was this narrated by William Shatner, or are these abused, runaway commas who needed a home?

I realize that's an unmarked quote from TFA, but I guess the editor over there is asleep right now.

Wow (1)

scubamage (727538) | about 3 years ago | (#36617934)

Technically speaking, that's pretty awesome. I know they're bad guys, but some props to them. They're geek bad guys, and they've done some fine work here.

Re:Wow (0)

Anonymous Coward | about 3 years ago | (#36618014)

Pretty awesome? Really? MBRs were the easiest place for viruses to write themselves back in MS-DOS days - not much has changed on the Windows front, except that there are so many new and exciting ways to infect the system that this is almost a sort of "retro chic" thing.

Only a matter of time ... (1)

tomhudson (43916) | about 3 years ago | (#36617946)

A new and improved botnet that has infected more than four million PCs is 'practically indestructible

... only until an 8 million PC botnet decides to "borg" the competition.


Just use a UEFI mobo' (0)

Anonymous Coward | about 3 years ago | (#36617960)

Just make sure you buy a UEFI mobo, or then buy mac-tel hardware. [mac mini, etc etc etc] (comes with UEFI).
[Linux / Windoze / OsX - can all run on this hardware, but gives you an easy one stop shop for a daily use machine].

Given MebRoot/TDL/TDSS/etc etc are all thanks to the "original" work of eEye bootkit, we should really be thanking them for this one ..

But really hats off to the mighty M$, for thwarting any move out of bios for so long .. coreboot anyone ?

Anyhow, use/buy a UEFI enabled board. If you have a BIOS based mobo, look to see if there's the built in "virus protection", which used to be just a check to see if something was modifying the MBR. Many don't have it any more.

Ps: fixmbr \Device\HardDisk0

Command and Control (3, Insightful)

Fractal Dice (696349) | about 3 years ago | (#36617966)

Isn't command and control the antithesis of indestructibility? Any software that can be patched can be destroyed.

Re:Command and Control (0)

Anonymous Coward | about 3 years ago | (#36618088)

Isn't command and control the antithesis of indestructibility? Any software that can be patched can be destroyed.

except when said patches require the digital signature to match

Re:Command and Control (4, Interesting)

pclminion (145572) | about 3 years ago | (#36618112)

You can sign the patches and make it impossible to inject update packets straight into the botnet. A more plausible line of attack would be to find a traditional security vulnerability and exploit it.
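The check pclminion describes, as an added example that is not code from the page or from any analysis of TDL-4 itself: a bot that only installs an update whose signature verifies under a public key baked into the binary, and that also refuses an older signed update so a captured genuine update cannot be replayed to roll the bot back. The Update layout, the Bot type, the seeds used for the keys and the module names are all constructed for this example; nothing here is the real botnet's format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what a peer hands the bot: a version counter, the module bytes,
// and a signature covering both. (Constructed layout, not TDL-4's.)
type Update struct {
	Version uint32
	Body    []byte
	Sig     []byte
}

// signedBytes is the exact byte string the signature covers: version first,
// so the counter cannot be changed without invalidating the signature.
func signedBytes(version uint32, body []byte) []byte {
	msg := make([]byte, 4+len(body))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], body)
	return msg
}

func signUpdate(priv ed25519.PrivateKey, version uint32, body []byte) Update {
	return Update{Version: version, Body: body, Sig: ed25519.Sign(priv, signedBytes(version, body))}
}

// Bot holds the embedded operator public key and the version it last installed.
type Bot struct {
	OperatorKey ed25519.PublicKey
	Installed   uint32
}

// Apply accepts an update only if the signature verifies under the embedded
// key AND the version is newer than what is already installed.
func (b *Bot) Apply(u Update) error {
	if len(u.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(b.OperatorKey, signedBytes(u.Version, u.Body), u.Sig) {
		return errors.New("signature does not verify under operator key")
	}
	if u.Version <= b.Installed {
		return errors.New("stale update (replay or rollback)")
	}
	b.Installed = u.Version
	return nil
}

// scenario runs the cases discussed in the thread with constructed,
// deterministic keys and reports whether each update was accepted:
// a genuine update, the same kind of update with its body patched after
// signing, one signed by a key the bot does not trust, and a replay of an
// older genuine update.
func scenario() (genuine, tampered, forged, replayed bool) {
	opSeed := [32]byte{1}  // constructed seed, stands in for the operators' key
	atkSeed := [32]byte{2} // constructed seed for whoever tries to inject packets
	operator := ed25519.NewKeyFromSeed(opSeed[:])
	attacker := ed25519.NewKeyFromSeed(atkSeed[:])
	bot := &Bot{OperatorKey: operator.Public().(ed25519.PublicKey), Installed: 1}

	u2 := signUpdate(operator, 2, []byte("kad.dll v2"))
	genuine = bot.Apply(u2) == nil

	bad := signUpdate(operator, 3, []byte("kad.dll v3"))
	bad.Body = []byte("kad.dll v3 + takedown payload") // patched in transit
	tampered = bot.Apply(bad) == nil

	forged = bot.Apply(signUpdate(attacker, 3, []byte("uninstall"))) == nil

	replayed = bot.Apply(u2) == nil // valid signature, but not newer than installed
	return
}

func main() {
	g, t, f, r := scenario()
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nforged accepted: %v\nreplay accepted: %v\n", g, t, f, r)
}
```

Only the first update is accepted; the other three fail before anything is installed. This is why "inject a kill command into the P2P traffic" does not work against a bot built this way, and why the remaining options are the ones the thread names: a bug in the bot's own parsing or update code, or getting hold of the operators' private key.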

NSA has a botnet? (0)

Anonymous Coward | about 3 years ago | (#36617976)

That must have been a great meeting:

Q. How do we stop all these botnets?
A. We take them over with our own super botnet!!!

Johnson, you're a genius.

ohhhhh noooo (0)

Anonymous Coward | about 3 years ago | (#36618004)

....its the deamon!

No big deal (1)

countertrolling (1585477) | about 3 years ago | (#36618022)

The president and congress can just use the commerce clause in the constitution to force everybody to buy an officially approved operating system and anti virus program..

There, see? Problem solved


Not impossible (4, Interesting)

Anonymous Coward | about 3 years ago | (#36618034)

I work at a computer repair shop.

We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
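The "is the MBR modified?" check that the repair-shop comment above and the BIOS "virus protection" comment further up both rely on, as an added example that is not code from the page, from GMER or from TDSSKiller: parse the first sector (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) and compare a hash of the boot code against a baseline recorded when the machine was known clean. The baseline hash, the sample images and the bytes used to simulate a bootkit patch are constructed for the example. One caveat that follows from DrYak's point: read the sector from outside the infected OS (boot media, or the drive attached to another machine), because a rootkit that is already running can answer a sector read with a clean copy.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	mbrSize       = 512
	bootCodeSize  = 446 // boot code occupies bytes 0..445
	partTableOff  = 446 // four partition entries start here
	partEntrySize = 16
	sigOff        = 510 // 0x55 0xAA boot signature
)

type Partition struct {
	Bootable bool
	Type     byte
	LBAStart uint32
	Sectors  uint32
}

type MBR struct {
	BootCodeSHA256 string
	Partitions     [4]Partition
}

// parseMBR decodes a raw 512-byte sector. It refuses images without the boot
// signature; an absent or overwritten signature is itself worth noticing.
func parseMBR(img []byte) (MBR, error) {
	var m MBR
	if len(img) < mbrSize {
		return m, errors.New("image shorter than 512 bytes")
	}
	if img[sigOff] != 0x55 || img[sigOff+1] != 0xAA {
		return m, errors.New("missing 0x55AA boot signature")
	}
	sum := sha256.Sum256(img[:bootCodeSize])
	m.BootCodeSHA256 = hex.EncodeToString(sum[:])
	for i := 0; i < 4; i++ {
		e := img[partTableOff+i*partEntrySize : partTableOff+(i+1)*partEntrySize]
		m.Partitions[i] = Partition{
			Bootable: e[0] == 0x80,
			Type:     e[4],
			LBAStart: binary.LittleEndian.Uint32(e[8:12]),
			Sectors:  binary.LittleEndian.Uint32(e[12:16]),
		}
	}
	return m, nil
}

// bootCodeChanged reports whether the boot code differs from a baseline hash
// recorded while the machine was known clean (assumed to exist; constructed here).
func bootCodeChanged(img []byte, baseline string) (bool, error) {
	m, err := parseMBR(img)
	if err != nil {
		return false, err
	}
	return m.BootCodeSHA256 != baseline, nil
}

// sampleMBR builds a constructed sector: a few stand-in boot code bytes, one
// bootable NTFS-typed partition at LBA 2048, and the signature. With
// tampered=true a few boot code bytes are overwritten to stand in for a
// bootkit that has replaced the loader.
func sampleMBR(tampered bool) []byte {
	img := make([]byte, mbrSize)
	copy(img, []byte{0xFA, 0x33, 0xC0, 0x8E, 0xD0}) // constructed, not a real loader
	e := img[partTableOff : partTableOff+partEntrySize]
	e[0] = 0x80 // bootable
	e[4] = 0x07 // NTFS/exFAT type id
	binary.LittleEndian.PutUint32(e[8:], 2048)
	binary.LittleEndian.PutUint32(e[12:], 204800)
	img[sigOff], img[sigOff+1] = 0x55, 0xAA
	if tampered {
		copy(img[0x10:], []byte{0xEA, 0x00, 0x7C, 0x00, 0x00}) // constructed "patch"
	}
	return img
}

func main() {
	base, err := parseMBR(sampleMBR(false))
	if err != nil {
		panic(err)
	}
	changed, _ := bootCodeChanged(sampleMBR(true), base.BootCodeSHA256)
	fmt.Printf("partition 0: %+v\nboot code changed: %v\n", base.Partitions[0], changed)
}
```

The partition table survives a bootkit install unchanged, which is exactly why comparing only the table misses it; hashing the boot code region is what catches the swap. Restoring a stock loader (the "fixmbr" step mentioned above) only helps if the rest of the infection is removed too, since the bot can simply write its loader back.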


I knew this was going to happen (4, Interesting)

Omnifarious (11933) | about 3 years ago | (#36618082)

Curious Yellow [blanu.net] was bound to happen sooner or later. I was wondering what was taking botnet authors so long, and why they were relying on a centralized system like DNS for coordinating their bots.

P2P is also its weakness (5, Interesting)

Dachannien (617929) | about 3 years ago | (#36618152)

The fact that the software maintains itself peer-to-peer is also its greatest weakness, because it allows any infected node to identify other infected nodes. So, you set up a number of honeypots and use those to identify infected machines. You then strongarm those machines' ISPs to disconnect their customers until they get their shit together.

Yes, the whole "strongarming the ISPs" thing is a flaw in the strategy since it hasn't really been successful to date, but I'm sure Microsoft can come up with a legal solution to that little hitch.

Re:P2P is also its weakness (0)

Anonymous Coward | about 3 years ago | (#36618248)

Not every infected machine needs to have *all* the other peers, just a few!
Nice odds? You have 10 peers from config out of 4,000,000; how many honeypots do you need to set up to guarantee you got all the peers?
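The two strategies argued over in the parent comment and the reply above, as an added example that is not from the page or from any TDL-4 analysis. It builds a constructed random overlay (n hosts, each configured with k distinct random peers; real TDL-4 uses the Kad DHT and its peer selection is not this simple) and measures two things: the share of hosts that would, in expectation, ever contact one of h honeypots because a honeypot happens to be on their list, and the share an active crawler reaches when it can speak the protocol and ask every host it learns of for that host's peer list. The sizes and the seed are constructed; the numbers describe the model, not the real botnet.

```go
package main

import (
	"fmt"
	"math/rand"
)

// buildPeerLists builds a constructed random overlay: n infected hosts, each
// holding k distinct random peers and never listing itself.
func buildPeerLists(n, k int, seed int64) [][]int {
	rng := rand.New(rand.NewSource(seed)) // fixed seed so runs are reproducible
	peers := make([][]int, n)
	for i := range peers {
		seen := map[int]bool{i: true}
		for len(peers[i]) < k {
			p := rng.Intn(n)
			if !seen[p] {
				seen[p] = true
				peers[i] = append(peers[i], p)
			}
		}
	}
	return peers
}

// passiveCoverage treats hosts 0..h-1 as honeypots that only listen. A host is
// "observed" if at least one honeypot is on its own peer list, since that is
// the only way it will ever talk to one. Returns the observed fraction of the
// non-honeypot hosts.
func passiveCoverage(peers [][]int, h int) float64 {
	observed := 0
	for i, list := range peers {
		if i < h {
			continue
		}
		for _, p := range list {
			if p < h {
				observed++
				break
			}
		}
	}
	return float64(observed) / float64(len(peers)-h)
}

// crawlCoverage models a single node that speaks the protocol well enough to
// ask any host for its peer list, then follows those links transitively.
// Returns the fraction of all hosts it discovers.
func crawlCoverage(peers [][]int, start int) float64 {
	visited := make([]bool, len(peers))
	stack := []int{start}
	visited[start] = true
	count := 0
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		count++
		for _, p := range peers[cur] {
			if !visited[p] {
				visited[p] = true
				stack = append(stack, p)
			}
		}
	}
	return float64(count) / float64(len(peers))
}

func main() {
	peers := buildPeerLists(40000, 10, 1) // scaled-down constructed overlay
	fmt.Printf("passive, 10 honeypots: %.4f of hosts ever contact one\n", passiveCoverage(peers, 10))
	fmt.Printf("active crawl from one peer: %.4f of hosts discovered\n", crawlCoverage(peers, 0))
}
```

With 10 random peers per host, a listening honeypot is on a given host's list with probability roughly 10/n, so passive honeypots see a sliver of the network, which is the reply's point. A crawler that can ask for peer lists reaches nearly every host from a single seed, which is the parent's point; the catch is that it has to get the protocol, including whatever encryption wraps the Kad traffic, right enough that infected hosts answer it.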

This is easy to take down (1)

drmofe (523606) | about 3 years ago | (#36618210)

All that law enforcement needs to do is to purchase payload delivery on the botnet and include commands to delete Windows from each offending PC. Alternatively, they just need to place copyrighted material on each host and send in the MPAA and RIAA with infringement notices. That should get the job done.

Detection and removal (5, Informative)

Zaphod-AVA (471116) | about 3 years ago | (#36618244)

When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

To detect it, run the latest version of GMER.
http://www.gmer.net/

To remove it, you need to run a series of three scanners in this order:
TDSSkiller
http://support.kaspersky.com/viruses/solutions?qid=208280684

Combofix
http://www.bleepingcomputer.com/download/anti-virus/combofix

and Malwarebytes' Antimalware
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my clients' systems because I was convinced there were unknown Flash exploits.

-Z
