'Indestructible' rootkit rumours are greatly exaggerated! Stand down from high alert!


LulzSec has sailed away - if not off the edge of the world, at least into a part of space and time from which it can no longer trigger scary headlines.

It seems we needed something to replace LulzSec, and it looks as though we've found it. The indestructible rootkit!

The rootkit in question is generally known as TDL-4, because it's the fourth major incarnation of the TDL, or TDSS, rootkit family.

So, what are rootkits, and why are they troublesome?

The term rootkit is a venerable one, going right back to the early years of cyber-break-and-enter and malware on UNIX. (You'd think Linux fanbuoys would accept the existence of malware on UNIX-type systems as a badge of historical honour, not as an inconvenient truth to be glossed over, then ignored, and finally denied.)

After you'd broken into someone's UNIX box and acquired administrative privileges, better known as getting root, you'd typically upload your favourite package of system modifications to help you disguise and maintain your illicit root shell for as long as possible.

For example, you might deploy modified ls and ps commands, so that file and process listings would have your files and processes removed. And you might fiddle with syslogd so that you could more easily cover your tracks.

And what else would you call your preferred toolkit for hanging on to root access but a rootkit?

On Windows, modern rootkits serve a similar purpose. Briefly put, a rootkit is a malware component which serves to hide the presence of other items of malware, and possibly also to hide itself. Another term used for this activity is stealth, so you'll sometimes hear rootkits called "stealth drivers", or "stealthers", and you'll hear the activities of rootkits called "stealthing". The harder a piece of malware is to find, and then to clean, the longer its lifespan is likely to be.

The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can't buy the TDL source code to use with your own malware. It's closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service.

Recent versions of TDL are particularly sneaky. Once installed, they don't need any files on your C: drive at all. They store their files in a secret, encrypted partition at the end of your hard disk, just outside the reach and visibility of Windows. They launch before Windows itself, using a trick from some of the oldest PC viruses in existence.

TDL loads from the MBR (Master Boot Record). The trick here is that the MBR loads before any OS (in fact, it's responsible for bootstrapping the OS of your choice), and it loads when the computer is in 16-bit Real Mode. If you're old enough, think back to MS-DOS and the BIOS.

That means there is no memory protection and no inter-process security. Any piece of code can read and write anywhere in memory and on disk. So TDL is pretty much a miniature malware-oriented operating system. It messes with Windows memory even as the OS loads, injecting itself into Windows right from the very start. At that time, loosely put, there is no security at all.
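A defender-side check for the two behaviours described above (boot code in the MBR, storage past the last partition), as an added example that is not from the original article or from any Sophos tool. It assumes the 512-byte sector was captured from outside the running Windows installation and that a known-good hash of the boot code was recorded earlier; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                          "start": lba_start, "end": lba_start + count})
    return {"boot_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts}

def audit(sector: bytes, disk_sectors: int, baseline_sha256: str) -> list:
    """Return findings: boot-code drift and space no partition covers."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["boot_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    last_end = max((p["end"] for p in mbr["partitions"]), default=0)
    if last_end > disk_sectors:
        findings.append("partition table extends past end of disk")
    elif disk_sectors - last_end > 0:
        findings.append(f"{disk_sectors - last_end} unpartitioned sectors at end of disk")
    return findings

def build_sample(boot_fill: int) -> bytes:
    """Constructed sample: one active NTFS partition, LBA 2048..204800."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 202752) + bytes(48)
    return bytes([boot_fill]) * 446 + table + b"\x55\xaa"

CLEAN = build_sample(0x90)       # stands in for the known-good sector
TAMPERED = build_sample(0xCC)    # same partition table, different boot code
BASELINE = parse_mbr(CLEAN)["boot_sha256"]

if __name__ == "__main__":
    print(audit(CLEAN, 204800, BASELINE))
    print(audit(TAMPERED, 206848, BASELINE))
```

Unpartitioned sectors at the end of a disk are common on clean machines too, so that finding tells you where to look, not that anything is there.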

Fascinating stuff. But is it indestructible? Is any malware truly indestructible?

Of course not.

There's a fascinating part of the theory of computation known as the Halting Problem. Greatly oversimplified, it says that no computer program can guarantee, in finite time, to predict the behaviour of all other programs.

Cast into other clothes, the Halting Problem can be used to show that you can't write an anti-virus that will detect all possible viruses. You'll always need updates. But there's a neat corollary. You can never write a virus which will evade all possible anti-virus programs, either.

So none of the TDL-rootkit-based malware is indestructible.

Better yet, sensible security precautions can stop you getting infected in the first place. If you patch regularly, you're much less likely to suffer a drive-by malware install. If you don't run everything as administrator, you won't give a TDL installer program the chance to change your MBR. And if you have a decent and up-to-date anti-virus, you probably won't be able to run a TDL installer at all. Your anti-virus will probably block it.

Even if you're unlucky enough to get infected, cleaning up isn't too arduous. Many anti-virus programs - including from Sophos and from various of our competitors - can sort out a TDL infection for you. You don't need to wipe your disk, buy a new PC, or reinstall Windows.

TDL may be tricky, and sneakily thought out, and cunningly implemented. It may be a tough analysis problem for security researchers.

But it is NOT indestructible. No malware ever is. Stand down from high alert.

(Don't Panic badge from Jim Linwood's photostream on Flickr.)

(Stop sign from Bad at Sport's blog.)


13 Responses to 'Indestructible' rootkit rumours are greatly exaggerated! Stand down from high alert!

  1. I've heard that one of the vectors for TDL-4 is fake AV programs. What if one of those got onto a PC despite an installed and up-to-date Sophos ESC 9.7?

    • Paul Ducklin · 1188 days ago

      As I mentioned - due to the Halting Problem - it's always possible for a new piece of malware to defeat existing defences. That's why I said that things like patching and an up-to-date anti-virus would _probably_ prevent infection.

      You might always be one of the unlucky early victims, of course, or you might inadvertently have a lapse in protection - a missed update, perhaps - at just the wrong moment.

      That's where cleanup comes in. (We try to provide automatic cleanup for all malware where cleanup is practicable.) It lets you disinfect PCs which did get hit, and bring their protection back up to scratch.

      This, of course, applies to all malware, including TDL-4-based malware and the many fake anti-viruses out there...

  2. "LulzSec has sailed away" - The name has, but has anyone noticed that AnonymousIRC is picking up the slack? The tweets even feel like they are written by the same person. They have just been absorbed, so the threat is still present.

    I find it amusing that by just losing the Lulzsec name everyone seems to think they are gone.

  3. Neil · 1189 days ago

    This misses the point (as I understood it from the BBC article) of the original report - it's not the rootkit that is difficult to destroy, but the botnet behind it.

    • Readingreading · 1189 days ago

      Yes. This blogger should try to learn reading skills first. Other guys are speaking about an indestructible botnet and as a "reply" this guy starts to talk about an indestructible rootkit. Apples and oranges.

      • Paul Ducklin · 1188 days ago

        This blogger practises reading every morning. His favourite coffee-time haunt is Vulture Central (The Register), which trumpeted this: "'Indestructible' rootkit enslaves 4.5m PCs in 3 months." And that headline was re-echoed pretty widely all over the net. We were explicitly asked by Naked Security readers, "Will you guys write something on this 'indestructible rootkit' thing?"

        I could have entitled the article "indestructible botnet", in any case. The same arguments apply. After all, how do you destroy a botnet? You can't easily kill the "net" part any more - and the TDL family is not unique in this regard - because few bots have a central head which can be chopped off. And even if you do behead a botnet, the infections remain.

        You _destroy_ a botnet by getting rid of the _bots_. Sure, the rootkit is designed to make the bots harder to find and fix. But it doesn't make it impossible. TDL might be a pain to analyse in the first place, but it isn't a pain to clean up once you know how. That cleanup can be automated - and has been in most decent anti-viruses.

        Ergo, this rootkit, and thus "this botnet", are not indestructible. That's just hype.

        As for "apples and oranges", here's some reading practice, from the Annals of Improbable Research. The paper is entitled "Apples and Oranges - a Comparison" :-) http://improbable.com/airchives/paperair/volume1/...

  4. If you write protect the boot record, would that prevent the virus?

    • @Sophos, can you please try to test whether write protecting the fixed boot sector using the BIOS settings really prevents the virus from writing to the MBR? Looking forward to your reply! So far nobody has been able to answer that question.

      • Paul Ducklin · 1188 days ago

        Write-protecting the MBR in the BIOS will not help.

        A TDL infection is carried out by a piece of Windows malware - what's known as a dropper. Writing to the MBR under Windows relies on the protected-mode Windows drivers, not the BIOS.

        The BIOS becomes irrelevant when the CPU shifts from 16-bit real mode into 32 or 64 bit protected mode.

  5. John Parsons · 1188 days ago

    Yeah, like you said, it is indeed very preventable if you are a Windows update maniac (like me).

    • Pug177 · 1187 days ago

      Patching has zero relevance in a social engineering world.

      • Jingles · 1179 days ago

        Exactly, you can't patch a user's stupidity. Unfortunately human behavior is the weakest link in security.

  6. Chute y u no open? · 1130 days ago

    If it loads via MBR, wouldn't a cleanup be as simple as inserting a Windows 7 Maintenance CD and using it to restore your Master Boot Record? True, it would still be there, but if it never loads it can't do any harm.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog