‘Indestructible’ rootkit rumours are greatly exaggerated! Stand down from high alert!

LulzSec has sailed away – if not off the edge of the world, at least into a part of space and time from which it can no longer trigger scary headlines.

It seems we needed something to replace LulzSec, and it looks as though we’ve found it. The indestructible rootkit!

The rootkit in question is generally known as TDL-4, because it’s the fourth major incarnation of the TDL, or TDSS, rootkit family.

So, what are rootkits, and why are they troublesome?

The term rootkit is a venerable one, going right back to the early years of cyber-break-and-enter and malware on UNIX. (You’d think Linux fanbuoys would accept the existence of malware on UNIX-type systems as a badge of historical honour, not as an inconvenient truth to be glossed over, then ignored, and finally denied.)

After you’d broken into someone’s UNIX box and acquired administrative privileges, better known as getting root, you’d typically upload your favourite package of system modifications to help you disguise and maintain your illicit root shell for as long as possible.

For example, you might deploy modified ls and ps commands, so that file and process listings would have your files and processes removed. And you might fiddle with syslogd so that you could more easily cover your tracks.

And what else would you call your preferred toolkit for hanging on to root access but a rootkit?

On Windows, modern rootkits serve a similar purpose. Briefly put, a rootkit is a malware component which serves to hide the presence of other items of malware, and possibly also to hide itself. Another term used for this activity is stealth, so you’ll sometimes hear rootkits called “stealth drivers”, or “stealthers”, and you’ll hear the activities of rootkits called “stealthing”. The harder a piece of malware is to find, and then to clean, the longer its lifespan is likely to be.
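The classic way to spot the kind of tampering described above (a doctored ps that leaves out the intruder's processes) is a cross-view comparison: ask the kernel for its own list of processes and compare it with what the user-land tool reports. The Python below is an added example, not code from the original article; the sample /proc listing and ps output are constructed for illustration, and the live_check() helper assumes a Linux host with /proc and a ps command on the PATH.

```python
import os
import subprocess


# Constructed sample data: what a directory listing of /proc and the output of
# `ps -e` might look like on a box where one process (PID 1337) is being hidden
# from ps but is still visible to the kernel.
SAMPLE_PROC_ENTRIES = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo"]
SAMPLE_PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
 4242 pts/0    00:00:00 bash
"""


def pids_from_proc(entries):
    """Kernel view: every purely numeric directory name under /proc is a PID."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """Tool view: skip the header line and take the first column of each row."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def hidden_pids(proc_view, ps_view):
    """Cross-view difference: PIDs the kernel exposes but the tool does not list.

    Short-lived processes can appear in one snapshot and not the other, so a
    practitioner re-checks any survivor a second time before calling it hidden.
    """
    return sorted(proc_view - ps_view)


def live_check():
    """Run the same comparison against the running host (assumes Linux + ps)."""
    proc_view = pids_from_proc(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return hidden_pids(proc_view, pids_from_ps(ps_out))


if __name__ == "__main__":
    print("sample:", hidden_pids(pids_from_proc(SAMPLE_PROC_ENTRIES), pids_from_ps(SAMPLE_PS_OUTPUT)))
```

The two views are taken at slightly different instants, so a single stray PID is not proof of anything; a PID that stays in the difference across repeated runs, and whose /proc/PID/status is readable, is the thing worth investigating. A rootkit that also hooks the /proc reads themselves defeats this particular check, which is why cross-view tools tend to compare several independent sources.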

The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can’t buy the TDL source code to use with your own malware. It’s closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service.

Recent versions of TDL are particularly sneaky. Once installed, they don’t need any files on your C: drive at all. They store their files in a secret, encrypted partition at the end of your hard disk, just outside the reach and visibility of Windows. They launch before Windows itself, using a trick from some of the oldest PC viruses in existence.

TDL loads from the MBR (Master Boot Record). The trick here is that the MBR loads before any OS (in fact, it’s responsible for bootstrapping the OS of your choice), and it loads when the computer is in 16-bit Real Mode. If you’re old enough, think back to MS-DOS and the BIOS.

That means there is no memory protection and no inter-process security. Any piece of code can read and write anywhere in memory and on disk. So TDL is pretty much a miniature malware-oriented operating system. It messes with Windows memory even as the OS loads, injecting itself into Windows right from the very start. At that time, loosely put, there is no security at all.
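Both of the tricks just described leave marks in the first sector of the disk: the boot code in the MBR is no longer what the OS installer wrote, and the partition table no longer accounts for the space at the end of the drive. The Python below is an added example, not code from the original article or from any anti-virus product; it builds a constructed 512-byte MBR image, parses the four partition entries, reports how many sectors lie beyond the last partition, and compares the boot-code bytes against a known-good hash. Disk sizes and partition layout are made-up sample values.

```python
import hashlib
import struct

SECTOR_BYTES = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
BOOT_CODE_BYTES = 440             # bytes 440-443 hold the disk signature, so hash only the code
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code, partitions):
    """Construct an MBR image (test data only, not copied from any real disk).

    partitions: list of (type_byte, start_lba, sector_count), at most four.
    """
    mbr = bytearray(boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00"))
    for i in range(4):
        if i < len(partitions):
            ptype, start, size = partitions[i]
            status = 0x80 if i == 0 else 0x00
            mbr += struct.pack(ENTRY_FORMAT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, size)
        else:
            mbr += bytes(16)
    mbr += b"\x55\xaa"            # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts; reject a sector without the 55AA signature."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, start, size = struct.unpack(ENTRY_FORMAT, mbr[off:off + 16])
        if ptype != 0 and size != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": size})
    return parts


def trailing_unallocated_sectors(partitions, disk_sectors):
    """Sectors after the end of the last partition: where a hidden partition could live."""
    last_end = max((p["start_lba"] + p["sectors"] for p in partitions), default=0)
    return disk_sectors - last_end


def boot_code_hash(mbr):
    return hashlib.sha256(mbr[:BOOT_CODE_BYTES]).hexdigest()


def boot_code_changed(mbr, baseline_sha256):
    """True when the boot code differs from the hash recorded when the machine was known clean."""
    return boot_code_hash(mbr) != baseline_sha256


if __name__ == "__main__":
    # Constructed scenario: a 1,000,000-sector disk whose only partition stops well short of the end.
    sample = build_sample_mbr(b"\xeb\xfe", [(0x07, 2048, 900_000)])
    parts = parse_mbr(sample)
    print("partitions:", parts)
    print("trailing sectors:", trailing_unallocated_sectors(parts, 1_000_000))
```

To run the same checks against a real machine, read the first 512 bytes of the raw device (which needs administrative rights, one reason the article recommends not running as administrator) and pass the disk's sector count from the OS. A gap of a few thousand sectors at the end of a drive is normal alignment slack, and a large gap is not by itself proof of infection, so treat the baseline hash of the boot code as the stronger signal and the trailing-space figure as a reason to look closer.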

Fascinating stuff. But is it indestructible? Is any malware truly indestructible?

Of course not.

There’s a fascinating part of the theory of computation known as the Halting Problem. Greatly oversimplified, it says that no computer program can guarantee, in finite time, to predict the behaviour of all other programs.

Cast into other clothes, the Halting Problem can be used to show that you can’t write an anti-virus that will detect all possible viruses. You’ll always need updates. But there’s a neat corollary. You can never write a virus which will evade all possible anti-virus programs, either.

So none of the TDL-rootkit-based malware is indestructible.

Better yet, sensible security precautions can stop you getting infected in the first place. If you patch regularly, you’re much less likely to suffer a drive-by malware install. If you don’t run everything as administrator, you won’t give a TDL installer program the chance to change your MBR. And if you have a decent and up-to-date anti-virus, you probably won’t be able to run a TDL installer at all. Your anti-virus will probably block it.

Even if you’re unlucky enough to get infected, cleaning up isn’t too arduous. Many anti-virus programs – including Sophos’s own, and those of various competitors – can sort out a TDL infection for you. You don’t need to wipe your disk, buy a new PC, or reinstall Windows.

TDL may be tricky, and sneakily thought out, and cunningly implemented. It may be a tough analysis problem for security researchers.

But it is NOT indestructible. No malware ever is. Stand down from high alert.

(Don’t Panic badge from Jim Linwood’s photostream on Flickr.)

(Stop sign from Bad at Sport’s blog.)