[real-eyes] 'Indestructible' rootkit rumours are greatly exaggerated! Stand down
- From: Steve <kcpadfoot@xxxxxxxxx>
- To: nut@xxxxxxxxxxxxx, real-eyes@xxxxxxxxxxxxx
- Date: Mon, 04 Jul 2011 21:38:10 -0500
The following great article is from:
http://nakedsecurity.sophos.com/2011/06/30/indestructible-rootkit-rumours-are-greatly-exaggerated-stand-down-from-high-alert/
'Indestructible' rootkit rumours are greatly exaggerated! Stand down
from high alert!
by
Paul Ducklin
on June 30, 2011 |
DON'T PANIC badge
LulzSec has sailed away - if not off the edge of the world, at least
into a part
of space and time from which it can no longer trigger scary headlines.
It seems we needed something to replace LulzSec, and it looks as though
we've found
it. The indestructible rootkit!
The rootkit in question is generally known as TDL-4, because it's the
fourth major
incarnation of the TDL, or TDSS, rootkit family.
So, what are rootkits, and why are they troublesome?
The term rootkit
is a venerable one, going right back to the early years of
cyber-break-and-enter
and malware on UNIX. (You'd think Linux fanbuoys would accept the
existence of malware
on UNIX-type systems as a badge of historical honour, not as an
inconvenient truth
to be glossed over, then ignored, and finally denied.)
After you'd broken into someone's UNIX box and acquired administrative
privileges,
better known as
getting root
, you'd typically upload your favourite package of system modifications
to help you
disguise and maintain your illicit root shell for as long as possible.
For example, you might deploy modified ls and ps
commands, so that file and process listings would have your files and
processes
removed. And you might fiddle with
syslogd so that you could more easily cover your tracks.
And what else would you call your preferred toolkit for hanging on to
root access
but a
rootkit?
On Windows, modern rootkits serve a similar purpose. Briefly put, a
rootkit is a
malware component which serves to hide the presence of other items of
malware, and
possibly also to hide itself. Another term used for this activity is
stealth
, so you'll sometimes hear rootkits called "stealth drivers", or
"stealthers", and
you'll hear the activities of rootkits called "stealthing". The harder a
piece of
malware is to find, and then to clean, the longer its lifespan is likely
to be.
The TDL rootkit family is, indeed, one of the trickiest rootkits around.
The crooks
who wrote it are well aware of that: to the best of my knowledge, you
can't buy
the TDL source code to use with your own malware. It's closed source;
proprietary;
a trade secret. But you can lease time on a botnet which is built around
a TDL rootkit.
Think cloud. Think
MaaS: Malware as a Service.
Hard drive
Recent versions of TDL are particularly sneaky. Once installed, they
don't need any
files on your C: drive at all. They store their files in a secret,
encrypted partition
at the end of your hard disk, just outside the reach and visibility of
Windows. They
launch before Windows itself, using a trick from some of the oldest PC
viruses in
existence.
TDL loads from the MBR (Master Boot Record). The trick here is that the
MBR loads
before any OS (in fact, it's reponsible for bootstrapping the OS of your
choice),
and it loads when the computer is in 16-bit Real Mode. If you're old
enough, think
back to MS-DOS and the BIOS.
That means there is no memory protection and no inter-process security.
Any piece
of code can read and write anywhere in memory and on disk. So TDL is
pretty much
a miniature malware-oriented operating system. It messes with Windows
memory even
as the OS loads, injecting itself into Windows right from the very
start. At that
time, loosely put, there is no security at all.
Fascinating stuff. But is it indestructible? Is any malware truly
indestructible?
Of course not.
Stop sign
There's a fascinating part of the theory of computation known as the
Halting Problem
. Greatly oversimplified, it says that no computer program can
guarantee, in finite
time, to predict the behaviour of all other programs.
Cast into other clothes, the Halting Problem can be used to show that
you can't write
an anti-virus that will detect all possible viruses. You'll always need
updates.
But there's a neat corollary. You can never write a virus which will
evade all possible
anti-virus programs, either.
So none of the TDL-rootkit-based malware is indestructible.
Better yet, sensible security precautions can stop you getting infected
in the first
place. If you patch regularly, you're much less likely to suffer a
drive-by
malware install. If you don't run everything as administrator, you
won't give a
TDL installer program the chance to change your MBR. And if you have a
decent and
up-to-date anti-virus, you probably won't be able to run a TDL installer
at all.
Your anti-virus will probably block it.
Even if you're unlucky enough to get infected, cleaning up isn't too
arduous. Many
anti-virus programs - including from Sophos and from various of our
competitors -
can sort out a TDL infection for you. You don't need to wipe your disk,
buy a new
PC, or reinstall Windows.
TDL may be tricky, and sneakily thought out, and cunningly implemented.
It may be
a tough analysis problem for security researchers.
But it is NOT indestructible. No malware ever is. Stand down from high
alert.
To subscribe or to leave the list, or to set other subscription options, go to
www.freelists.org/list/real-eyes
Other related posts:
- » [real-eyes] 'Indestructible' rootkit rumours are greatly exaggerated! Stand down - Steve
