[real-eyes] 'Indestructible' rootkit rumours are greatly exaggerated! Stand down

  • From: Steve <kcpadfoot@xxxxxxxxx>
  • To: nut@xxxxxxxxxxxxx, real-eyes@xxxxxxxxxxxxx
  • Date: Mon, 04 Jul 2011 21:38:10 -0500

The following great article is from:

'Indestructible' rootkit rumours are greatly exaggerated! Stand down 
from high alert!
Paul Ducklin
  on June 30, 2011      |
LulzSec has sailed away - if not off the edge of the world, at least 
into a part
of space and time from which it can no longer trigger scary headlines.
It seems we needed something to replace LulzSec, and it looks as though 
we've found
it. The indestructible rootkit!
The rootkit in question is generally known as TDL-4, because it's the 
fourth major
incarnation of the TDL, or TDSS, rootkit family.
So, what are rootkits, and why are they troublesome?
The term rootkit
  is a venerable one, going right back to the early years of 
and malware on UNIX. (You'd think Linux fanbuoys would accept the
existence of malware
  on UNIX-type systems as a badge of historical honour, not as an 
inconvenient truth
to be glossed over, then ignored, and finally denied.)
After you'd broken into someone's UNIX box and acquired administrative 
better known as
getting root
, you'd typically upload your favourite package of system modifications 
to help you
disguise and maintain your illicit root shell for as long as possible.
For example, you might deploy modified ls and ps
  commands, so that file and process listings would have your files and 
removed. And you might fiddle with
syslogd so that you could more easily cover your tracks.
And what else would you call your preferred toolkit for hanging on to 
root access
but a
On Windows, modern rootkits serve a similar purpose. Briefly put, a 
rootkit is a
malware component which serves to hide the presence of other items of 
malware, and
possibly also to hide itself. Another term used for this activity is
, so you'll sometimes hear rootkits called "stealth drivers", or 
"stealthers", and
you'll hear the activities of rootkits called "stealthing". The harder a 
piece of
malware is to find, and then to clean, the longer its lifespan is likely 
to be.
The TDL rootkit family is, indeed, one of the trickiest rootkits around. 
The crooks
who wrote it are well aware of that: to the best of my knowledge, you
can't buy
  the TDL source code to use with your own malware. It's closed source; 
a trade secret. But you can lease time on a botnet which is built around 
a TDL rootkit.
Think cloud. Think
MaaS: Malware as a Service.
Hard drive
Recent versions of TDL are particularly sneaky. Once installed, they 
don't need any
files on your C: drive at all. They store their files in a secret, 
encrypted partition
at the end of your hard disk, just outside the reach and visibility of 
Windows. They
launch before Windows itself, using a trick from some of the oldest PC 
viruses in
TDL loads from the MBR (Master Boot Record). The trick here is that the 
MBR loads
before any OS (in fact, it's reponsible for bootstrapping the OS of your 
and it loads when the computer is in 16-bit Real Mode. If you're old 
enough, think
back to MS-DOS and the BIOS.
That means there is no memory protection and no inter-process security. 
Any piece
of code can read and write anywhere in memory and on disk. So TDL is 
pretty much
a miniature malware-oriented operating system. It messes with Windows 
memory even
as the OS loads, injecting itself into Windows right from the very 
start. At that
time, loosely put, there is no security at all.
Fascinating stuff. But is it indestructible? Is any malware truly 
Of course not.
Stop sign
There's a fascinating part of the theory of computation known as the
Halting Problem
. Greatly oversimplified, it says that no computer program can 
guarantee, in finite
time, to predict the behaviour of all other programs.
Cast into other clothes, the Halting Problem can be used to show that 
you can't write
an anti-virus that will detect all possible viruses. You'll always need 
But there's a neat corollary. You can never write a virus which will 
evade all possible
anti-virus programs, either.
So none of the TDL-rootkit-based malware is indestructible.
Better yet, sensible security precautions can stop you getting infected 
in the first
place. If you patch regularly, you're much less likely to suffer a
  malware install. If you don't run everything as administrator, you 
won't give a
TDL installer program the chance to change your MBR. And if you have a 
decent and
up-to-date anti-virus, you probably won't be able to run a TDL installer 
at all.
Your anti-virus will probably block it.
Even if you're unlucky enough to get infected, cleaning up isn't too 
arduous. Many
anti-virus programs - including from Sophos and from various of our 
competitors -
can sort out a TDL infection for you. You don't need to wipe your disk, 
buy a new
PC, or reinstall Windows.
TDL may be tricky, and sneakily thought out, and cunningly implemented. 
It may be
a tough analysis problem for security researchers.
But it is NOT indestructible. No malware ever is. Stand down from high 
To subscribe or to leave the list, or to set other subscription options, go to 

Other related posts:

  • » [real-eyes] 'Indestructible' rootkit rumours are greatly exaggerated! Stand down - Steve