#1
#2
My understanding of it is that it infects the MBR, so that anyone who normally backs up will be reinfected through that mechanism - unless they run a Linux Live CD or USB and correct the MBR - then run various updated AV scans against any signatured and/or heuristic malware findings to ensure it is clean - then take it off the Internet and back it up with updated patches for the Windows OS, and keep the AV scanners with realtime protection and offline scanning for future connection to the Internet.
Indestructible - nearly, but very, very difficult to coordinate a takedown - so, effectively yes. -- Tom
#3
Distributed botnets are always difficult to take down because of the large number of machines infected. You will probably never get so many machines cleaned, and TDSS is difficult to remove in the first place.
#4
The sky is not falling.
Protect your computer.
__________________
Don't ever believe in self-proclaimed "security experts" who assert that there are "no solutions".
#5
#6
I had my doubts anyway about it being indestructible.
#7
I believe that people are misinterpreting Kaspersky's article on this subject when they claim that TDL4 was called an 'indestructible rootkit'.
No one is arguing that the infection is impossible to remove or combat. What they are referring to is the fact that the BOTNET is extremely difficult to disable. Due to the redundant nature of the command and control mechanisms, and the encryption employed, it's highly unlikely that anyone will be able to defeat the BOTNET by cutting off the head at the C&C. So, yeah, no one is claiming a TDL4 infection is indestructible. Just that you'll never get it off the web the way other botnets have been felled.
#8
Indeed, Carbonyl is right.
#9
__________________
I've discovered that people on IRC don't get offended or riled up by racism, nor politically incorrect jokes, nor feminism, nazism, nor goatse, or even tubgirl, not even jokes about 9/11 get a rise out of anybody but as soon as I tell somebody that macs are better than PCs, things get ugly.
#10
Let the world think a thing is super and needs something super awesome to counter it, and you will make your money.
#11
I mind my p's and q's ...or Protect and Quell
#12
Like Spoony said, I hope this continues to scare people. People could use a scare.
#13
I only use XP, so this is what I found:

FIX MBR WITH Bootrec.exe
Use the tool BOOTREC.exe to fix the MBR as in: bootrec.exe /fixmbr
More information about using the tool BOOTREC.exe available here.
Code:
Bootrec.exe options
The Bootrec.exe tool supports the following options. Use the option that is appropriate for your situation.

Note: If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following commands at the Windows RE command prompt:
    bcdedit /export C:\BCD_Backup
    c:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd

/FixMbr
The /FixMbr option writes a Windows 7 or Windows Vista-compatible MBR to the system partition. This option does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.

/FixBoot
The /FixBoot option writes a new boot sector to the system partition by using a boot sector that is compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:
    • The boot sector has been replaced with a non-standard Windows Vista or Windows 7 boot sector.
    • The boot sector is damaged.
    • An earlier Windows operating system has been installed after Windows Vista or Windows 7 was installed. In this scenario, the computer starts by using Windows NT Loader (NTLDR) instead of Windows Boot Manager (Bootmgr.exe).

/ScanOs
The /ScanOs option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.

/RebuildBcd
The /RebuildBcd option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD.

Repairs the master boot record of the boot disk. The fixmbr command is only available when you are using the Recovery Console.
    fixmbr [device_name]
Parameter ...
Code:
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.
To fix the MBR:
1. Open a Windows Recovery Console
    • For Windows XP: Installing and using the Recovery Console in Windows XP
    • For Windows Vista: System Recovery Options in Windows Vista
    • For Windows 7: System Recovery Options in Windows 7
2. Use the tool BOOTREC.exe to fix the MBR as in: bootrec.exe /fixmbr
   More information about using the tool BOOTREC.exe available here.
Code:
3. Restart the computer and you can then scan the system to remove any remaining malware. If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system. -- Chun Feng

Update 6/28/2011: MSFT has more info for other OS
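Post #2 suggests dumping and correcting the MBR from a Linux Live CD, and the Microsoft text quoted in post #13 says /FixMbr rewrites the boot code but "does not overwrite the existing partition table". The following Python script is an added example (not from the thread, Microsoft or Kaspersky) that makes those two regions of a 512-byte MBR image visible so you can compare a dump taken before the fix with one taken after it. The sample images are constructed in the script; the "clean" boot code bytes are a placeholder, not a real Windows MBR, and the layout constants are the standard MBR offsets (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature). On a live CD a real image comes from `dd if=/dev/sda of=mbr.bin bs=512 count=1`.

```python
"""Parse and compare 512-byte MBR images (added example; constructed sample data)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the region bootrec /FixMbr rewrites
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries, left alone by /FixMbr
PART_ENTRY_LEN = 16
SIG_OFF = 510            # bytes 510..511: boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (legacy CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into a boot-code hash, the partition table and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    table = mbr[PART_TABLE_OFF:SIG_OFF]
    partitions = []
    for i in range(4):
        entry = table[i * PART_ENTRY_LEN:(i + 1) * PART_ENTRY_LEN]
        if entry != b"\x00" * PART_ENTRY_LEN:  # skip unused slots
            partitions.append(parse_partition_entry(entry))
    return {
        "signature_ok": mbr[SIG_OFF:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(reference: bytes, suspect: bytes) -> dict:
    """Report which regions differ between a known-good MBR image and a suspect one."""
    return {
        "boot_code_changed": reference[:BOOT_CODE_LEN] != suspect[:BOOT_CODE_LEN],
        "partition_table_changed": reference[PART_TABLE_OFF:SIG_OFF]
        != suspect[PART_TABLE_OFF:SIG_OFF],
        "signature_changed": reference[SIG_OFF:] != suspect[SIG_OFF:],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: given boot code plus one active type-0x07 partition at LBA 2048."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + BOOT_SIGNATURE


# Constructed samples. The "clean" bytes are a stand-in, not a real Windows MBR; the
# "tampered" image differs only in the boot code, which is what an MBR infection that
# preserves the partition table looks like when the two dumps are compared.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 5)

if __name__ == "__main__":
    # Real use: dd if=/dev/sda of=mbr.bin bs=512 count=1, then parse_mbr(open("mbr.bin","rb").read())
    print(parse_mbr(TAMPERED_MBR))
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

Take one dump before running bootrec /fixmbr and one after: a successful fix shows `boot_code_changed` true and `partition_table_changed` false, which is exactly the behaviour the quoted Microsoft text promises. The check only covers the first 512 bytes of the disk, so, as step 3 of the quoted procedure says, it has to be followed by a full scan for whatever else the malware left on the system.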