'Indestructible' rootkit rumours are greatly exaggerated! Stand down from high alert!

Discussion in 'malware problems & news' started by PJC, Jul 1, 2011.

Thread Status:
Not open for further replies.
  1. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    My understanding of it is that it infects the MBR, so that anyone who normally backs up will be reinfected through that mechanism - unless they run a Linux Live CD or USB and correct the MBR - then run various updated AV scans against any signatured and/or heuristic malware findings to ensure it is clean - then take it off the Internet and back it up with updated patches for the Windows OS, and keep the AV scanners with realtime protection and offline scanning for future connection to the Internet.

    Indestructible - nearly, but very, very difficult to coordinate a takedown - so, effectively yes.

    -- Tom
     
  3. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    Distributed botnets are always difficult to take down because of the large number of machines infected. You will probably never get so many machines cleaned, and TDSS is difficult to remove in the first place.
     
  4. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    The sky is not falling.

    Protect your computer.
     
  5. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  6. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I had my doubts anyway about it being indestructible. :D
     
  7. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I believe that people are misinterpreting Kaspersky's article on this subject when they claim that TDL4 was called an 'indestructible rootkit'.

    No one is arguing that the infection is impossible to remove or combat. What they are referring to is the fact that the BOTNET is extremely difficult to disable. Due to the redundant nature of the command and control mechanisms, and the encryption employed, it's highly unlikely that anyone will be able to defeat the BOTNET by cutting off the head at the C&C.

    So, yeah, no one is claiming a TDL4 infection is indestructible. Just that you'll never get it off the web the way other botnets have been felled.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Indeed, Carbonyl is right.
     
  9. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    ^+1 and a bit of common sense
     
  10. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Let the world think a thing is super and needs something super awesome to counter it, and you will make your money.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    I mind my p's and q's ...or Protect and Quell :D
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Is The New TDL-4 Botnet Really 'Indestructible?'

    Like Spooony said, I hope this continues to scare people. People could use a scare.
     
  13. humble3d

    humble3d Registered Member

    Joined:
    Jan 31, 2003
    Posts:
    12
    I only use XP, so this is what I found:

    FIX MBR WITH Bootrec.exe

    Use the tool BOOTREC.exe to fix the MBR as in:

    bootrec.exe /fixmbr

    More information about using the tool BOOTREC.exe available here.

    Code:
    http://support.microsoft.com/kb/927392

    Bootrec.exe options

    The Bootrec.exe tool supports the following options. Use the option that is appropriate for your situation.

    Note If rebuilding the BCD does not resolve the startup issue, you can export and delete the BCD, and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following commands at the Windows RE command prompt:

    bcdedit /export C:\BCD_Backup
    c:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd

    /FixMbr
    The /FixMbr option writes a Windows 7 or Windows Vista-compatible MBR to the system partition. This option does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.

    /FixBoot
    The /FixBoot option writes a new boot sector to the system partition by using a boot sector that is compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:

    The boot sector has been replaced with a non-standard Windows Vista or Windows 7 boot sector.
    The boot sector is damaged.
    An earlier Windows operating system has been installed after Windows Vista or Windows 7 was installed. In this scenario, the computer starts by using Windows NT Loader (NTLDR) instead of Windows Boot Manager (Bootmgr.exe).

    /ScanOs
    The /ScanOs option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.
    /RebuildBcd
    The /RebuildBcd option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD.


    Repairs the master boot record of the boot disk. The fixmbr command is only available when you are using the Recovery Console.

    fixmbr [device_name]

    Parameter ...

    Code:
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixmbr.mspx?mfr=true

    If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

    To fix the MBR:

    1. Open a Windows Recovery Console
    • For Windows XP: Installing and using the Recovery Console in Windows XP
    • For Windows Vista: System Recovery Options in Windows Vista
    • For Windows 7: System Recovery Options in Windows 7

    2. Use the tool BOOTREC.exe to fix the MBR as in:

    bootrec.exe /fixmbr

    More information about using the tool BOOTREC.exe available here.

    Code:
    http://support.microsoft.com/kb/927392

    3. Restart the computer and you can then scan the system to remove any remaining malware.


    If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.

    -- Chun Feng

    Update 6/28/2011:

    MSFT has more info for other OSes.
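    The bootrec /FixMbr and fixmbr steps above rewrite the first sector's boot code while leaving the partition table alone. The following Python is an added illustration (not from this thread, from Microsoft, or from any TDL4 analysis) of what that means at the byte level: it parses a 512-byte MBR into its boot-code region, four partition entries and 0x55AA signature, hashes the boot code and the partition table separately so a changed boot sector can be told apart from a repartitioned disk, and applies a FixMbr-style repair that restores known-good boot code without touching the partition entries. The sample sectors are constructed for the example; the baseline digest you would compare against on a real machine is something you record yourself from a known-clean disk, and the sector should be read from outside the possibly infected OS (for example from a live CD, as suggested earlier in the thread), since an active rootkit can filter what the running system reads from disk.

```python
"""Classic MBR layout: 446 bytes of boot code, four 16-byte partition
entries, then the 0x55AA signature.  Added example; sample data below is
constructed and is not a real disk image."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510
MBR_SIGNATURE = b"\x55\xAA"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little endian
ENTRY_FORMAT = "<B3sB3sII"


def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and four raw partition entries."""
    if len(boot_code) != BOOT_CODE_LEN or len(entries) != 4:
        raise ValueError("need 446 bytes of boot code and exactly four entries")
    return boot_code + b"".join(entries) + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        if ptype == 0:          # type 0 means the slot is unused
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def region_digests(sector: bytes) -> dict:
    """SHA-256 of the boot-code region and of the partition table, separately."""
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(
            sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
    }


def diff_regions(baseline: bytes, current: bytes) -> dict:
    """Which regions differ from the recorded clean baseline sector."""
    before, after = region_digests(baseline), region_digests(current)
    return {name: before[name] != after[name] for name in before}


def restore_boot_code(sector: bytes, known_good_boot_code: bytes) -> bytes:
    """FixMbr-style repair: replace boot code, keep partition table and signature."""
    if len(known_good_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be 446 bytes")
    return known_good_boot_code + sector[BOOT_CODE_LEN:]


# --- constructed sample data (not real boot code) ---------------------------
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (BOOT_CODE_LEN - 3)
# One active NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long.
ENTRY_0 = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x21\x00", 0x07,
                      b"\xFE\xFF\xFF", 2048, 204800)
EMPTY_ENTRY = b"\x00" * PARTITION_ENTRY_LEN
CLEAN_MBR = build_sector(CLEAN_BOOT_CODE, [ENTRY_0, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])

# Same partition table, but the first bytes of boot code have been replaced
# with a jump elsewhere (a stand-in for a modified boot sector).
TAMPERED_BOOT_CODE = bytes([0xE9, 0x00, 0x01]) + CLEAN_BOOT_CODE[3:]
TAMPERED_MBR = build_sector(TAMPERED_BOOT_CODE, [ENTRY_0, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])


if __name__ == "__main__":
    print("clean:", parse_mbr(CLEAN_MBR))
    print("tampered vs baseline:", diff_regions(CLEAN_MBR, TAMPERED_MBR))
    repaired = restore_boot_code(TAMPERED_MBR, CLEAN_BOOT_CODE)
    print("repaired vs baseline:", diff_regions(CLEAN_MBR, repaired))
```

    Hashing the two regions separately is the point: a changed boot-code digest with an unchanged partition-table digest is what a rewritten boot sector looks like, while the reverse is what repartitioning looks like. A clean boot-code digest is not proof of a clean machine, since the rest of the infection lives elsewhere on disk, which is why the thread's advice to scan after the MBR repair still applies.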




     