World's most advanced rootkit penetrates 64-bit Windows

Started by Gary, Nov 16, 2010, 09:56:35


Gary

Quote: 'A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well.

The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August, according to security firm Prevx.

According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS's kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive's bowels and changing the machine's boot options'

More information Here

The malware fight is one I think we will never win; each month it's more ferocious, it seems  :(
Damned, if you do damned if you don't
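What the quoted article describes is a bootkit: the rootkit's code sits in the master boot record and runs before Windows does, so by the time the kernel enforces its driver signing policy the boot chain is already under the rootkit's control. One check a practitioner can keep to hand is a baseline of the disk's bootstrap sector taken while the machine is known clean. The script below is an added example, not code from the original post, from the article it quotes, or from any of the products mentioned in this thread. It parses a 512-byte MBR, hashes the 440-byte bootstrap area, compares that hash against a recorded baseline, and flags a malformed partition table (wrong status bytes, zero or several active partitions, overlapping entries). The bootstrap bytes, the baseline hash and the partition entries are constructed for the example; on a real machine you would feed it the first sector of the physical disk, read from a clean boot medium rather than from the possibly infected operating system.

```python
"""Added example: baseline check of an MBR sector (not code from the page)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
BOOTCODE_LEN = 440             # bootstrap code area in the modern MBR layout
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    bootcode = sector[:BOOTCODE_LEN]
    disk_signature = struct.unpack("<I", sector[440:444])[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if ptype == 0 and lba_start == 0 and sector_count == 0:
            continue  # empty slot
        partitions.append({
            "index": i, "status": status, "type": ptype,
            "lba_start": lba_start, "sector_count": sector_count,
        })
    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline hash")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    # Entries whose LBA ranges overlap point at a hand-edited or corrupted table.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sector_count"], p["index"])
                    for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_mbr(bootcode: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (status, ptype, lba_start, sector_count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sector_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins: a "known-good" bootstrap area, and the same area with its
# first instruction overwritten (a real infection rewrites far more than two bytes).
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 7)
TAMPERED_BOOTCODE = b"\xeb\xfe" + CLEAN_BOOTCODE[2:]
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()  # recorded while the disk was clean
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 2097152)]


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOTCODE), ("tampered", TAMPERED_BOOTCODE)):
        findings = check_mbr(build_sample_mbr(code, SAMPLE_PARTITIONS), BASELINE_SHA256)
        print(label, "->", findings or "OK")
```

The hash covers only the bootstrap area, so a legitimate partition change does not raise a false alarm, while any change to the code that runs at boot does. Keep the baseline hash somewhere the machine itself cannot rewrite; a baseline stored on the same disk is only as trustworthy as the disk.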

Simon

Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

D-Dan

The fight is over here - this prevents 99.99% of all known malware - Protection

Steve
Have I lost my way?



This post doesn't necessarily represent even my own opinions, let alone anyone else's

armadillo

Quote from: Gary on Nov 16, 2010, 09:56:35

More information Here

The Malware fight is one I think we will never win, each month its more ferocious it seems  :(


Good grief! Followed your link through to the detailed article written by Prevx, explaining how the rootkit works. Ferocious is the word. The level of understanding and intellectual ability possessed by the malware writers is incredible. What a waste of talent.

Gary

Quote from: armadillo on Nov 16, 2010, 10:28:15
Good grief! Followed your link through to the detailed article written by Prevx, explaining how the rootkit works. Ferocious is the word. The level of understanding and intellectual ability possessed by the malware writers is incredible. What a waste of talent.
If they worked for the security industry...we may have a chance maybe.

armadillo

Quote from: D-Dan on Nov 16, 2010, 10:27:55
The fight is over here - this prevents 99.99% of all known malware - Protection

Steve

LOL.

Trouble is, it also prevents 99.99% of all known software

If ever its penetration becomes large enough to make software development for it worthwhile, it will become the target for malware too.

D-Dan

Quote from: armadillo on Nov 16, 2010, 10:30:58
LOL.

Trouble is, it also prevents 99.99% of all known software


Which software are you thinking of? There are Linux versions or equivalents of just about anything you can think of, all free. And for those rare cases where the Windows version is an absolute must, there's wine (not the drink, the compatibility layer).

It'll even run Windows games if you are so inclined (I enjoy Trackmania whichever OS I use) :)

Steve

Gary

Quote from: D-Dan on Nov 16, 2010, 10:27:55
The fight is over here - this prevents 99.99% of all known malware - Protection

Steve
I agree, but getting Linux onto more machines is the hard part, even though it's getting better. With the vast majority of PC World style buyers it's always going to be Windows. That's where the battle is always going to be, and now OS X as well. Still, being in the minority has its advantages  ;)

armadillo

Quite, Gary! Presents an interesting moral dilemma, doesn't it? It means going out and actively recruiting malware developers into security software vendors.


Gary

Quote from: armadillo on Nov 16, 2010, 10:34:11
Quite, Gary! Presents an interesting moral dilemma, doesn't it? It means going out and actively recruiting malware developers into security software vendors.
Prevx did, hence their view on the security world and their behaviour-based security. Thing is, the money is where the crime is now for a lot of the sharp minds that develop these nasties.

armadillo

Quote from: Gary on Nov 16, 2010, 10:37:12
Prevx did, hence their view on the security world and their behavioural based security, thing is the money is where the crime is now for alot of the sharp minds that develop these nasties.

Good on Prevx for having the courage to do that. Social engineering is the hard part. More people are prepared to pay for special offers and cheap deals offered by spam and adware than will pay for legitimate software. So the criminal side have more money available for recruitment than the good guys. Not sure how to engineer around that.

Gary

Quote from: armadillo on Nov 16, 2010, 10:46:30
Good on Prevx for having the courage to do that. Social engineering is the hard part. More people are prepared to pay for special offers and cheap deals offered by spam and adware than will pay for legitimate software. So the criminal side have more money available for recruitment than the good guys. Not sure how to engineer around that.
The fact you get technical support for the malware you can buy shows how much it's gone past the old script kiddies to a major business now  :( As for greed, as VAT goes up and the cuts deepen, people will just become more vulnerable, sometimes out of desperation I fear. As for the ones that just use pirated software... I knew a guy who would build a PC costing say £2000 then use pirated Windows and AV etc. Now that just never made sense to me.  :shake:

Rik

It's like drivers who buy flash cars but don't insure them, Gary.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: Gary on Nov 16, 2010, 11:07:53
.I knew a guy who would build a pc costing say £2000 then use pirated Windows and AV etc, now that just never made sense to me.  :shake:

It seems to be an interesting part of human psychology that we compartmentalise our spending. The same person who goes out and spends £2000 on a new widescreen flat TV may be the same person who seeks out a bogof offer on cornflakes in Tescos.

There was also some research that showed that one of the most effective measures in helping drug addicts to overcome their addiction was paying them a modest reward for each week they can prove they have been drug-free. A £5 per week reward was enough. It was even effective when the person might have been spending £1000 a week on drugs. There is no logic to that but we do not behave logically, do we Mr Spock?

Gary

Quote from: Rik on Nov 16, 2010, 11:10:57
It's like drivers who buy flash cars but don't insure them, Gary.
Very true, Rik.  :(

armadillo

Quote from: D-Dan on Nov 16, 2010, 10:33:31
Which software are you thinking of? There are Linux versions or equivalents of just about anything you can think of, all free. And for those rare cases where the Windows version is an absolute must, there's wine (not the drink, the compatibility layer).

Steve

I think of things like Photoshop, where if you use a substitute, you have to learn a new and complex interface. Photoshop is itself complex but at least I am familiar with it. I have not got the energy to learn GIMP.

Then things that also have a hardware interface. Monitor calibration and profiling. So you want software to operate the colorimeter in the first place (I use basICColor Display4) and then it has a run time LUT loader to place its LUT into the graphics card's LUT. That kind of thing is a real pain to find in minority OSs. So yes, you can use something else but I want to use the software I choose and I do not want to be pushed by cyber terrorists into abandoning the choices I like.

I am sure there are workarounds but Linux is still geek territory, not mass market stuff. And, as I said, as soon as it is, it will be targeted.

Rik

I'm with you, Dill. When there's a version of Photoshop for Linux, it might be an option for me, but not till then.
Rik

D-Dan

Which particular fonts? MS core fonts are available, and Linux supports TTF and PS fonts natively.

Steve

Rik

I have the entire Adobe Font Folio in Windows format, Steve.
Rik

D-Dan

Quote from: armadillo on Nov 16, 2010, 12:20:26
I think of things like Photoshop, where if you use a substitute, you have to learn a new and complex interface. Photoshop is itself complex but at least I am familiar with it. I have not got the energy to learn GIMP.

Then things that also have a hardware interface. Monitor calibration and profiling. So you want software to operate the colorimeter in the first place (I use basICColor Display4) and then it has a run time LUT loader to place its LUT into the graphics card's LUT. That kind of thing is a real pain to find in minority OSs. So yes, you can use something else but I want to use the software I choose and I do not want to be pushed by cyber terrorists into abandoning the choices I like.


There's a wealth of calibration tools for Linux - http://en.wikipedia.org/wiki/Linux_color_management

Steve

D-Dan

Quote from: Rik on Nov 16, 2010, 13:10:01
I have the entire Adobe Font Folio in Windows format, Steve.

I'm pretty sure they can be made to work with minimal fuss (about as much fuss as you would find with Windows, anyway)

Steve

Rik

It was never true if you tried to use them on a Mac, Steve.
Rik

D-Dan

Before anyone accuses me of being a Linux fanboy here, I'm simply trying to clear up the common misapprehension that because Linux is free it won't do what you want it to. In recent years Linux has matured to a level where if you can do it in Windows, you can do it in Linux (and more - compiz and emerald for Windows, anyone - and don't mention the resource hog that is WindowBlinds, since that doesn't do all that compiz and emerald can).

I use both Mint 10 and Windows 7 interchangeably. In some cases I have the same programs sharing their resources on both OSs (Thunderbird on both uses the same profile folder, for example, so any changes or customisations on one OS apply to the other as well, and no need to synchronise).

Granted, some things are more difficult in Linux than in Windows, and some things are just different. Having said that, the majority of hardware just works in Linux without having to go hunting for drivers and rebooting 3 times before your printer will work, for example. And updates in Linux cover all installed apps as well as the OS, as opposed to Windows where you have to update the apps separately and individually, so the opposite is also true.

I'd simply like the naysayers to open their minds (and maybe give it a go, possibly using VirtualBox on Windows). If you decide to switch, you can always install Windows using VirtualBox on Linux to get your Windows fix ;)

Steve

D-Dan

Quote from: Rik on Nov 16, 2010, 13:13:03
It was never true if you tried to use them on a Mac, Steve.

Mac is a closed system, Linux is an open system. The difference means that anyone using Linux who needed to use those fonts themselves could have written the necessary software to do so and released it to the community. One of the joys of open source - if it's broke someone will fix it, and if it's missing someone will make it.

Steve

armadillo

Quote from: D-Dan on Nov 16, 2010, 13:11:12
There's a wealth of calibration tools for Linux - http://en.wikipedia.org/wiki/Linux_color_management

Steve

Quote from the Wikipedia link:
# Many hardware devices for color calibration lack drivers and proper supporting software on Linux.
# Some necessary software such as LUT loaders can seldom be found in the package repositories of even the major Linux distributions.

And also this strange advice:

Quote from the Wikipedia link:
For mainstream monitors, a couple of options exist. BasICColor software, which works with most colorimeters on the market, allows one to adjust display output via the monitor interface, and then to choose a "Profile, do not calibrate" option. By doing this, one can create a profile that does not require video card LUT adjustments

which is all very well, but unless the monitor is DDC capable, all that does is to produce a correct profile for an incorrectly calibrated monitor. BasICColor is the software I actually use and, with LUT tables it is one of the very best.

The trouble with all the juggling is that it is not necessary when using the huge choice of working code developed for Windows.

Windows may not be great but it is much less heavy going than jumping through the Linux hoops unless you enjoy that.

armadillo

Quote from: DorsetBoy on Nov 16, 2010, 12:54:24

No excuse not to change then  ;D

Yes, you're right.

I just love systems that make me input commands like

sh winetricks msxml6 gdiplus gecko vcrun2005

when I want to instal software :)

D-Dan

Quote from: armadillo on Nov 16, 2010, 13:54:26
Yes, you're right.

I just love systems that make me input commands like

sh winetricks msxml6 gdiplus gecko vcrun2005

when I want to instal software :)


Don't believe everything you read. The exact same thing can be achieved using the package manager with a couple of mouse clicks. The problem with online Linux help is that it's written by the geeks who prefer to use the commandline. Most average users will never need to go near it.

Steve

armadillo

Maybe not tonight. I might give it a go if I ever get to a point where I would need to reinstal Windows or move away from XP. I built this PC in 2004.

Time taken to choose and order components - approx 20 hours over elapsed 2 weeks
Time to build PC - 4 hours
Time to instal Windows XP - one hour
Time to instal and configure my programs - approx 270 hours over an elapsed 3 months

Repeating step 4 in a different OS, and even a new version of Windows would count as that, is not something I will undertake lightly.

For as long as I can continue in XP on this machine, for which I also have spare parts for every component, I am unlikely to be trying out Linux. Equally unlikely to try Windows 7.

Rik

Quote from: armadillo on Nov 16, 2010, 15:16:06
Time to instal and configure my programs - approx 270 hours over an elapsed 3 months

I know just how you feel, Dill. Once it's working, I don't want to play any further, just get on with the job.
Rik

D-Dan

Quote from: armadillo on Nov 16, 2010, 15:16:06
Maybe not tonight. I might give it a go if I ever get to a point where I would need to reinstal Windows or move away from XP. I built this PC in 2004.

...

Time to instal Windows XP - one hour
Time to instal and configure my programs - approx 270 hours over an elapsed 3 months


Conversely, time to install Linux Mint - approx 20 - 30 minutes.
Time to install and configure programs (assuming a reasonable internet speed) - less than 24 hours. I installed and configured my system in 8 hours.

It is helped somewhat on Linux by having a central repository for all software, being able to simply choose all the programs that you want, and let Linux get on with it whilst you do something more productive with your time, many essentials being installed with the OS (OpenOffice, CD/DVD Burning, graphics, media players etc.), and by and large not having to worry about sourcing and installing the majority of drivers.

As an example of my last point, I have a TV USB Dongle that didn't just work out of the tin on Linux. To get it going I had to download the firmware file (10 seconds) and copy it to a folder. Job done. No messy installation scripts. Conversely, it took me two days to get the same dongle working on Win 7.

Steve

Rik

Serves you right, Steve, you shouldn't be wasting your time on TV.  :evil:
Rik

armadillo

Quote from: D-Dan on Nov 16, 2010, 16:37:53
Conversely, time to install Linux Mint - approx 20 - 30 minutes.
Time to install and configure programs (assuming a reasonable internet speed) - less than 24 hours. I installed and configured my system in 8 hours.

Most of my time was configuring. I do not think I needed internet access for any of it. I have about 160 installed Windows programs, about 30 stand alone programs that do not need installing, just runnable as free standing exe with or without configuring. I also make use of a wonderful free, opensource windows scripting language (autohotkey) in which I have written a couple of hundred scripts to work with various programs. I have around 150 desktop icons. I think it would take me more than 8 hours to explain what all my programs are, never mind configure them!

So you see, if I were to ditch windows, I would have to find replacements for all that lot. And I can see no benefit in doing so, even though it might all be possible. I have no problems at all with my Windows machine.

D-Dan

LOL - I have 3 desktop icons on each of my Windows and Linux desktops. I hate all that clutter.

I also have my start menu configured into categories and sub-categories so that I can easily find what I want.

Maybe I'm just anal lol.

Steve

armadillo

Quote from: D-Dan on Nov 16, 2010, 17:12:40
LOL - I have 3 desktop icons on each of my Windows and Linux desktops. I hate all that clutter.

:rofl:


Quote
I also have my start menu configured into categories and sub-categories so that I can easily find what I want.

So is mine. But it is so big that it does not fit on the screen!

Quote
Maybe I'm just anal lol.

Well, you're certainly not like me with my 26 years worth of empty boxes in my attic. I am a clutter addict. I love it.



Rik

Quote from: armadillo on Nov 16, 2010, 17:19:04
Well, you're certainly not like me with my 26 years worth of empty boxes in my attic. I am a clutter addict. I love it.

24 here. :)
Rik

Gary

I can't look, I fear Justina has removed some when I have been asleep  :eyebrow:


DorsetBoy

Back on topic  ;D

How it works >>

http://sunbeltblog.blogspot.com/2010/11/how-tld4-rootkit-gets-around-driver.html


And how to remove it >>

TDSS Killer

http://support.kaspersky.com/viruses/solutions?qid=208280684

Perhaps we should all have a copy of this to hand, you wont be able to download it after the event.



mrapoc

Wow, things are really getting hard to prevent now! As to Linux, I installed Mint on my sister's laptop in about twenty minutes. Within ten minutes I had the network printer installed and the wireless by clicking here and there. No code. No downloading firmware and building etc. My kind of distro :) Oh, and everything works, from Flash to DVD.

armadillo

Thanks Dorset. Out of interest, I downloaded and ran it. Of course, it found nothing and was not followed by any suspicious activity.

How would we know that such a scanner had not itself been targeted by hackers in such a way as to make it instal the rootkit we thought we were scanning for? After all, rogue AV works by tricking users into running it.

I would guess the absence of any activity afterwards would be reassuring after the event as was scanning it with Nod32 before executing it.

I also notice that Kaspersky do not describe any symptoms other than ones which it takes a great deal of geek knowledge to understand (using special scanners to look for weird processes). Have you (or anyone) seen any links which describe symptoms that normal users would recognise?

DorsetBoy

http://en.wikipedia.org/wiki/Alureon

http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/inactive-malware-help-topics/136675-alureon-family-virus-moved-xp.html

Pop ups, redirected searches, slow performance, BSOD and restarts and unexpected network activity are just a few of the signs. Get tools /utilities only from trusted sources and double check them with other AV/Malware scanners is all you can do.

armadillo

Thanks Dorset. Just the usual symptoms of Trojans then. The Symantec link is nice and detailed and still intelligible. Trusted sources and scanning the tools with other checkers is what I always do too. I also check out direct links to software by searching for it from the host website's home page. So for example, for that Kaspersky scanner, I searched the Kaspersky KB from their own home page.

esh

The important thing seems to be that you still need to run a file which acts as a dropper, which will no doubt ask for UAC permission. It's not an entirely silent threat at least.

As for Linux... it's a mixed bag. The updates break things far more than Windows ones these days for me. This usually means I don't actually update Linux more than once a year anymore; I just drag my workstation home and do it then and settle in for the weekend trying to get the thing to boot afterwards. Software is hit and miss. MATLAB is far buggier on Linux I have found. I've never tried Photoshop in Wine. I never found a good non-linear video editor for Linux and Lightwave is also a no-go. Performance is fine (I just use fluxbox directly on top of X as at least I can compile that in about a minute; I tried compiling KDE once.... 45 minutes later....), except when I'm seeing high disk throughput, then the system just becomes unusable until it's finished. Once it's up though, it's stable as a rock. Up for hundreds of days at a time.
CompuServe 28.8k/33.6k 1994-1998, BT 56k 1998-2001, NTL Cable 512k 2001-2004, 2x F2S 1M 2004-2008, IDNet 8M 2008 - LLU 11M 2011

Technical Ben

I'd just like to be able to edit my program settings files without being told "access denied" by notepad. Copy/pasting things to my desktop so they don't have UAC blocking access to them is getting annoying.

Might go get me some rootkits.  ;D
I use to have a signature, then it all changed to chip and pin.

Rik

See your dentist, Ben, they can give you ready made root canals. ;D
Rik