Posts Tagged ‘malware’
Is The New TDL-4 Botnet Really ‘Indestructible?’
An elusive malware program has quietly co-opted more than four million PCs, and no one seems to know how to stop it.

There’s no question that Golovanov and Soumenkov know their stuff, and their analysis of the emerging TDL-4 threat is thorough. But can a malicious program really be indestructible?
What is TDL-4?
TDL-4 is the fourth generation of the TDL malware (Kaspersky also identifies the family as TDSS), and Golovanov and Soumenkov call it “the most sophisticated threat today.” In that, we can likely agree with them. TDL-4 packs all kinds of neat/scary tricks to conceal itself deep within hard drives, evading most virus scanning software as well as more proactive detection methods. It communicates in encrypted code, and contains a serious rootkit component--a rootkit being a program that gives an operator access to a computer while hiding itself from the user, network administrators and automated security measures.
TDL-4 isn't a botnet itself, but it's malicious because it facilitates the creation of one--a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter, Facebook, and MasterCard.com), the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.
What Makes It “Indestructible?”
Golovanov and Soumenkov summarize this nicely: "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."
First things first: location, location, location. Once inside, TDL-4 takes up residence in the master boot record (MBR), which means its code runs during boot, before the operating system loads. The MBR is also rarely combed over by a standard anti-virus scanner, giving TDL added invisibility.
Then, TDL-4 does something else quite clever: it runs its own anti-virus program. The software contains code to remove around 20 of the most common malicious programs, wiping an infected machine clean of everyday malware that might draw a user’s attention or cause an administrator to take a closer look. It can then download whatever malicious software it wants to in the place of the deleted programs. This version of TDL-4 also has added modules, like one that “fraudulently manipulates advertising systems and search engines” and another that establishes proxy servers on infected machines, which can be used to facilitate and hide other malicious cyber actions.
But critical to TDL-4’s indestructibility is the way it communicates between bots. There are a few things at play here. First, and perhaps most central, is a clever algorithm that encrypts the communication protocol between bots and the botnet command and control servers. This makes it virtually pointless to monitor traffic between the command server and infected machines.
But couldn’t you trace those commands, encrypted though they may be, back to the source to catch the bad guys? TDL-4 has a trick up its sleeve here as well, this time in the form of a public peer-to-peer file sharing network called Kad. TDL-4’s creators can issue several commands to their bot machines over this P2P network. This is key, because it means that if TDL-4’s command servers get shut down, the program’s creators can still access all the infected machines out there. In essence, command servers aren’t really necessary at all. Destroying TDL-4 at the source is more or less impossible, because the source is distributed across the botnet network. There really is no single source.
But Is It Really “Indestructible?”
Writing for Infoworld today, Roger Grimes notes: “As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.”
Grimes’ approach is the level-headed one. At one point Conficker was going to destroy the entire Internet as we knew it, but here we are today getting our daily dose of carefree lulz on the Web. TDL-4 will most likely continue to confound and frustrate security experts for years. But this too shall pass.
But that doesn’t mean Golovanov and Soumenkov are necessarily wrong to call TDL-4 “indestructible.” Perhaps the most noteworthy part of its title is the “4.” It’s just one bad seed in a malicious multigenerational family.
“We have reason to believe that TDSS will continue to evolve,” the Kaspersky researchers write. “The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware.”
That is, until TDL-5.
After Hack, Oak Ridge National Lab Finds Data Breach, Pulls Its Internet Plug
The attack was sophisticated, ORNL’s deputy director said, akin to the attacks that hit Google last year and security firm RSA just last month. The malware got inside through a pretty standard spear-phishing scheme in which an email posing as a note from human resources linked users to a malicious Web page that installed malware to their terminals.
Of 530 emails sent (out of about 5,000 total workers), only 57 users clicked through. From those, only two machines were actually compromised. But that was enough. On April 11 admins noticed a server was breached when data began flowing outward, but they were able to quickly head that attack off and disinfect the server. But apparently another set of code was lying dormant elsewhere in the system, and on Friday evening it began exfiltrating data from a number of servers.
That’s when ORNL security pulled the plug on the Internet. As of yesterday, limited email has been restored for ORNL workers, but the investigation is ongoing. Given that cybersecurity is one of ORNL’s research foci, the attack could be construed as ironic. Or it could be construed as a security success, given that very little data actually made it off the ORNL servers before the breach was detected and the plug pulled.
Still, someone--and investigators, at least publicly, say they have no idea who--got inside. Considering ORNL also researches nuclear technology and dabbles in other classified areas alongside its better-known unclassified work, that’s more than a little worrisome.
Stuxnet Worm is a “Game Changer” for Global Cybersecurity, Top U.S. Official Tells Senate

We already knew Stuxnet was unprecedented, but it’s what is unknown about it that makes it so unsettling. The code can enter systems undetected, steal information or alter processes, and basically live there causing a mess of things while the system appears to security software to be working properly. But authorities don’t know where the Stuxnet worm came from, or what it was specifically designed to attack, McGurk told Senators.
That last part is debatable. While there is still a degree of uncertainty about Stuxnet’s aims, cybersecurity firm Symantec released a report Friday saying that all evidence points to Iran as the target of the worm. “Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant,” the report reads. “The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.”
Symantec researchers were able to deduce this from the fact that Stuxnet requires specific industrial control systems from very specific vendors (one in Finland, the other in Tehran) to work, and more than 60 percent of infections have been reported in Iran (there have been approximately 44,000 unique infections reported; just 1,600 are in the United States). That has led to speculation that Stuxnet was designed to sabotage Tehran’s controversial uranium enrichment program.
Still, global security experts appear no closer to pinpointing a source of the attack, which is a serious threat to systems that control infrastructure like power grids and pipelines around the globe. That’s more than a little unsettling in a wired world. According to one cybersecurity expert, “we’re not only susceptible, but we’re not very well prepared.”
MIT Cybersecurity System Can Keep Servers Functioning Even During Attack

The system works by observing programs as they normally run and memorizing those ranges of behavior. During an attack, the system simply locks the programs within those behavioral ranges; that is, if a program usually stores data at either location X or location Y, those are the only two places it will be allowed to store data once the security system detects that an attack is underway.
If a malicious program tries to trick the program into storing info at location Z, the security system won't let the program deviate from its usual behavior. But it does keep the program up and running even as the attack unfolds.
The tactic is something like a strike/counter-strike battle plan, and as such there are casualties. For instance, once a program is limited to locations X and Y it may begin to store data there that doesn't belong, which in turn could cause a server crash. But the security system learns as it goes, narrowing the space that the malicious program has to maneuver while figuring out what countermeasures are most effective. So a site that has dozens of servers will lose a few during the opening salvo of the attack, but in doing so the security system learns the enemy's M.O. and engineers a fix for the remaining servers, sometimes in a matter of seconds.
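The learn-then-enforce idea described above, as an added illustration (this is not the MIT project's code, and the real system works on program state rather than named locations). Each program's writes during normal operation define its envelope; once an attack is declared, writes outside the envelope are refused but the program keeps running. The second half generalizes the paragraph slightly: a server that refuses a hostile write shares that finding with other servers' monitors, the "engineers a fix for the remaining servers" step. Location names and the scenario are constructed.

```python
"""Behaviour-envelope monitor: learn normal storage locations, then enforce them.
Added example in the spirit of the MIT system described above; not its code."""
from collections import defaultdict


class BehaviorMonitor:
    """One monitor per server (assumption: each server runs its own copy)."""

    def __init__(self):
        self.envelope = defaultdict(set)   # program -> locations seen while healthy
        self.denylist = defaultdict(set)   # program -> locations known to be hostile
        self.enforcing = False
        self.blocked = []                  # audit trail of refused writes

    def enter_attack_mode(self):
        """Freeze the envelope: from now on only recorded locations are allowed."""
        self.enforcing = True

    def permit(self, program, location):
        """Decide whether a store to `location` may proceed."""
        if location in self.denylist[program]:
            self.blocked.append((program, location))
            return False
        if not self.enforcing:
            # Learning phase: whatever the program does now defines 'normal'.
            self.envelope[program].add(location)
            return True
        if location in self.envelope[program]:
            return True
        # Deviation during an attack: refuse it, remember it, but do not crash.
        self.blocked.append((program, location))
        self.denylist[program].add(location)
        return False

    def share_findings(self, other):
        """Propagate hostile locations learned here to another server's monitor."""
        for program, locs in self.denylist.items():
            other.denylist[program].update(locs)


class SimulatedProgram:
    """Stand-in for a protected service: all stores go through the monitor."""

    def __init__(self, name, monitor):
        self.name = name
        self.monitor = monitor
        self.storage = {}

    def store(self, location, value):
        if self.monitor.permit(self.name, location):
            self.storage[location] = value
            return True
        return False   # write dropped; execution continues


def run_demo():
    """Constructed scenario: two servers running the same program, one hit first."""
    m1, m2 = BehaviorMonitor(), BehaviorMonitor()
    p1, p2 = SimulatedProgram("web", m1), SimulatedProgram("web", m2)
    # Normal operation on both servers: the program only ever stores at X and Y.
    for p in (p1, p2):
        p.store("X", "session")
        p.store("Y", "cache")
    m1.enter_attack_mode()
    hostile = p1.store("Z", "payload")      # outside the envelope: refused
    legit = p1.store("X", "session2")       # inside the envelope: still works
    m1.share_findings(m2)
    # Server 2 never entered attack mode, but now refuses Z outright.
    hostile2 = p2.store("Z", "payload")
    return {
        "blocked_on_1": hostile is False,
        "legit_on_1": legit,
        "blocked_on_2": hostile2 is False,
        "z_absent": "Z" not in p1.storage and "Z" not in p2.storage,
        "audit": m1.blocked + m2.blocked,
    }


if __name__ == "__main__":
    print(run_demo())
```

The casualty the text mentions shows up here as well: a legitimate but never-before-seen location would be refused just like a hostile one, so the quality of the learning phase decides how many healthy writes get dropped during enforcement.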
Funded by DARPA, the MIT initiative has twice hired outside security firms to attack the system. Both times a few programs went down within the system, but overall it performed above and beyond the benchmarks set by DARPA and MIT. In the second test, it kept nine of every 10 programs running for the duration of the attack. Viewed through the complex fog of cyberwar, a 90% success rate is nothing to scoff at.
Panda Security has released a special anti-virus for netbooks
Panda Security has announced the launch of a new product, Panda Antivirus for Netbooks, an ultra-light security solution designed specifically for low-power netbooks and mini-notebooks. The product is easy to install, consumes very few system resources and has been tested on the most common netbook configurations. Panda Antivirus for Netbooks contains all the necessary protection modules:
- PC optimization for the detection and removal of various threats (viruses, worms, Trojans, spyware, etc.).
- Protection for instant messengers (MSN, Yahoo Messenger, etc.).
- Enhanced proactive protection against new threats.
- Personal firewall for protection against hackers.
- WiFi screen that protects your wireless network from intruders.
- Anti-phishing filter to protect against online fraud.
- Anti-Trojan protection for safe online banking and shopping.
Panda Antivirus for Netbooks includes the proven USB Vaccination technology, which blocks the spread of malware from USB devices. In addition, the product includes a new heuristic engine combined with genetic signatures; together with cloud-based scanning from Collective Intelligence, these offer a high level of protection against new malware and Trojans that steal personal information.
For convenience, Panda Antivirus for Netbooks is sold not as a traditional boxed product but as a DVD case containing a USB flash drive, since netbooks lack a CD/DVD drive. After installing the antivirus on their netbook, users can use the flash drive to store their own files.