01 Jul 2011
Fears over a recent malware outbreak described by one firm as "practically indestructible" have been quelled by other security analysts, who noted there is a simple method for cleaning infected machines.
Dubbed TDL4, the malware was the subject of a recent report from Kaspersky Lab which characterised the malware as "the most sophisticated threat today".
A variant of TDSS, a malware platform that has been known to the security world for several years, the TDL4 sample is notable for being harder to detect than most other malware.
The malware is a rootkit: it infects the machine's boot sector so that its code runs early in the startup process, before the operating system and most security tools have loaded, which lets it evade some of them.
Kaspersky noted that the TDL4 variant uses encrypted communications to connect infected systems to the botnet's command and control infrastructure, along with a peer-to-peer communications model. The peer-to-peer layer allows the botnet to keep operating and receiving updates even when no central server is reachable.
The techniques have created what Kaspersky researchers see as a botnet which may be impossible to eradicate.
"TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike," the company said.
"The decentralised, server-less botnet is practically indestructible."
Despite the sophistication of the botnet, however, fears of an unstoppable TDL4 malware outbreak appear to be misguided.
Security vendor Trend Micro has long followed the TDSS malware family and the company has been studying TDL4 in recent weeks.
Threat research manager Jamz Yaneza likened the early worries over the TDL4 outbreak to the 2009 Conficker malware scare.
He told V3.co.uk that while the botnet itself can be difficult to detect and dismantle, such rootkit infections can in fact be neutralised with Windows' own recovery tools.
Yaneza explained that by booting from a Windows installation or recovery disc and using its repair tools (on Windows XP, the Recovery Console's fixmbr and fixboot commands), users can rewrite the boot sectors targeted by the attack, so the rootkit's loader no longer runs at startup.
He said that while some code from the infection will be left behind on disk, the remnants would be harmless and are typical of what is left when a rootkit infection is neutralised.
"Certainly a rebuilt system would inspire more confidence. However, if the affected systems require critical up-time and no back-up systems are in place, then doing so takes much productivity from the user," he said.
"For those that decide to keep on going, the advice is to do routine checks and steps to ensure integrity of these systems."
While the company has yet to fully test the fix on all systems, Yaneza said the technique has proven effective for removing infections on Windows XP systems.
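The "routine checks" Yaneza recommends for a repaired system can be made concrete by baselining the boot sector and re-checking it on a schedule. The following is an added example, not code from Kaspersky, Trend Micro or the article: it parses a 512-byte Master Boot Record, hashes the bootstrap code and the partition table separately (a bootkit of the kind described above overwrites the former and usually leaves the latter alone), and reports any drift from a stored baseline. The sample sectors are constructed in the block, and the device path in `read_live_mbr` is an assumed example. One caveat a practitioner should keep in mind: a rootkit that filters disk reads can hand a clean copy of the sector back to user-mode code, so a read taken from offline boot media is more trustworthy than one taken from the running system.

```python
r"""Baseline-and-compare integrity check for a disk's Master Boot Record (MBR).

Added example: parse the first sector, fingerprint its bootstrap code and
partition table, and flag any change from a previously recorded baseline.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFFSET = 446       # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw 512-byte sector into boot code, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def fingerprint(sector: bytes) -> Dict[str, str]:
    """Hashes to store as the baseline. Boot code and partition table are hashed
    separately so a tampered loader can be told apart from a legitimate repartition."""
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE_OFFSET:510]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    current = fingerprint(sector)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("bootstrap code differs from baseline")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active (expected at most 1)")
    return findings


def read_live_mbr(device: str) -> bytes:
    r"""Read the first sector of a raw device. Assumed example paths:
    \\.\PhysicalDrive0 on Windows (needs administrator), /dev/sda on Linux (needs root).
    A rootkit that hooks disk I/O may return a clean sector here; prefer offline media."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample data (not captured from a real infection) -----------------
def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a synthetic MBR with one active NTFS-type (0x07) partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
BASELINE = fingerprint(CLEAN_MBR)
# Model a bootkit that patches the first instruction of the bootstrap code into a
# short jump to its own loader, leaving the partition table and signature intact.
TAMPERED_MBR = bytes(b"\xeb\x3e" + CLEAN_MBR[2:])


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "matches baseline")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Record `fingerprint()` of the freshly repaired sector once, store it somewhere the machine cannot rewrite, and run `check_mbr()` against it on a schedule; a bootstrap-code mismatch with an unchanged partition table is exactly the signature of a re-infected boot sector.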
Trend's Techs are way off . . .
End users do not implement reform and spend IT dollars when there are no visible problems. Their suggestion is to roll back the OS to an earlier restore point, or perform a full wipe and reinstall. Would anyone care to calculate the economic impact of having to do this for 10 million+ computers? And then what do you have? A system still without protection that can easily be reinfected. The "sleeper" quality of this virus is its most damaging aspect. Its payload's ability to neutralize competing malware will actually lull the user into thinking that his PC is running "quite well." Without symptoms, most consumer and many corporate users will not be able to identify the remote "time bomb" capabilities of TDL-4. The level of sophistication here is substantial. Its use of psychological misdirection, coupled with its peer-to-peer C&C attributes, makes this a formidable weapon that can sit silently until its owner chooses to change the payload. Think of the implications should a foreign government choose to deploy this in support of a political objective. For example: the morning that the PRC decides to follow its constitutional mandates and forcefully annex Taiwan. This is likely another arrow in the quiver available to the MSS.
Posted by: R. R. Richmond 07 Jul 2011
Uh, no it's not...
...unless you're suggesting Kaspersky themselves are hosting and distributing this malware?
Posted by: MJW 04 Jul 2011
Easy way to detect and remove
Try doing a search in Google for "tdsskiller" - it comes up with a link to Kaspersky's own tool to both detect and remove it ... easy as pie. I think a lot of the scaremongering around this issue is coming from the fact that such a high number of infections have happened in a short time (3 months) ... e.g. in England alone it's estimated that 1.3% of all PCs have been infected ... http://www.internetsecuritydb.com/2011/06/tdl-4-botnet-statistics.html
Posted by: Damian 01 Jul 2011
I think you'll find...
...that's a rootkit.
Posted by: Borodin 01 Jul 2011