InfoSec News

First of all, don't get me wrong, this is not media FUD to scare you because of the recent coverage of MBR rootkits. :)
As many of our readers probably know, earlier this week there was a report from the AV vendor Kaspersky about approximately 4.5 million computers infected with the rootkit called TDL4 (aka TDSS/Alureon).
TDL4 is a rootkit that infects the computer's MBR (Master Boot Record). The TDSS family has been around since about 2008. At the time it was quite interesting, because we hadn't seen many MBR viruses since 10 to 13 years earlier, when they were quite common. (Remember those virus creation kits?) :)
The MBR contains the first code loaded during boot, so infecting the MBR by replacing it gives the virus an enormous advantage: it runs before anything else, including the anti-virus.
The 4.5 million infected computers should not be a surprise, because rootkits usually break the detection cycle.
The usual cycle can be described as:
1- the user sees suspicious activity on his computer, like a new running process for example.
2- the user sends the file to the AV vendor
3- the AV vendor creates detection
Now the problem is: how can the user send something to his AV vendor when he can't see anything?
Bootkits like this have always been a headache for AV vendors for this reason.
I am not alone on this. Also this week, Microsoft published a blog post describing another bootkit, which it *detects* as Trojan:Win32/Popureb.E. Note that I say detects only, which does not include *cleaning*.
Kaspersky's free tool, called TDSSKiller (version ), is one of the few around that can effectively detect whether a computer is infected with this rootkit, which it calls Rootkit.Win32.BackBoot.gen.
The problem with this new bootkit is that it forges the cleaning step. For example, when the security product attempts a Write operation, the trojan changes it to a Read. This makes the security product believe the cleaning was successful when it was not.
Please note that this deceptive technique is not new. One TDSS variant that infects a .sys file behaves in a similar way: when you try to retrieve the infected .sys file, it intercepts the request and hands you the clean one, making you believe that all is OK, since you got a clean file back.
Regarding MS's Popureb, the current recommendation is to fix the MBR and rebuild the machine.
There are no clean indicators of the infection on the machine, since the file dropped by the bootkit, (currently) called hello_tt.sys, will not be accessible.
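To make the two points above concrete (what the MBR sector actually holds, and why a "successful" write is not proof that the MBR was cleaned), here is an added example that is not part of the diary and not code from Kaspersky, Microsoft or any of the tools mentioned. It works entirely on a constructed 512-byte sector held in memory, parses the partition table, fingerprints the boot-code area against a known-good baseline, and then attempts a repair against two simulated disks: an honest one, and one that models the diary's description by silently turning a write to sector 0 into a read. The repair routine only reports success after reading the sector back and comparing it with what it wrote. All byte values, the `RawDisk`/`WriteForgingDisk` classes and the function names are my own constructions for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code a bootkit replaces
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511 of every valid MBR


def make_mbr(boot_code, partition_entries):
    """Assemble a 512-byte MBR sector. Constructed test data, not a real disk image."""
    assert len(boot_code) <= BOOT_CODE_LEN
    table = b"".join(partition_entries).ljust(64, b"\x00")
    # ljust to 446 also zero-fills the 4-byte disk signature and 2 reserved bytes
    sector = boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_partitions(sector):
    """Decode the MBR partition table; raises if the boot signature is missing."""
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return parts


def boot_code_hash(sector):
    """Fingerprint only the boot code; the disk signature and partition
    table legitimately differ from machine to machine."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


class RawDisk:
    """Minimal simulated raw disk: a dict of LBA -> 512-byte sector."""
    def __init__(self, mbr):
        self.sectors = {0: bytes(mbr)}

    def read_sector(self, lba):
        return self.sectors[lba]

    def write_sector(self, lba, data):
        assert len(data) == SECTOR_SIZE
        self.sectors[lba] = bytes(data)


class WriteForgingDisk(RawDisk):
    """Models the behaviour the diary describes: a write to sector 0 is
    intercepted and replaced by a read, so the call returns normally but
    the infected sector is never changed."""
    def write_sector(self, lba, data):
        if lba == 0:
            self.read_sector(lba)   # silently swapped for a read
            return
        super().write_sector(lba, data)


def boot_code_matches_baseline(disk, baseline_hash):
    return boot_code_hash(disk.read_sector(0)) == baseline_hash


def restore_boot_code_verified(disk, clean_boot_code):
    """Write clean boot code (keeping the existing partition table) and
    report success only if the sector reads back exactly as written."""
    current = disk.read_sector(0)
    repaired = clean_boot_code.ljust(BOOT_CODE_LEN, b"\x00") + current[BOOT_CODE_LEN:]
    disk.write_sector(0, repaired)
    return disk.read_sector(0) == repaired


# Constructed sample data (not taken from any real malware or disk).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"     # stand-in for clean boot code
INFECTED_BOOT_CODE = b"\xeb\x00" + b"CONSTRUCTED-BOOTKIT-STUB"  # stand-in for a bootkit loader
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [NTFS_ENTRY])
INFECTED_MBR = make_mbr(INFECTED_BOOT_CODE, [NTFS_ENTRY])
BASELINE = boot_code_hash(CLEAN_MBR)


def run_demo():
    """Returns {disk name: (infection detected, cleaning verified)}."""
    results = {}
    for name, disk in (("honest", RawDisk(INFECTED_MBR)),
                       ("forging", WriteForgingDisk(INFECTED_MBR))):
        detected = not boot_code_matches_baseline(disk, BASELINE)
        cleaned = restore_boot_code_verified(disk, CLEAN_BOOT_CODE)
        results[name] = (detected, cleaned)
    return results


if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print(run_demo())
```

On the honest disk the repair reads back correctly; on the forging disk the same call sequence returns normally but the read-back still shows the infected boot code, which is exactly the case a tool that trusts the write's return value would misreport as cleaned. The caveat is that the read-back goes through the same I/O path, and a rootkit that also filters reads (like the TDSS variant that hands back a clean .sys file) can defeat it too; that is why the recommendation to repair the MBR from outside the running system still stands.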
In some of my tests, I found that GMER's MBR tool is not effective against it, but the new TDSSKiller was successful at detection and cleaning.
The next chapters on this fight will be interesting...
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.