Urban Myth in the Making
I picked up a post today at bleepingcomputer.com about the “botnet 4.0 undetectable virus”. Well, you can probably guess what I think about the idea of an undetectable virus, and if not (and you actually care what I think about anything!) you can check out my blog post Undetectable Virus Plays a Cool Hand.
(Clue: the Chainmailcheck blog specializes in hoaxes (intentional and unintentional), semi-hoaxes, scams, spams and uncle Tom Cobblers and all.)
In this case, the name of the virus suggests a possible misunderstanding related to the TDL4 botnet. I already wish I'd never seen any references to indestructible botnets, and I suspect I'm going to get even more tired of it now.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
6 Responses to “Urban Myth in the Making”
August 7th, 2011 at 1:17 pm
From "indestructible botnet" to "undetectable virus." I blame Golovanov and Stewart, along with the media, which has twisted something ridiculous into something even worse.
While you're on the subject of TDL, I don't suppose you have a picture of what the data in an infected MBR looks like? Are there any telltale strings added or removed from the original MBR, or anything similar that could give the bootkit away just by a visual inspection? Just curious.
August 8th, 2011 at 2:11 am
We’re not sure what you mean by “visual inspection”. If you mean by not using any dedicated tools then it’s not possible to remove the bootkit that way, since TDL conceals the infected MBR and prevents it from being overwritten.
August 8th, 2011 at 1:34 pm
No, I'm sure removal is more difficult than that. I just wondered if it was possible to use a tool like Dimio's "HDHacker" on Windows, or "sudo cat /dev/sdaX" on Linux (or any hex editor with raw disk access to the boot sector), and examine the contents of the MBR for certain bits or strings that TDL puts in the MBR that wouldn't normally be there. I'd show you a screenshot of what I mean, but I'm not allowed to post links.
How does it conceal the MBR? Isn't the MBR always in sector 0? I glanced through the whitepaper, but maybe I need to read it a little more…
August 9th, 2011 at 1:57 am
You can, in principle, use specialist tools to examine the boot sector to look for strings in the same way that first-generation AV did, but early boot sector viruses were much more simplistic and consistent between samples than TDL, and that approach would not be effective for detection across a range of samples and variants. Concealment is less a matter of moving the MBR than of misdirecting utilities so that they don’t see what they “think” they’re seeing. In fact, many early BSVs did the same thing, though with different mechanisms. The kind of hooks and patches that rootkits use are analogous forms of misdirection.
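The exchange above contrasts two ways of inspecting a boot sector: looking for telltale strings (what the questioner asks about) and the more robust approach of checking whether the boot code has changed at all. The following script is an added illustration and is not code from ESET or from the commenters. It parses a 512-byte MBR, lists the ASCII strings in the boot code region (showing what a hex-editor inspection would reveal), and compares a SHA-256 of the 440-byte boot code against a known-good baseline, which flags any modification regardless of which strings a particular variant leaves behind. The MBR bytes, the disk signature and the partition entry are all constructed for the example. In practice the sector should be read from a clean boot medium (for example with `dd` from a live CD) rather than from the running system, since, as the reply explains, a bootkit that hooks disk access can hand utilities a clean-looking sector.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code region before the 4-byte disk signature
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow here
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR

# Constructed boot code: a few opcode-like bytes followed by the familiar error string.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0" + b"Invalid partition table\x00"


def build_sample_mbr(boot_code: bytes = SAMPLE_BOOT_CODE) -> bytes:
    """Build a synthetic 512-byte MBR for demonstration (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = b"\x78\x56\x34\x12"   # constructed value
    reserved = b"\x00\x00"
    # One bootable partition of type 0x07 starting at LBA 2048 with 1,000,000 sectors.
    # Layout per entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + disk_signature + reserved + table + BOOT_SIGNATURE


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like the 'strings' tool."""
    found, current = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                found.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table and boot code hash."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_LEN])
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "boot_code_strings": ascii_strings(sector[:BOOT_CODE_LEN]),
        "partitions": partitions,
    }


def boot_code_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code region is byte-for-byte identical to the recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[10] ^= 0xFF          # flip one byte inside the boot code
    for label, sector in (("clean", clean), ("tampered", bytes(tampered))):
        info = parse_mbr(sector)
        print(label, info["boot_code_strings"], info["partitions"],
              "baseline match:", boot_code_matches_baseline(sector, baseline))
```

The string listing is useful for a quick look, but the hash comparison is what carries the detection: a baseline recorded from the disk when it was known to be clean catches any later change to the boot code, whether or not the modification contains recognisable text.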
August 9th, 2011 at 6:29 am
OK, that makes sense. I was just looking for an easy way out.