Kaspersky warns internet users about TDSS rootkit malware

This topic is archived.
Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010)
steve2470 Donating Member (1000+ posts) Sun Aug-15-10 02:35 PM
Original message
Kaspersky warns internet users about TDSS rootkit malware
http://www.infosecurity-magazine.com/view/11622/kaspersky-warns-internet-users-about-tdss-rootkit-malware-/

10 August 2010
Kaspersky Lab is warning users to check their PCs for the presence of the TDSS rootkit, a nasty piece of code – now in its third iteration – that allows complete, but hidden, 'zombie' control of the host PC.

As reported by fellow IT security vendor Prevx late last year, TDSS-3 comes from a 'dropper' that is spread by peer-to-peer networks or by crack and keygen websites.

Infosecurity notes that the rootkit needs administrator privileges to drop its payload, meaning that if the user normally employs a 'user' account on their PC, they may be safe.

Kaspersky reports that TDSS can now hide its presence and that of other malware on an infected system.

more at link above
BeFree Donating Member (1000+ posts) Sun Aug-15-10 02:39 PM
Response to Original message
1. I use guest account to surf
Should I be using another named account with no privileges as my surf board?
steve2470 Donating Member (1000+ posts) Sun Aug-15-10 03:10 PM
Response to Reply #1
9. I think you should be OK nt
Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 02:40 PM
Response to Original message
2. Good luck getting control of my PC when it's powered off
I flip the power switch when I'm not using it.

No, not the power switch on the PC, the switch on the power source. :)

If I'm not using it, nobody is.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 02:47 PM
Response to Reply #2
4. Ours was taken over when hubby was
ahem USING IT.

The only thing that will 100% prevent this is for you to be OFF LINE at all times, and NOT load any software you don't know of.
Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 02:50 PM
Response to Reply #4
5. If I'm on the machine, I can tell what's going on
I can shut it down and restore from backup.

The real danger is if somebody can power up my machine when I'm not on it.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:12 PM
Response to Reply #5
10. This is how cute this is.
Anything it doesn't like, it shuts the process down... and tells you it is infected.

Trust me, I spent five hours yesterday trying a few tricks. It is going to the specialists. I fear an industrial magnet and full OS re-install is in the future of that machine.

Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 03:16 PM
Response to Reply #10
13. Do you have a system backup?
how often do you back up your system?
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:17 PM
Response to Reply #13
15. Yep and trust me, from having dealt with a real nasty bug
this will require a magnet I suspect.
Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 03:19 PM
Response to Reply #15
16. So you only keep one backup image?
My backups are burned to DVD. I can go back to images on hardware I don't even own anymore.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:21 PM
Response to Reply #16
17. Ok let me describe that other one
Format C. Stops in the middle, jumps across, continues to format, it is still there.

This is how nasty this is.

I tried a fresh format and OS install. This will require a magnet. I suspect it is the exact same family.
Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 03:23 PM
Response to Reply #17
20. I'm sorry you're in a bind
I'm just saying I'm not in the same bind.

Because I have system backups going back several years, on DVDs, impervious to magnets.

Good luck!

:hi:
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:24 PM
Response to Reply #20
21. This is not about a backup
even if you had the image going back ten years it will still be there. It is not at the OS level, the way a white hat explained this to us.

The place I am taking it to ... has magnet though.

Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 03:27 PM
Response to Reply #21
22. You're saying this bug was there ten years ago?
Really?

nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:34 PM
Response to Reply #22
24. No, that the bug survives
format C: Jumps across to the newly formatted file. Look, a white hat my husband knows caged that variation years ago... it was cute, to him. And it was HE who recommended the magnet. Back then WE HAD access to an industrial magnet... these days not so much. The way it is behaving it reminds me of that... and I would not be shocked if this is a variety of that bug.
Xipe Totec Donating Member (1000+ posts) Sun Aug-15-10 03:40 PM
Response to Reply #24
26. Deep Six
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:43 PM
Response to Reply #26
27. Thanks but it is going to the computer experts tomorrow
Edited on Sun Aug-15-10 03:44 PM by nadinbrzezinski
will ask them to cage this little beaut, to be sent to the DA... but as I said, all the formatting will do nothing in this case. It will need either a magnet or a new drive. This is how malicious this is. I wish it were different by the way.

Oh and it is NOT Fry's or any like that, but a LOCAL bidness.
CatholicEdHead Donating Member (1000+ posts) Sun Aug-15-10 03:30 PM
Response to Reply #17
23. Sounds like new HD time
if it does this.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:35 PM
Response to Reply #23
25. Magnet kills them
if they can't, yes, then new HD
EOTE Donating Member (1000+ posts) Mon Aug-16-10 01:58 PM
Response to Reply #25
48. Once a hard drive is degaussed, it's unusable.
It doesn't matter if you attempt to format it after that, the computer won't even recognize it. Degaussing is used for when you have a large amount of data you don't want getting out, and you don't want to go through the process of doing a low level format on all the drives.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 05:23 PM
Response to Reply #48
53. Funny that many decades ago it worked
and that was suggested by a WHITE HAT. One of the top ones in the field.
EOTE Donating Member (1000+ posts) Tue Aug-17-10 09:06 AM
Response to Reply #53
61. Then either the WHITE HAT or you are confused.
http://en.wikipedia.org/wiki/Degaussing#Degaussing_magnetic_data_storage_media


"For certain forms of computer data storage, however, such as modern hard drives and some tape backup drives, degaussing renders the magnetic media completely unusable and damages the storage system."

You DON'T use magnets to resolve software issues. If you need to completely eliminate data on a drive, you do a low level format. Viruses simply don't survive low level formats, it's really silly and fear mongering to suggest that they do.
EOTE Donating Member (1000+ posts) Mon Aug-16-10 01:55 PM
Response to Reply #17
47. That's not how a format works.
When doing a basic format, the only data that is lost is the file allocation table, and it's wiped completely. There's no way that a virus could affect a format so that all of the file allocation table is wiped with the exception of a file or two. If you have information to the contrary, I'm very interested in seeing it.
Renew Deal Donating Member (1000+ posts) Mon Aug-16-10 01:13 PM
Response to Reply #2
41. Did you know the Russians are spying through the power lines?
:tinfoilhat:
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 02:46 PM
Response to Original message
3. Nasty? NO SHIT sherlock
'puter is going tomorrow to specialist. Yep, got sick... damn thing will not do anything but GO TO THEIR FUCKING SITE.

CUTE.

NOT.

I am going to ask them to cage that little bugger... it is illegal you know... I will try to find a Cyber Security DA willing to take it.
The Straight Story Donating Member (1000+ posts) Sun Aug-15-10 02:53 PM
Response to Reply #3
6. They have a removal tool
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:14 PM
Response to Reply #6
11. After it even told me yesterday that WIN32 was infected
and refused to run anything... I am taking it tomorrow to experts.

Thanks though I hope this works for other folks.

(Yes went so far as to ... consider format C)

Now the nettie, so far, seems safe.

Kurt_and_Hunter Donating Member (1000+ posts) Mon Aug-16-10 12:51 AM
Response to Reply #11
35. See post #34
Edited on Mon Aug-16-10 12:52 AM by Kurt_and_Hunter
Downloaded from C-Net site. Problem gone in minutes after a day of messing with the problem.
hlthe2b Donating Member (1000+ posts) Sun Aug-15-10 03:15 PM
Response to Reply #3
12. I take it that you aren't using that particular computer?
and that your current one is not infected? I just screened using the Kaspersky tool and was ok, but I use combination packages on my machines--not that that will prevent everything, but I do think it is synergistic. I use the full PCTOOLS Spyware Doctor package (firewall, anti-spam, anti-virus, with "immunizers") and the full AVG Internet Security package, and I use Firefox with anti-script blockers.

Redundancy seems to be good... I (knock on wood) have not gotten anything in more than two years of doing this.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:16 PM
Response to Reply #12
14. Yep, the nettie is fine
Edited on Sun Aug-15-10 03:18 PM by nadinbrzezinski
the other one is by the door, to be loaded tonight to truck and taken tomorrow to the doctor

ACHHOOOOO

It is sick.

We had a nasty one, that somebody sent us, oh over fifteen years ago... that required a magnet. I know my limits.

On edit, the thumbdrive I used to try to re-install anti virus yesterday is going to the trash.
The Straight Story Donating Member (1000+ posts) Sun Aug-15-10 03:22 PM
Response to Reply #14
18. I would suggest in the future:
Get a linux/etc bootable CD and use that for removal. Quick, easy, and can save a lot of headaches.
nadinbrzezinski Donating Member (1000+ posts) Sun Aug-15-10 03:23 PM
Response to Reply #18
19. If I am right and this requires a magnet
that will not help.
localroger Donating Member (663 posts) Sun Aug-15-10 04:14 PM
Response to Reply #19
29. You keep saying this
The problem you are having with format is that the formatter itself has been compromised. If you turn the computer off and cold boot from a USB drive, or boot at all from a CD, then use a known good formatter to format the drive, it WILL kill the virus. Every single time.

The problem is that the modern malware compromises all the tools you might use to find and remove it, so if you just try to use that computer's tools to fix it it won't work. You have to boot cold from a known good image. And if you don't have one of those, then yeah, you need to find an expert who does.

But he won't need a magnet.
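The cold-boot-and-wipe route localroger describes above, together with EOTE's point in #47 that a basic format rewrites only the file allocation table, as an added example that is not from any poster in this thread: a POSIX shell script that zeroes the start of a disk (partition table and boot sector) or the whole disk, then reads the bytes back to verify the wipe actually happened. It assumes a Linux rescue environment with dd, head, tail, tr and grep; for the demo it uses a 4 MiB image file with constructed marker strings standing in for the infected disk (these names and offsets are mine, not from the thread). On a real machine you would pass /dev/sdX while booted from the live CD or USB stick, never from the infected Windows install, and everything under that path is destroyed.

```shell
#!/bin/sh
# Added example (not from the thread): wipe a disk from trusted, cold-booted
# media and verify the result before reinstalling. The demo uses an image file
# standing in for /dev/sdX; on real hardware every byte under $dev is lost.

MIB=1048576

# Overwrite the first $2 MiB (default 1) of $1 with zeros. On a real disk
# this clears the MBR / partition table / boot-loader area, but nothing else.
zero_head() {
    dev=$1
    mib=${2:-1}
    dd if=/dev/zero of="$dev" bs="$MIB" count="$mib" conv=notrunc 2>/dev/null
}

# Overwrite every byte of $1. Size is read from the file; for a block device
# substitute `blockdev --getsize64 "$dev"` (assumption: Linux rescue system).
zero_all() {
    dev=$1
    size=$(wc -c < "$dev" | tr -d ' ')
    head -c "$size" /dev/zero | dd of="$dev" conv=notrunc 2>/dev/null
}

# Succeed (exit 0) only if the $2 bytes of $1 starting at byte offset $3
# (default 0) are all zero. This is the read-back check: never trust the
# tool that did the writing, read the sectors again.
is_zero_range() {
    dev=$1
    nbytes=$2
    offset=${3:-0}
    nonzero=$(tail -c +$((offset + 1)) "$dev" | head -c "$nbytes" \
              | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Succeed if the byte string $2 appears anywhere in $1 (NULs stripped first
# so grep sees the raw bytes as one stream).
has_marker() {
    dev=$1
    marker=$2
    tr -d '\000' < "$dev" | LC_ALL=C grep -q -- "$marker"
}

# Write marker string $3 at byte offset $2 of $1. Used only to stage a
# constructed "infected" image for the demo; it is not part of the wipe.
plant_marker() {
    dev=$1
    offset=$2
    marker=$3
    printf '%s' "$marker" | dd of="$dev" bs=1 seek="$offset" conv=notrunc 2>/dev/null
}

# Demo on a 4 MiB image: plant a marker in sector 0 and one 3 MiB in, wipe
# only the head, show the data-region copy survives (the "quick format"
# situation), then wipe everything and verify.
demo() {
    img=$(mktemp)
    dd if=/dev/urandom of="$img" bs="$MIB" count=4 2>/dev/null
    plant_marker "$img" 0 "MARKER-BOOT"
    plant_marker "$img" $((3 * MIB)) "MARKER-DATA"
    zero_head "$img" 1
    is_zero_range "$img" "$MIB" && echo "head: zeroed and verified"
    has_marker "$img" "MARKER-DATA" && echo "data region: marker survives a head-only wipe"
    zero_all "$img"
    is_zero_range "$img" $((4 * MIB)) && echo "whole image: zeroed and verified"
    rm -f "$img"
}
```

The two-step demo is the point: zeroing the head removes whatever sat in the boot sector, but a marker further into the disk is untouched, which is exactly why a quick format (allocation table only) or a partial wipe cannot be trusted to remove a driver file the rootkit dropped. `zero_all` followed by `is_zero_range` over the full size is the check that lets you reinstall onto media you have proven empty, and because it runs from the live CD rather than the infected system, the compromised in-place formatter localroger warns about never gets a vote.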
EOTE Donating Member (1000+ posts) Mon Aug-16-10 02:03 PM
Response to Reply #19
49. There is not a single computer issue that requires a magnet to resolve.
Unless the issue is that I dropped a screw in the case and my fingers are too stubby to retrieve it.
NJmaverick Donating Member (1000+ posts) Sun Aug-15-10 03:05 PM
Response to Original message
7. Nasty bit of malware
I had to replace all the drivers to remove it about 3 or 4 months ago. The Kaspersky supplied tool would find it but couldn't remove it.
glitch Donating Member (1000+ posts) Sun Aug-15-10 03:09 PM
Response to Original message
8. Thanks for this. K & R nt
Recursion Donating Member (1000+ posts) Sun Aug-15-10 03:52 PM
Response to Original message
28. When is the Linux port of this coming out? I'm sick of Windows having all the good viruses
Edited on Sun Aug-15-10 03:53 PM by Recursion
Here I am, a sysadmin, with my finely-honed skills atrophying because I never get malware.

I demand equal attacks!
Commie Pinko Dirtbag Donating Member (1000+ posts) Sun Aug-15-10 09:05 PM
Response to Reply #28
31. +1
TroglodyteScholar Donating Member (1000+ posts) Sun Aug-15-10 09:19 PM
Response to Reply #28
32. I know!
I'm so pissed I never get to format and reinstall, or take my computer to the "experts," or any of those other fun things :(

After paying so much for Ubuntu, I should be able to do anything a Windows user can do!
bigmonkey Donating Member (1000+ posts) Mon Aug-16-10 09:31 AM
Response to Reply #32
36. Why don't more progressives use Linux?
Totally puzzles me.
steve2470 Donating Member (1000+ posts) Mon Aug-16-10 09:33 AM
Response to Reply #36
37. I've tried it several times
I admit, I'm lazy. Windows is just easier for me to use. Linux and its many distros is a great operating system.
TroglodyteScholar Donating Member (1000+ posts) Mon Aug-16-10 10:55 AM
Response to Reply #36
39. Wish I knew...
A common reason I hear is that they depend on software packages that don't exist for Linux, but I guess it's really just laziness because it doesn't take much research to learn about VM solutions like VirtualBox.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 05:25 PM
Response to Reply #39
54. Have used virtual box
and sorry... not worth the time or effort for a gaming rig.
Commie Pinko Dirtbag Donating Member (1000+ posts) Mon Aug-16-10 05:27 PM
Response to Reply #54
55. Gaming is THE one application for which it makes sense to run Linux.
I left the Windows that came with my computer; shrunk the partition and installed Fedora. Windows is for games and nothing else.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 05:30 PM
Response to Reply #55
56. So are you running them under Windows or Fedora?
I am confused and reading comprehension challenged I think.

Once again, that is a dedicated GAMING rig.

I'll admit though if all those games hubby loves were ported to the Mac OS X environment... we would switch like yesterday.
Commie Pinko Dirtbag Donating Member (1000+ posts) Mon Aug-16-10 05:34 PM
Response to Reply #56
57. It's a dual boot. It stays on Linux 98% of the time. When I want to play games I reboot in Windows.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 05:38 PM
Response to Reply #57
59. There you go
that machine is used 99% as a gaming rig... why it is not worth my time to put Fedora on it, or Ubuntu.

The other 1% it is just a dumb print terminal for my documents.

The Nettie, I didn't feel like putting linux on a dumb, very much glorified, word processor.

:-)

Though I took the thumb drive I tried to use to fix that machine straight to the trash. I am assuming it is radioactive.
bigmonkey Donating Member (1000+ posts) Tue Aug-17-10 11:23 PM
Response to Reply #59
62. Send it to me!
:-) I can't tell you how much hardware I've recovered using linux. Totally foolproof, completely safe.
TroglodyteScholar Donating Member (1000+ posts) Mon Aug-16-10 05:37 PM
Response to Reply #54
58. LOL
Edited on Mon Aug-16-10 05:39 PM by TroglodyteScholar
Don't apologize...but if you want to play games, why not use a machine designed for games (i.e. a gaming console)?

Or dual boot into Win for games, but only use the internet in Linux. It's really not that hard...people are just too lazy to take 2 hours to figure it out.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 05:41 PM
Response to Reply #58
60. I am not the one playing games
that is my husband. We considered that. The universe for a console is sixteen players. The universe for his games is whatever the limit is.

And that machine IS a dedicated gaming rig... that is what it is USED FOR.

Is this so hard to comprehend? Hubby uses it for GAMING... and mostly NOTHING else. THAT HARD?

For about 1% OTHER uses, it is not worth my time.
steve2470 Donating Member (1000+ posts) Sun Aug-15-10 09:01 PM
Response to Original message
30. kick for late night/overnight DUers nt
dickthegrouch Donating Member (838 posts) Mon Aug-16-10 12:45 AM
Response to Reply #30
33. You call 4pm late night??
Kicking for the real late nighters :)
Kurt_and_Hunter Donating Member (1000+ posts) Mon Aug-16-10 12:49 AM
Response to Original message
34. Hitman Pro 3.5 got it where four other programs missed it
Edited on Mon Aug-16-10 12:50 AM by Kurt_and_Hunter
Spybot and Ad-Aware and McAfee (all with latest possible updates) all found nothing.

Downloaded another program that was supposed to be for rootkit malware that did nothing.

A program called Hitman zapped it right away.

(Shareware but fully functional during trial period)
L0oniX Donating Member (1000+ posts) Mon Aug-16-10 10:37 AM
Response to Reply #34
38. How to remove malware belonging to the family Rootkit.Win32.TDSS
ProudToBeBlueInRhody Donating Member (1000+ posts) Mon Aug-16-10 01:28 PM
Response to Reply #34
43. And it hasn't come back?
A lot of those programs say they wiped it out, but then they reappear on the next reboot.

I have those 3 programs, plus MS Security Essentials. I have a nasty registry trojan on my desktop and all of them say they found it and took care of it and then it comes back on the next reboot.
steve2470 Donating Member (1000+ posts) Mon Aug-16-10 01:31 PM
Response to Reply #43
44. have you done rootkit scans ? nt
ProudToBeBlueInRhody Donating Member (1000+ posts) Mon Aug-16-10 01:39 PM
Response to Reply #44
45. I've scanned everything, several times over
I don't know if it is related to this virus, but it's a Trojan that supposedly is in the registry. It does annoying things like makes the McAfee insist it's not up to date even when it's reinstalled. It slows the computer down to a crawl. I'm trying to remember what the name of it actually is, but I hardly ever use the desktop I've gotten so fed up.
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 01:09 PM
Response to Original message
40. Well took 'puter to the 'xperts today
Yep, it is a widespread system infection.

Now here is one thing they can do (they got the tools I don't) is to actually preserve data and properly disinfect data.

UPDATE all your virus definitions... and for the moment, if you are not using it, turn it off... and disconnect from the web. This thing IS nasty. Me, after it comes home... well see advice above.
steve2470 Donating Member (1000+ posts) Mon Aug-16-10 01:21 PM
Response to Reply #40
42. Hope all your data is saved ! nt
nadinbrzezinski Donating Member (1000+ posts) Mon Aug-16-10 01:45 PM
Response to Reply #42
46. Or as much as possible
I've cleaned my system before... worked with them before. But this one is like nothing I have seen in recent years.
Greyhound Donating Member (1000+ posts) Mon Aug-16-10 02:15 PM
Response to Original message
50. As I said on the other thread regarding this. K&R, but also, duh.
I'm sure that "nobody could've predicted" that "verifying authenticity" and shipping sensitive data to third parties with no accountability, located in countries that are barely less hostile than our enemies, and that for practical purposes have no law beyond the authority of "we say so", might lead to some sort of problem.

Americans really need to get a much better grip on what computers are and what they do.

steve2470 Donating Member (1000+ posts) Mon Aug-16-10 02:20 PM
Response to Original message
51. a good current article about malware threats
Edited on Mon Aug-16-10 02:22 PM by steve2470
http://www.esecurityplanet.com/article.php/3897476/Top-Ten-Web-Malware-Threats.htm

Top Ten Web Malware Threats

August 9, 2010
By Lisa Phifer

Websites that spread malware may be leveling off, but Web-borne malware encounters are still growing. According to a 2Q10 Global Threat Report published by Cisco, criminals are using search engine optimization and social engineering to become more efficient, luring more targeted victims to fewer URLs.

Using IronPort SenderBase, Cisco estimated that search engine queries lead to 74 percent of Web malware encounters in 1Q10. Fortunately, two-thirds of those encounters either did not deliver exploit code or were blocked. But that means 35 percent of Web-borne exploits are still reaching browsers, where they try to drop files, steal information, propagate themselves, or await further instructions.

Browser phishing filters, anti-malware engines, and up-to-date patches can play a huge role in defeating malware reaching the desktop. However, to find unguarded vectors and unpatched vulnerabilities, let's look at how today's most prevalent Web malware works.

#10: Last on Cisco's list of 2Q10 encounters is Backdoor.TDSSConf.A. This Trojan belongs to the TDSS family of kernel-mode rootkits, TDSS files are dropped by another Trojan (see Alureon, below). Once installed, TDSS conceals associated files and keys and disables anti-virus programs by using rootkit tactics. Removing TDSS from a PC is difficult; using up-to-date anti-malware to block the file drop is a better bet.

more at link above
ProudToBeBlueInRhody Donating Member (1000+ posts) Mon Aug-16-10 05:09 PM
Response to Reply #51
52. Thanks for that, it was the Alureon virus I had
Edited on Mon Aug-16-10 05:11 PM by ProudToBeBlueInRhody
I'm going to try the Kaspersky tool, which supposedly works.....otherwise it will have to be a clean install.

It boggles my mind that for the amount of money people pay for Norton, McAfee, Windows, etc......there is no one security tool that protects you from everything and many of the free ones clean up the shit that's the most prevalent.
© 2001 - 2011 Democratic Underground, LLC