A new strain of super malware infected more than 4.5 million PCs in the first three months of 2011, and shows no signs of slowing down.
The malware, a rootkit variously called TDSS, TDL or Alureon, has been active since 2006, continually evolving and growing more powerful. Due to its devious and damaging capabilities, it is nearly impossible to detect and has been called "indestructible" by researchers at the security firm Kaspersky Lab.
Once it worms its way into users' systems by bypassing authentication protocols, TDL-4 opens a "back door" to cybercriminals, making it possible for them to load keystroke loggers, adware and a host of other malicious programs onto the infected computers.
TDL-4 allows attackers to remotely take over infected systems, manipulate search engines and act as "a launch pad for other malware," Kaspersky Lab wrote.
Like other rootkits, TDL-4 inserts itself into the kernel, the main program at the heart of a computer's operating system, making it extremely difficult to detect or remove.
Microsoft shielded Windows 7 against rootkits by demanding that all new software show digital certificates signed by trusted sources before installation.
But TDL-4 has gotten around this obstacle. It now infects the master boot record of a PC, the section of the hard drive that the computer reads when starting up, and alters Windows 7 upon loading to permit unauthorized software installations. TDL-4 is present before the computer is even up and running.
Originally posted by HomerinNC
My laptop was infected with this; used a TDSS killer and everything, no use, had to reboot the entire system.
Quote from article
Often hidden on adult content and bootleg websites
posted by schwit1 (797399) on Wednesday June 29, @08:43PM (#36617822) on slashdot.org
download.bitdefender.com... [bitdefender.com]
devbuilds.kaspersky-labs.com... [kaspersky-labs.com]
Both of these update from the internet after booting up.
posted by Anonymous Coward on Wednesday June 29, @09:16PM (#36618034) on slashdot.org
I work at a computer repair shop.
We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR has been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...
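The point above, that an MBR modification is easy to spot once you look at the first sector, can be checked without a third-party tool. The following is an added example (not from the thread or from any of the tools it names): it hashes the bootstrap code of a 512-byte MBR against a baseline taken from a known-clean machine, decodes the partition table, and flags the pattern an MBR bootkit leaves behind (bootstrap code replaced, partition table untouched so the disk still boots). The sample MBR bytes and the `\\.\PhysicalDrive0` path are constructed assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439: bootstrap code (what a bootkit overwrites)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55AA end-of-sector marker

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; record this from a clean machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()

def partition_table(mbr: bytes) -> list:
    """Decode the four entries as (bootable, type, start_lba, sector_count)."""
    entries = []
    for i in range(4):
        e = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        entries.append((e[0] == 0x80, e[4], start, count))
    return entries

def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected MBR length %d" % len(mbr)]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in partition_table(mbr) if p[0]]
    if len(active) != 1:
        findings.append("%d active partitions (expected 1)" % len(active))
    return findings

def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk (Windows; needs admin rights)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)

# Constructed samples: a clean MBR with one active NTFS-type partition, and a
# copy whose bootstrap code was swapped out while the table was left intact.
def sample_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\x00" * 6 + table + b"\x55\xaa"

CLEAN_MBR = sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed prologue bytes
BASELINE = boot_code_hash(CLEAN_MBR)                      # what you would store offline
TAMPERED_MBR = sample_mbr(b"\xeb\xfe" * 100)              # foreign code, same table
```

On a live machine, compare `check_mbr(read_mbr(), stored_baseline)` from a boot CD or another clean host rather than from the suspect system, since a rootkit in the kernel can hand back a clean-looking sector.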
posted by Zaphod-AVA (471116) on Wednesday June 29, @09:47PM (#36618244) on slashdot.org
When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.
To detect it, run the latest version of GMER.
www.gmer.net...
To remove it, you need to run a series of three scanners in this order:
TDSSkiller
support.kaspersky.com...
Combofix
www.bleepingcomputer.com...
and Malwarebytes' Antimalware
download.cnet.com...
Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.
As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my clients' systems because I was convinced there were unknown Flash exploits.