'Indestructible' Malware Strain Infects Millions of PCs

Here we go folx! It's come down to this.... No computers are safe now. No virus scanner can stop this juggernaut! Dont worry about anonomous or the lulz boat taking over your pc. This badboy will infect you, and open a door wide, for any keyloggers to take over at any time. No information is safe, neither are your bank card info, passwords, email, whatever it may be.

Could this be something akin to a wikileaks plot, where any and all information can be taken from anyone and everyone and plastered all over the net? Could this be big government sneaking around your files? Or could this be just a simple prank made by one smart cookie to steal and possible sell your information?

Source

View full size image
A new strain of super malware infected more than 4.5 million PCs in the first three months of 2011, and shows no signs of slowing down.

The malware, a rootkit variously called TDSS, TDL or Alureon, has been active since 2006, continually evolving and growing more powerful. Due to its devious and damaging capabilities, it is nearly impossible to detect and has been called "indestructible" by researchers at the security firm Kaspersky Lab.

Once it worms its way into users' systems by bypassing authentication protocols, TDL-4 opens a "back door" to cybercriminals, making it possible for them to load keystroke loggers, adware and a host of other malicious programs onto the infected computers.

TDL-4 allows attackers to remotely take over infected systems, manipulate search engines and act as "a launch pad for other malware," Kaspersky Lab wrote.

Like other rootkits, TDL-4 inserts itself into the kernel, the main program at the heart of a computer's operating system, making it extremely difficult to detect or remove.

Microsoft shielded Windows 7 against rootkits by demanding that all new software show digital certificates signed by trusted sources before installation.

But TDL-4 has gotten around this obstacle. It now infects the master boot record of a PC, the section of the hard drive that the computer reads when starting up, and alters Windows 7 upon loading to permit unauthorized software installations. TDL-4 is present before the computer is even up and running.

This thing is very scary folx. That'll make everyone think twice while visiting a porn site. But then... It's not exclusive to just porn sites. Good luck! As far as we all know, we're probably infected right now and dont even know it. I will be sticking to my phone from now on!

my laptop was infected with this, used a tdss killer and everything, no use, had to reboot the entire system

Meh...

Anyone who doesn't wipe or arrange to have their computer wiped every three to four months has their head in the sand. In fact, that is what I am doing this weekend and into the 4th. All the family's laptops and the desktop will be squeaky clean and as 'secure' as it is possible to get networked computers.

just be careful what you download and where you click

boot under dos and type:

fdisk /mbr

malware gone.

reply to post by ophis


Hope you are available to answer all the 'What's DOS, and how do I get under it?" posts!

Originally posted by HomerinNC
my laptop was infected with this, used a tdss killer and everything, no use, had to reboot the entire system

Quote from article

Often hidden on adult content and bootleg websites

Anybody that's been on the internets for longer than 5 minutes ought to know what sites and activities are safe from crap like this. They need to start licensing people and make them take classes before they are allowed online... Before they screw it up for everyone.

If you have important data on your PC, use Linux!
I'm so sick of reformatting my hard disc every time when new garbage is spread around the internet.
If your only worry is porn, then Windows is good enough.

Was reading the other day on slashdot.org and this topic was discussed. I made a text file of all the suggestions there in case I every got hit. This is what I gleaned.

posted by schwit1 (797399) on Wednesday June 29, @08:43PM (#36617822) on slashdot.org

download.bitdefender.com... [bitdefender.com]
devbuilds.kaspersky-labs.com... [kaspersky-labs.com]

Both of these update from the internet after booting up.

posted by Anonymous Coward on Wednesday June 29, @09:16PM (#36618034) on slashdot.org

I work at a computer repair shop.

We frequently encounter computers that are kitted up with boot and rootkits, TDL-4 included. Kaspersky's TDSS killer does a pretty good job of removing this stuff, and it's pretty easy to tell if the MBR as been modified. Just fire up a copy of GMER and you'll be able to tell pretty quickly. I see a lot of people posting stuff about having to wipe drives and start over from scratch. That is simply not necessary. The only reason TDL-4 is such a pain in the ass is because it is decentralized, only communicates with a handful of its infected counterparts at a time and modifies the MBR. Even then, it's not impossible to detect or even remove. Just gotta use the right tools...

posted by Zaphod-AVA (471116) on Wednesday June 29, @09:47PM (#36618244) on slashdot.org

When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

To detect it, run the latest version of GMER.
www.gmer.net...

To remove it, you need to run a series of three scanners in this order:
TDSSkiller
support.kaspersky.com...

Combofix
www.bleepingcomputer.com...

and Malwarebytes' Antimalware
download.cnet.com...

Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.

The whole story (Warning, the guys at slashdot are not all angels)
Slashdot - Massive Botnet "Indestructible," Say Researchers

reply to post by Montana


DOS is operational system just like unix.

Windows XP is a "Theme" for DOS... (simply speeking)

either way you have to run computer before windows loads...

dowload free version of dos:
www.freedos.org...

burn cd. start computer from CD.

type
fdisk /mbr
restart pc.

this will clear/reset Master Boot Record of your hard drive.(this malware is sitting over there)
this operation will NOT delete any files on your hdd.

If you have any bootloaders they will be deleted so you have to reinstall them
(if you can choose multiple systems at computer boot then it means u have boot loader, if u have just one system then you dont have to worry about that)

reply to post by Count Chocula


I dont look at adult sites, it attacked my computer when I downloaded a mod for world of warcraft
why would i wanna look at nekkid chicks when i cant touch em?

Everyone... Thanks for the many replies and helpful information to prevent and remedy these ongoing problems. I'm sure someone will find the tools, info and links very helpful.

did a scan with hitmanpro since its one of the programs that can deal with it and it was clean

thx for the warning anyway.

reply to post by Montana


completely agree.
Viruses, malware all that crap is just common place now a days.
If I cant get my Pc back up to a standard with hijack this, the regedit and some basic safemode tweaking ill recreate my partition and set'er up again.

Always good with a few dvd's and beers.. and a ffilps on the side.

Unfortunately I dont own a PC anymore!