Massive Indestructible Botnet - seanharper
http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers

======
Xk
> TDL-4's makers created their own encryption algorithm

Two comments about this

-- I give it maybe a week or two against a good cryptographer. You never,
ever invent your own encryption algorithm.

-- Even if the encryption algorithm happens to be secure against
differential/linear/slide/boomerang attacks, I bet there will be an
implementation flaw. It's really hard to get implementation right on those
things, even if you have an almost perfect algorithm.

Not that all that really matters -- anything that's encrypted can be
decrypted since the key lives on the computer -- but the fact that they
created their own encryption algorithm gives some insight into their minds.
Namely, that they think they are smarter than they really are, and that despite
all of that, they don't know enough about security to stick with AES.

> and the botnet uses the domain names of the C&C servers as the encryption
> keys.

... what? That kind of defeats the entire purpose of encryption when the key
is something like that. Besides, what are they using this encryption for? It
seems more likely they want a check on the integrity of messages. And even
still, a MAC is equally worthless since it's not public/private key.

Either (1) this botnet is really weak or (2) the writers of this article have
distorted the truth.
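
Xk's point above, that a key derived from a publicly visible value such as a C&C domain name gives no confidentiality (and that a MAC under such a key proves nothing about who sent a message), shown as an added example that is not part of the thread and not taken from any TDL-4 analysis. Since this page does not describe TDL-4's actual algorithm, the cipher below is a constructed stand-in (SHA-256 in counter mode), and the domain name, nonce, message and all function names are assumptions made for the demonstration:

```python
import hashlib
import hmac

def derive_key(domain: str) -> bytes:
    """Stand-in for 'the key is the C&C domain name': hash the domain to 32 bytes.
    Constructed for this example; the page does not say how TDL-4 derives keys."""
    return hashlib.sha256(domain.encode("ascii")).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256, standing in for an unknown custom cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the message with the keystream; decryption is the same operation."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

decrypt = encrypt

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC over the message. Only meaningful if the key is actually secret."""
    return hmac.new(key, message, hashlib.sha256).digest()

def analyst_recovers(domain_seen: str, nonce: bytes, ciphertext: bytes) -> bytes:
    """An analyst who sees the domain (in DNS traffic or the client's config)
    reproduces the key and reads the message; no cryptanalysis is involved."""
    return decrypt(derive_key(domain_seen), nonce, ciphertext)

# Constructed sample values; not real infrastructure or real traffic.
CNC_DOMAIN = "cnc.example.invalid"
NONCE = b"\x00" * 8
COMMAND = b"constructed-sample-command"

def demo() -> dict:
    key = derive_key(CNC_DOMAIN)
    ct = encrypt(key, NONCE, COMMAND)
    tag = mac_tag(key, COMMAND)

    # Anyone holding the public domain name gets the same plaintext...
    recovered = analyst_recovers(CNC_DOMAIN, NONCE, ct)
    # ...while a wrong domain yields garbage, so the "secret" really is just the domain.
    wrong_guess = analyst_recovers("other.example.invalid", NONCE, ct)
    # ...and can compute the same MAC tag, so the tag cannot authenticate the sender.
    tag_reproducible = hmac.compare_digest(tag, mac_tag(derive_key(CNC_DOMAIN), COMMAND))

    return {
        "ciphertext_hex": ct.hex(),
        "recovered": recovered,
        "wrong_guess": wrong_guess,
        "tag_reproducible": tag_reproducible,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The design choice worth noticing is that nothing here attacks the cipher: whatever the algorithm is, confidentiality and MAC authenticity rest entirely on the key being secret, and a key that is a function of the domain name the client resolves is available to anyone who can watch the client. That is the asymmetry Xk is pointing at when contrasting a MAC with a public/private-key scheme.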

~~~
marshray
_I give it maybe a week or two against a good cryptographer. You never, ever
invent your own encryption algorithm._

Don't rule out the possibility that the botnet code was written by a good
cryptographer. It may be that they're using a well-designed algorithm that
these researchers didn't happen to recognize.

_Even if the encryption algorithm happens to be secure against
differential/linear/slide/boomerang attacks, I bet there will be an
implementation flaw. It's really hard to get implementation right on those
things, even if you have an almost perfect algorithm._

Sometimes something that would be bad as a standard building block can hold up
in a specific use case. Maybe this thing really only needs to obfuscate the
communications.

_Not that all that really matters -- anything that's encrypted can be
decrypted since the key lives on the computer -- but the fact that they
created their own encryption algorithm gives some insight into their minds.
Namely, that they think they are smarter than they really are, and that despite
all of that, they don't know enough about security to stick with AES._

I wouldn't underestimate the Russians and Eastern Europeans like that.

_[...] Either (1) this botnet is really weak or (2) the writers of this
article have distorted the truth._

Probably both, at least (2).

It's really really hard to write technically accurate descriptions of these
things that are also accessible to a wide enough audience that you reach the
people you need to reach.

~~~
tptacek
Has any botnet ever been written by a good cryptographer? I remember Vern
Paxson getting a whole paper out of supposedly-skillful botnet authors not
even being able to generate random numbers securely.

~~~
marshray
Undoubtedly there has been; the question is whether or not it's been released
from the lab.

I don't know about its cryptography specifically, but Stuxnet, for example, is
a botnet regarded as a game-changer precisely because it was such a
professional hit.

BTW, I'm trying to see if there's any interest in a collaboration on the
cryptanalysis of this custom encryption system. Anyone with an interest please
ping me. It may turn out to be nothing.

~~~
Xk
(1) You should put your email in your "about" section so the rest of us can
see it.

(2) Do you have the source of it? Do you have a non-obfuscated version?

(3) Even if the answer to both questions in (2) is "yes", I still doubt any
serious cryptographers would take a look at it. They (mostly) do things to
write papers, and you don't get a paper out of "we broke a really weak
encryption algorithm in a botnet". The chances that the paper is instead "this
botnet has a reasonable encryption algorithm" are so slim, they won't consider
it.

(4) That said, there are a number of non-serious cryptographers who would find
it an interesting challenge, but if they can't break it, it still doesn't mean
it's any good.

~~~
marshray
(1) done.

(2) No, I haven't heard of anyone getting the source. There are 4.5M PCs with
an obfuscated binary, so that should be obtainable. We can de-obfuscate it
ourselves (it obviously has to load into memory at some point), or we can also
ask other researchers who have already done this. The latter is likely to be
successful according to 'who' and 'how serious' we have interested.

(3) You never know and it never hurts to ask. Don't forget, they also often
have students looking for projects. Anti-botnet ops is an active research
topic in data security.

(4) Yep. I doubt anyone would consider using it for anything else.

------
JonnieCache
Anyone got a link to a source with some info that isn't aimed at someone with
the technical expertise of the average pensioner? There was no information in
this article.

Who _are_ these people that read the front pages of both Hacker News and
computerworld.com?

EDIT: This is more like it:
<http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4>

EDIT2: That link was just an initial analysis of the infection vectors, here's
a more full analysis of the payload and suchlike
<http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot>

~~~
sc00ter
Amongst others no doubt:
[http://www.symantec.com/security_response/writeup.jsp?docid=...](http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2)

------
fragsworth
In my opinion, a very poorly written article, but here are some of the main
points:

1. estimated 4.5 million infected machines

2. it infects the Master Boot Record

3. it uses the Kad Network (<http://en.wikipedia.org/wiki/Kad_network>) to
issue commands to the clients (No idea how, the article did not explain this)

4. it disables competing malicious software

5. it acts as a malicious software manager; they install software for their
"customers" to temporarily use

------
Vivtek
So at what point does a botnet cease to be a parasite and start to be a
symbiote?

If TDL-4 keeps your machine free of other malware at the cost of engaging in
the occasional DDoS....

Actually, wouldn't TDL-4's owners possibly earn _more_ money by doing remote
management and tuning of 4.5 million PCs than they could by selling malware
connectivity?

------
zitterbewegung
Indestructible isn't the right word to describe this. More like very resilient
or resistant. The title is very linkbait and the reporting looks like it's based
off of phrases by security researchers.

------
hook
So that's how some videos on YouTube have millions of hits before anyone has
heard of them...

------
saalweachter
Is it just me, or does this article read like a sales brochure for TDL-4?

------
kaze
Wouldn't it help to have a read-only bootup DVD to scan the MBR?

~~~
maqr
Yeah, I use UBCD4WIN when I need to remove these kind of infections. You
simply rebuild the MBR whether it needs it or not.

------
Joakal
Not even a software firewall can pick up connections? I always look to
firewalls for abnormal activity.

~~~
nl
_I always look to firewalls for abnormal activity_

I suspect you aren't the type of person who gets infected by a botnet.

------
noglorp
Fancy cryptography, p2p networking, with web-based command and control:
indestructible 'new' type of botnet, or practically identical to Zeus? You
decide!

------
extension
_TDL-4's makers use the botnet to plant additional malware on PCs_

Whoa, it's the evil app store!

Could this be used to take the botnet down? Pay them to install something and
sneak in an antidote?

~~~
marshray
Like another botnet! :-) Sometimes botnets actually will clean and patch their
target machines.

------
leon_
good old fdisk /fixmbr ;)

~~~
JonnieCache
Ahhh... memories. Back when trying to dual-boot linux had about a 20% chance of
not fucking your whole shit up.

Although that may have been down to my relative inexperience at the time.

EDIT: I have more memories of using the plain ol' 'fixmbr' command that you ran
from that weird 'recovery console' shell on the Windows install CD. Didn't
realise fdisk had a /fixmbr switch. Guess it does the same thing.

------
gorgoroth666
security? who cares?

------
bromagosa
Why is anybody on Earth still using Windows?

~~~
Fargren
- The name inspires a lot of trust in a layperson

- There's a lot of software with no equivalent in other OSs (including computer games, which are a selling point for a lot of people, and Visual Studio)

- Many companies are reluctant to change software they've been using for any length of time. Changing the OS is especially unlikely.

- It's really not that bad an OS...

------
koko775
Next thing you know it'll be asking to be uploaded onto a mining colony on
some asteroid!

~~~
koko775
Seriously? Nobody's read Accelerando? :(