Monday, July 18, 2011

Removing an 'indestructible' virus

Kim K:

7/8/2011

Q. I'm having a problem with Google searches lately. When I click on a search result, I am redirected to a random website. I am running security software, but none of my programs detects a virus. After doing some research, I think my machine is infected with the TDL-4 rootkit. How do I get rid of it?
-Roscoe from Des Moines, IA, listens to my national radio show on KWQW 98.3 FM

A. We've been hearing about the TDL-4 rootkit in the news lately. It has infected more than 4.5 million computers. About a third of these infections are in the United States.

TDL-4 has been described as "indestructible." There are a few different reasons for this. First, it is a rootkit. This type of malware is extremely difficult to detect. It can hide on a machine without the owner's knowledge. Many security programs can't detect rootkits.

Second, the TDL-4 rootkit gives the criminals total control over your machine. They can use it to launch attacks. They can install malicious programs. If the server that controls TDL-4 is shut down, it uses peer-to-peer technology to get new commands.

TDL-4 has been called the most sophisticated malware to date. Fortunately, though, it isn't really indestructible. If your machine is infected, and it sounds like it is, you can remove it from your system.

The Google redirect problem is a symptom of the Alureon virus. This is a member of the TDSS family. It was a major headache for Microsoft last year.

The TDL-3 version of Alureon conflicted with a specific Microsoft system update. That caused computers to crash when the update was installed. Microsoft actually had to pull the update for a while.

If you haven't updated your computer in a while, this could be the problem. Microsoft released a fix using the Microsoft Security Removal Tool. Updating Windows should take care of TDL-3.

Any up-to-date antivirus program should also detect and remove TDL-3. If the infection is really being stubborn, try Kaspersky's TDSSKiller or Microsoft's Standalone System Sweeper.

Getting rid of TDL-3 isn't really a problem anymore. However, the newer version of TDSS/Alureon, TDL-4, is a whole new ballgame.

First of all, like TDL-3, TDL-4 is a rootkit. A rootkit is a program that installs deep in a computer's operating system. In some cases, rootkits infect basic Windows operations. That makes them all but invisible to security software.

TDL-4 goes even further. This rootkit infects a computer's Master Boot Record. For that reason, it's also known as a bootkit.

The MBR is the region of the hard drive that stores Windows' boot information. In other words, bootkits load before Windows. They actually operate outside of Windows.

Bootkits are almost impossible to detect at present. Normal security software doesn't typically scan the MBR. Even when it does, the bootkit can tell the software to ignore it.

One bootkit, Popureb.E, has a unique method for this. It actually modifies the instructions Windows sends to your hard drive. It can prevent malicious data from being erased. I told you these things were scary.
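As an added illustration (not code from the column or from any of the tools it names), here is a small Python parser that reads a raw MBR sector, splits out the 446 bytes of boot code, the four partition entries and the 0x55AA signature, and compares the boot-code hash against a baseline recorded while the machine was known to be clean. The sample sectors are constructed inside the script, and the baseline is simply the hash of the clean sample, not a published Windows value.

```python
import hashlib
import struct

# Classic MBR layout (from the MBR format, not from the column): 446 bytes of
# boot code, four 16-byte partition entries at offset 446, 0x55AA at 510.
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE_OFF = 510
MBR_LEN = 512

def parse_mbr(sector):
    """Split a raw 512-byte sector into boot-code hash, partitions and signature."""
    if len(sector) != MBR_LEN:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    parts = []
    for i in range(4):
        # entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "signature_ok": sig == 0xAA55}

def check_mbr(sector, baseline_sha256):
    """Compare an MBR against a boot-code hash recorded while the machine was clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings  # empty list means the MBR matches the baseline

def build_sample_mbr(first_byte=0x90):
    """Construct a synthetic MBR for the demo; this is not a real disk image."""
    boot_code = bytes([first_byte]) + bytes([0x90]) * (BOOT_CODE_LEN - 1)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # one active NTFS partition
    return boot_code + entry + bytes(48) + b"\x55\xAA"

CLEAN = build_sample_mbr()
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]
TAMPERED = build_sample_mbr(first_byte=0xEB)  # boot code altered to jump elsewhere
```

On a live Windows system the first 512 bytes of `\\.\PhysicalDrive0`, opened with administrator rights, are the MBR; because a bootkit can filter disk reads as described above, the copy to trust is one read while booted from clean media.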

It gets even scarier. TDL-4, for example, lets hackers install software remotely. It can quietly install a keylogger and steal your information. Or it can blitz you with fake antivirus programs you can't remove.

Your computer could be used for denial-of-service attacks. Perhaps it will be forced to send out spam. That would show up as unusually high Internet activity. However, there would be no other indication.

TDL-4 will even remove competing viruses from your system. This keeps your security software from triggering. It can actually lull you into a false sense of security.

All TDL-4 infected computers are controlled by a hacker group. That makes TDL-4 a botnet. All the computers can work together to perform specific tasks. The hackers can rent out the botnet to other hackers for various uses.

Security companies have had a lot of luck against botnets lately. The FBI took down the Coreflood botnet, for example. The way they did this was to shut down the bot's command and control servers. The hackers were no longer able to send commands to infected computers.

That tactic won't work with TDL-4. It has two methods of custom-encrypted communication. One method is a standard control channel. The other is a peer-to-peer channel.

The P2P channel lets the hackers transmit lists of new control servers. Every time control servers are shut down, the hackers just start new servers. Then they send the new server locations to the virus. There's nothing law enforcement can do to block the update.

The only way at present to defeat the TDL-4 botnet is to clean all infected computers. So, how do you know if you have TDL-4 or another rootkit? Well, it isn't easy.

You might see redirection of your search results. Maybe viruses are appearing out of nowhere. Perhaps your Internet traffic is higher than it should be.

Those are indications you might have a problem. Another indication is if your security software seems ineffective. It might say it removed a virus, but the virus pops up again.

Security software providers are updating their programs to detect bootkits. However, once a bootkit is installed, it's hit or miss. As I said, bootkits are very good at hiding and disabling regular security software.

That's why companies are releasing standalone utilities. BitDefender has a dedicated TDL-4 detector and remover. Likewise, Kaspersky has released an updated rootkit detector and cleaner. Norton's Bootable Recovery Tool is also available for existing Norton users.

If those don't work, you can try a program called GMER. It is designed to detect and remove rootkits. It's a powerful tool, but can be complicated to use. Be sure to read the site's FAQ before using it.

Finally, Microsoft has some last-ditch instructions for removing bootkits. It involves restoring your computer's Master Boot Record to factory conditions. This effectively overwrites the bootkit. You can then use regular security software to clean up any remaining viruses.

Unfortunately, this is a dangerous procedure. It's entirely possible you could damage your computer. In that case, you would need to wipe your hard drive and reinstall everything.

Make sure your computer is backed up before performing this procedure! Hopefully, you're making backups of your information already. I recommend my advertiser Carbonite.

Start by booting into the Windows Recovery Console. For Windows 7 and Vista, that means restarting the computer. Before the Windows logo appears, press the F8 key.

This will bring up the Advanced Boot Options screen. Use the arrow keys to highlight Repair Your Computer and press Enter. Then select your keyboard layout.

Some systems might not have the Repair Your Computer option installed. In that case, you will need to boot from your Windows install disc. If you don't have one, contact your computer's manufacturer for help.

Using the Recovery Console in Windows XP is more difficult. You're probably going to have to install it manually. Microsoft has detailed instructions for this on its site.

Let's assume you've booted into the System Recovery Options menu. For 7 and Vista, select the Command Prompt option. With XP, it will boot into the Command Prompt automatically.

Type in "bootrec.exe /fixmbr" (minus quotes; note the space before the forward slash). This will repair the MBR and should overwrite the bootkit. Now you can restart the system.

It might be good to boot into Microsoft's Standalone System Sweeper next. This will prevent any viruses from activating before they're removed. It should make cleaning up the system easier.

Otherwise, run full scans with all your regular security software. You'll probably want to do this regardless. The more programs you use, the likelier you are to catch everything.

Now, in some cases, all this might not work. The bootkit might still be on your system. In that case, the only solution is completely wiping your hard drive. Then you'll have to reinstall Windows from the ground up.

As you can see, being infected by a rootkit isn't fun. Getting rid of it is time-consuming and aggravating. You're much better off not contracting it in the first place.

Fortunately, rootkits get installed just like any other virus. They are transmitted through malicious Web links and email attachments. Stay cautious online and keep Windows and your security software up-to-date.

Alureon and other viruses are great at stealing your information. However, hackers have plenty of other methods as well. Learn some ways to keep your information safe:
