Thursday, June 30, 2011

Oh boy

An undetectable, indestructible rootkit:
The TDSS rootkit burst on the scene in 2008 and quickly earned the begrudging respect of security experts for its long list of highly advanced features. It is virtually undetectable by antivirus software, and its use of low-level instructions makes it extremely hard for researchers to conduct reconnaissance on it. A built-in encryption scheme prevents network monitoring tools from intercepting communications sent between control servers and infected machines.
The amount of talent that it takes to make this does not come cheap.  That talent used to gravitate to the security defenders - to little startups like the ones I used to haunt.  There's no money there now.

But there's a boatload of money in the malware business.  Thank you Stupid Republican Party for the Sarbanes-Oxley bill that killed the IPO market.  You sure made everything better.

9 comments:

coyoteken said...

Seems to me that Paul Sarbanes is a Democrat from Maryland and the law passed with overwhelming votes from BOTH parties in both the House and Senate with nary any dissent. Your partisan jab doesn't work here.

Borepatch said...

coyoteken,

We're used to the Democrats implementing huge, unwieldy, top-down Stalinist power grabbing programs. It's what they do.

My point is that the Republicans show no little appetite for the same. The Department of Homeland Security is another example, as is the TSA - both of which flourished under George W. Bush and a Republican Congress.

Old NFO said...

Not good news... Not at all.

kx59 said...

TDSS, yep that was a fun one...
there are tools out there from Kaspersky and Sophos that will get 'er done.

SiGraybeard said...

Sarbanes Oxley has another side effect. Thousands of high tech workers have to spend time every year getting trained in it, draining productivity from their companies.

On my best day, I couldn't influence our stock price as much as one slip of the lip from our CEO or board member could, if overheard out on the golf course. Yet I have to spend a half hour to an hour every year getting trained.

wolfwalker said...

"An undetectable, indestructible rootkit:"

Neither-nor, Borepatch. Damn difficult to do both if you're just an average user ... but a power user can do it, and it's not even all that hard. As noted above, Kaspersky and Sophos can detect and clean it. The other vital aspect of removal is boot from a liveCD version of Windows. That way the rootkit never loads and its cloaking code is never activated.

NotClauswitz said...

Ok, so like, go over the whole thing about making a LiveCD boot-version of Windows-7 for us knuckledraggers, so I can do that at home?

kx59 said...

A Kaspersky or Sophos boot disk loads and runs on Linux. If you need to go in and do manual surgery, I recommend an Ubuntu 11.04 Linux live disk.
I'm not a real doctor, but I've played one on TV.

Anonymous said...

SOX just plain...SUX.

The problem with it is that it was no more than *feel good* legislation, designed as Kabuki Theater for Wall Street, much as TSA and Nudie Scanners are Kabuki for the flying public.

What good are audits and controls over the *codebase*, when a CEO or CFO that wants to steal can go to LegalZoom, create a shill corporation for under $900, and cut checks to these shill entities, cash the checks, and pocket craptons of money.

All without touching ONE SINGLE LINE of code...

Complete waste of time and money is SOX....