maybe alarming news with regard to the TDL-4 infection?

I just started my day reading an alarming article on PopScience

claiming that tdl-4 is currently virtually indestructible,
I was wondering if that is the case?

also can the latest CIS prevent it from accessing my computer? under which settings?
the article on PopularScience doesnt explain in which form it infiltrates into computers, is it like
a file that one downloads or a banner of some sort that leaves a sample in the internet folder?


I believe if the treat unrecognized files as setting is set to untrusted or blocked, you will be protected. There’s a thread around here somewhere discusses it in depth how to add protected files and folders to your computer security policy, to block it from infecting your documents.

backup image restored = nothing to worry.

Some more information about this botnet

The more disquieting feature is that it install a bootkit undetectable by most security cies.

thanks for your help

“backup image restored = nothing to worry.”

im not sure what you meant? could you please expand more on it?

The article refers mostly to the entire botnet as indestructible because the encryptions makes it impossible to identify all infected machines by analyzing traffic. Also, if the malware does not display any visible symptoms some users may never be aware of infection.

As far as an individual machines go, many security programs successfully remove tdl4 (CCE, Gmer and kaspersky’s TDSS killer should all work fine)

That backup image better include a MBR backup. TDL gets into the MBR an image won’t help that much.

Re-creating the Master Boot Record using a specialised recovery tool can fix an infected PC.

As usual the media has gone hysterical about this and made it sound as if nothing can get rid of TDL-4 once it is on your PC. In practice it is difficult to detect because it modifies the MBR to install a sophisticated rootkit which uses encryption to avoid anti-malware. I don’t know if it can avoid boot-time scans such as that available with AVAST because even though the scan runs before Windows starts it is still after the MBR code has been executed.

My previous PC had a BIOS option to disallow writing to the first couple of HDD tracks which would have made it invulnerable to this type of attack. Unfortunately my current PC doesn’t have this option.

This botnet may be around for a long time because it apparently has been designed to function without central control, many users won’t realise their PCs are infected, and it is still being developed. This is probably the reason for the “indestructible” claims by the media.

You’re probably better off doing a DoD level wipe of your HDD and reinstalling:

BTW - you can also take an image of your entire HDD. It would then include the MBR - Track 1 data. When you restore, your restoring the entire disk.

Just install Truecrypt and encrypt your full system disk, this will load the Truecrypt installer in to your MBR.

  1. rootkits hate crypted disks
  2. if a rootkit manages to infect your MBR Truecrypt won’t boot claiming your bootloader is corrupt, once that happens you know it’s bad news.
    After that message you need your Truecrypt rescue CD to restore the ‘original’ Truecrypt MBR and the MBR part of the root/bootkit is gone, run a live-cd to detect the rest of it.
  1. does anyone know please how does one get this TDL-4 infection? is it by downloading a certain file or one can get it accidentally by just visiting a site?

  2. can I please have an organized list of things I can do to avoid or prevent this infection?

Use Comodos manual sandbox, Sandboxie, Shadow Defender, or BufferZone to isolate your real system from your activities online.

Also, as mentioned above, make an image for your system using Microsoft Image, Paragon, Marrium, etc.

And…use a “Standard account” rather than the default “Administrator account”.
as explained here…

or at the very least adjust your UAC setting to HIGH.

In CIS, as mentioned above, use the “Blocked” option in the Execution Controls section of D+

how will a CIS protected computer be infected with TDL-4?

I would like to see some technical details about how this can be done…

then you will see that prevention is more important than cleaning :wink:


Spoof your IP address to appear that your located in Russia ;D

Per eWeek:

There appears to be no infected machines in Russia. This may be because the affiliate programs don’t get paid for infecting computers located in Russia, according to Golovanov. There are nearly 60 C&C servers around the world, but the IP addresses appear to be “constantly changing,” Golovanov said.

At the present time, it appears Kapersky’s TDSS anti-rootkit scanner is the most effective for removing TDSS family of rootkits. As I understand it, the developer updates the code on a daily basis. Only drawback is that you have to constantly download the current version.

It does run fast and checks all boot sectors and MBRs of all internal hard drives.

Maybe time for developers to dust off those old Win 95 era boot sector protection programs and update them. Actually none of this is new. Floppy boot sector viruses were the plague of the prior generation.

If D+ warns about any attempt to modify the MBR I don’t see how TDL-4 (or any other bootkit malware) could infect a PC running CIS or CFW with D+ enabled, even if it managed to evade all the other detection. It can’t hide the fact that it is changing the MBR until after it has infected the PC.

Melih, does D+ warn about MBR changes either via the Windows API or via direct disk access?

CIS does protect again TDL rootkits.

Good to know, but can you elaborate i.e. if settings are at Default then TDL-4 will not infect our MBRs?

I have a question about TDL infecting MBRs: if I am regularly backing-up my MBR with e.g. MBRWiz, and have a partition/boot configuration that does not change, would it be possible then to detect a TDL-type problem by simply doing a binary compare of these MBR backups from one backup to the next?

The default setting will prevent the installation of TDL rootkit.

The other question I don’t know the answer to.

If it’s a ‘good’ rootkit this check will fail on a running system, if you wish to be sure you have to do an ‘offline’ dump and compare.
Say you are infected, and the ‘backup’ of the MBR is intercepted by the rootkit it will probably serve you a ‘clean/copy’ MBR.