Urban Myth in the Making

I picked up a post today at bleepingcomputer.com about the “botnet 4.0 undetectable virus”. Well, you can probably guess what I think about the idea of an undetectable virus, and if not (and you actually care what I think about anything!) you can check out my blog Undetectable Virus Plays a Cool Hand.

(Clue: the Chainmailcheck blog specializes in hoaxes (intentional and unintentional), semi-hoaxes, scams, spams and uncle Tom Cobblers and all.)

In this case, the name of the virus suggests a possible misunderstanding related to the TDL4 botnet. I already wish I'd never seen any references to indestructible botnets, and I suspect I'm going to get even more tired of it now.

Author: David Harley, ESET Senior Research Fellow

  • jim02

    From "indestructible botnet" to "undetectable virus." I blame Golovanov and Stewart, along with the media, which has twisted something ridiculous into something even worse.
    While you're on the subject of TDL, I don't suppose you have a picture of what the data in an infected MBR looks like? Are there any telltale strings added or removed from the original MBR, or anything similar that could give the bootkit away just by a visual inspection? Just curious.

    • David Harley

      We’re not sure what you mean by “visual inspection”. If you mean by not using any dedicated tools then it’s not possible to remove the bootkit that way, since TDL conceals the infected MBR and prevents it from being overwritten.

  • jim02

    No, I'm sure removal is more difficult than that. I just wondered if it was possible to use a tool like Dimio's "HDHacker" on Windows, or "sudo cat /dev/sdaX" on Linux (or any hex editor with raw disk access to the boot sector), and examine the contents of the MBR for certain bits or strings that TDL puts in the MBR that wouldn't normally be there. I'd show you a screenshot of what I mean, but I'm not allowed to post links. :)
    How does it conceal the MBR? Isn't the MBR always in sector 0? I glanced through the whitepaper, but maybe I need to read it a little more…

    • David Harley

      You can, in principle, use specialist tools to examine the boot sector to look for strings in the same way that first generation AV did, but early boot sector viruses were much more simplistic and consistent between samples than TDL: and that approach would not be effective for detection across a range of samples and variants. Concealment is less a matter of moving the MBR than of misdirecting utilities so that they don’t see what they “think” they’re seeing. In fact, many early BSVs did the same thing, though with different mechanisms. The kind of hooks and patches that rootkits use are analogous forms of misdirection.
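
As an added illustration of the trade-off described in the reply above (this is example code, not code from the original post or from ESET), the Python below parses a 512-byte MBR and contrasts the first-generation string-signature approach with comparing the boot code against a hash recorded when the disk was known-clean. Every sector, the marker string and the baseline hash are constructed here; the two "variant" sectors only stand in for the idea that a marker string present in one sample may be absent from the next, so a fixed-string check misses it while a baseline comparison still flags the change. The script assumes the sector bytes were read from outside the suspect OS (for example from a trusted boot medium); as the reply explains, a read made through a misdirected system may not show the real sector, and the script cannot verify that itself.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good baseline.

All sample data below is constructed for illustration; no real bootkit bytes
are included, and the marker string is an invented placeholder.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0x000-0x1B7: bootstrap code
DISK_SIG_OFF = 0x1B8     # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55AA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, disk signature and populated partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (type, lba_start, sectors, bootable) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, n)
                     for ptype, lba, n, bootable in partitions).ljust(64, b"\x00")
    return code + b"\xDE\xAD\xBE\xEF" + b"\x00\x00" + table + b"\x55\xAA"


def string_signature_hit(sector: bytes, marker: bytes) -> bool:
    """First-generation approach: look for one fixed byte string in the boot code."""
    return marker in sector[:BOOT_CODE_LEN]


def baseline_mismatch(sector: bytes, baseline_sha256: str) -> bool:
    """Baseline approach: flag any change to the boot code since the known-clean hash was taken.

    Only meaningful if `sector` was read from outside the suspect OS, since an
    in-system read can be misdirected to show the original, unmodified sector.
    """
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


# Constructed stand-in for stock boot code (a few real-looking opcodes plus a message string).
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Invalid partition table\x00"
MARKER = b"SAMPLE-MARKER"  # invented placeholder, not a real indicator
# Constructed variant A: boot code altered and carrying the marker string in clear.
VARIANT_A = b"\xEB\x10" + MARKER + b"\x00" + CLEAN_BOOT_CODE[2:]
# Constructed variant B: same alteration, but the marker is XOR-obscured so the string check misses it.
VARIANT_B = b"\xEB\x10" + bytes(b ^ 0x5A for b in MARKER) + b"\x00" + CLEAN_BOOT_CODE[2:]


def demo() -> dict:
    """Run both checks over the three constructed sectors; returns {name: {check: bool}}."""
    parts = [(0x07, 2048, 204800, True)]
    baseline = parse_mbr(build_mbr(CLEAN_BOOT_CODE, parts))["boot_code_sha256"]
    results = {}
    for name, code in (("clean", CLEAN_BOOT_CODE), ("variant_a", VARIANT_A), ("variant_b", VARIANT_B)):
        mbr = build_mbr(code, parts)
        results[name] = {"string_hit": string_signature_hit(mbr, MARKER),
                         "baseline_mismatch": baseline_mismatch(mbr, baseline)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} string-signature hit={r['string_hit']!s:5} "
              f"baseline mismatch={r['baseline_mismatch']}")
```

The clean sector triggers neither check, variant A triggers both, and variant B defeats the string check but not the baseline comparison, which is the point the reply makes about variants. To use the parser on a real disk you would read the first 512 bytes with a raw-access tool as the thread discusses and pass them to `parse_mbr`, recording the clean hash before any suspicion arises.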

  • jim02

    Ok, that makes sense. I was just looking for an easy way out. :)

    • David Harley


Copyright © 2017 ESET, All Rights Reserved.