I’ve just come across a post at bleepingcomputer.com asking about the “botnet 4.0 undetectable virus”. The poster claims to have heard of a virus of that name “going around corrupted websites”.
Allegedly, it corrupts data on the hard disk, replicates and infects system files. And (sigh…) it’s claimed that it’s not detectable by any antivirus as it hides in legit files with valid digital signatures.
The poster asks whether it’s real. Well, I haven’t come across any mention of it up till now, at any rate by that name. Global Moderator “Bleepin’ Janitor” assumes, not unreasonably, that this is a reference to TDL4, the so-called indestructible botnet, and gives a number of informational links from Trend and Kaspersky. So it’s probably redundant for me to give links to my blogs at ESET (http://blog.eset.com/?s=tdl4) or the papers and articles that ESET has published on the same topic, but I will anyway:
I haven’t actually seen previous references to the botnet 4.0 undetectable virus. Well, that’s not a name I can imagine any reputable antivirus company using. But then, the claim is that AV can’t detect it, so I guess we wouldn’t. ;-) Which leads me to wonder how anyone knows it exists if it isn’t detectable. But of course, the undetectable virus makes even less sense than the indestructible botnet. While some botnets have effectively been “destroyed” by taking down servers and/or arresting the gang behind them, some (like TDL4) are resistant to any kind of at-a-stroke coup de grâce, and may exist in some neutered form long after the originators have abandoned them. But the malware is always detectable, sooner or later. Like all real malware (that I’ve ever heard of…)
It may be that this story is simply what Paul Newman once memorably called a failure to communicate (yes, I know that he was actually quoting another character), a version of TDL4 garbled by misunderstanding, what you might call an unintentional hoax. Or it may be another case of a deliberate hoax based on a deliberate distortion of a real story, what I sometimes call a semi-hoax. Or it might be unrelated to TDL4. The description doesn’t closely resemble TDSS.
But whatever it is, I very much doubt whether it’s undetectable. And if it were, it wouldn’t be because it was in a file with a valid digital signature. Depending, of course, on your understanding of what a “valid” signature might be. As Didier Stevens pointed out in a comment to that post:
“Practically, it is not possible to alter the executable code of a signed application without invalidating the AuthentiCode signature.”
Not to mention the fact that signing an application is not the same as guaranteeing that it wasn’t malicious to start off with.
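To make Didier Stevens’ point concrete, here is an added PowerShell example (it is not part of the original post or its comments): it copies a signed Windows executable, flips a single byte inside the file’s first section, and checks both the original and the copy with Get-AuthenticodeSignature. The path passed as $Signed is an assumption you supply; the comments note how the result differs for an embedded signature versus a catalog-only signature.

```powershell
# Added example, not from the original post: shows that altering the executable
# bytes of a signed PE breaks its Authenticode signature, and that a 'Valid'
# status says nothing about whether the code is benign.
# $Signed is an assumption: point it at any signed Windows executable.
function Test-TamperedSignature {
    param([Parameter(Mandatory)][string]$Signed)

    $tampered = Join-Path $env:TEMP 'tampered-copy.exe'
    Copy-Item -Path $Signed -Destination $tampered -Force
    $bytes = [System.IO.File]::ReadAllBytes($tampered)

    # Walk the PE headers to the first section so the byte we flip is code or
    # data that the Authenticode hash covers. The hash deliberately skips only
    # the CheckSum field, the certificate-table directory entry and the
    # certificate table itself; everything else in the image is protected.
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew
    $optSize = [BitConverter]::ToUInt16($bytes, $peOff + 20)    # SizeOfOptionalHeader
    $sect    = $peOff + 24 + $optSize                            # first IMAGE_SECTION_HEADER
    $rawSize = [BitConverter]::ToUInt32($bytes, $sect + 16)     # SizeOfRawData
    $rawPtr  = [BitConverter]::ToUInt32($bytes, $sect + 20)     # PointerToRawData
    $target  = [int]($rawPtr + [math]::Floor($rawSize / 2))

    $bytes[$target] = $bytes[$target] -bxor 0xFF                 # a one-byte change
    [System.IO.File]::WriteAllBytes($tampered, $bytes)

    # Expected: the original reports Valid; the copy reports HashMismatch when
    # the signature is embedded in the file, or NotSigned when the original was
    # only catalog-signed (catalogs are looked up by file hash, so the altered
    # copy simply has no matching entry). Either way it is no longer Valid.
    $results = foreach ($f in $Signed, $tampered) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            File   = $f
            Status = $sig.Status
            Type   = $sig.SignatureType
            Signer = $sig.SignerCertificate.Subject
        }
    }
    Remove-Item -Path $tampered -Force
    return $results
}

# A Valid status only proves who signed the file and that it is unchanged since
# signing; it does not vouch for what the code does. The path below is an
# example path, not a recommendation of any particular binary.
Test-TamperedSignature -Signed "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" |
    Format-Table -AutoSize
```

Run it in a normal (non-StrictMode) session; on PowerShell versions before 5.1 the SignatureType column is simply empty because the property does not exist there.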
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow