Posted by: David Harley | August 7, 2011

Undetectable Virus Plays a Cool Hand

I’ve just come across a post at bleepingcomputer.com asking about the “botnet 4.0 undetectable virus”. The poster claims to have heard of a virus of that name “going around corrupted websites”.

Allegedly, it corrupts data on the hard disk, replicates and infects system files. And (sigh…) it’s claimed that it’s not detectable by any antivirus as it hides in legit files with valid digital signatures.

The poster asks whether it’s real. Well, I haven’t come across any mention of it up till now, at any rate by that name. Global Moderator “Bleepin’ Janitor” assumes, not unreasonably, that this is a reference to TDL4, the so-called indestructible botnet, and gives a number of informational links from Trend and Kaspersky. So it’s probably redundant for me to give links to my blogs at ESET (http://blog.eset.com/?s=tdl4) or the papers and articles that ESET has published on the same topic, but I will anyway:

I haven’t actually seen previous references to the botnet 4.0 undetectable virus. Well, that’s not a name I can imagine any reputable antivirus company using. But then, the claim is that AV can’t detect it, so I guess we wouldn’t. ;-) Which leads me to wonder how anyone knows it exists if it isn’t detectable. But of course, the undetectable virus makes even less sense than the indestructible botnet. While some botnets have effectively been “destroyed” by taking down servers and/or arresting the gang behind them, some (like TDL4) are resistant to some kind of at-a-stroke coup de grâce, and may exist in some neutered form long after the originators have abandoned them. But the malware is always detectable, sooner or later. Like all real malware (that I’ve ever heard of….)

It may be that this story is simply what Paul Newman once memorably called a failure to communicate (yes, I know that he was actually quoting another character), a version of TDL4 garbled by misunderstanding, what you might call an unintentional hoax. Or it may be another case of a deliberate hoax based on a deliberate distortion of a real story, what I sometimes call a semi-hoax. Or it might be unrelated to TDL4. The description doesn’t closely resemble TDSS.

But whatever it is, I very much doubt whether it’s undetectable. And if it were, it wouldn’t be because it was in a file with a valid digital signature. Depending, of course, on your understanding of what a “valid” signature might be. As Didier Stevens pointed out in a comment to that post:

“Practically, it is not possible to alter the executable code of a signed application without invalidating the AuthentiCode signature.”

Not to mention the fact that signing an application is not the same as guaranteeing that it wasn’t malicious to start off with.
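To make Didier’s point concrete, here is an added example (my own illustration, not code from the bleepingcomputer thread or from ESET): a Python model of the Authenticode hashing rule, run over a constructed minimal PE32 buffer rather than a real binary. It assumes the regions the Authenticode PE specification excludes from the digest (the CheckSum field, the certificate-table data directory entry, and the certificate blob itself) and one .text section; the signed PKCS#7 wrapper around the digest is omitted.

```python
import hashlib
import struct

# Constructed minimal PE32 layout (not a real program): headers, one .text
# section standing in for code, and an appended certificate table blob.
HDR_SIZE, CODE_OFF, CODE_SIZE, CERT_OFF, CERT_SIZE = 512, 512, 512, 1024, 64
OPT_OFF = 0x58                       # optional header follows the COFF header
CHECKSUM_OFF = OPT_OFF + 64          # CheckSum field inside the optional header

def build_sample_pe() -> bytes:
    pe = bytearray(CERT_OFF + CERT_SIZE)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                  # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)             # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x54, 224)                   # SizeOfOptionalHeader
    struct.pack_into("<H", pe, OPT_OFF, 0x10B)              # PE32 magic
    struct.pack_into("<I", pe, OPT_OFF + 60, HDR_SIZE)      # SizeOfHeaders
    struct.pack_into("<I", pe, CHECKSUM_OFF, 0xDEADBEEF)    # CheckSum, not signed
    struct.pack_into("<II", pe, OPT_OFF + 96 + 4 * 8, CERT_OFF, CERT_SIZE)  # cert dir
    sec = OPT_OFF + 224                                     # first section header
    pe[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, CODE_SIZE, 0x1000, CODE_SIZE, CODE_OFF)
    pe[CODE_OFF:CODE_OFF + 4] = b"\x55\x8b\xec\xc3"         # stand-in code bytes
    pe[CERT_OFF:CERT_OFF + 4] = b"CERT"                     # stand-in PKCS#7 blob
    return bytes(pe)

def authenticode_digest(pe: bytes) -> str:
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    checksum_off = opt + 64
    cert_dir_off = opt + (128 if magic == 0x10B else 144)   # PE32 vs PE32+
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)
    h = hashlib.sha256()
    h.update(pe[:checksum_off])                     # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_dir_off])     # ...skipping CheckSum
    h.update(pe[cert_dir_off + 8:size_of_headers])  # ...skipping cert dir entry
    # Sections are hashed in order of PointerToRawData, as the spec requires.
    secs = sorted(struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)[::-1]
                  for i in range(nsec))
    end = size_of_headers
    for raw_ptr, raw_size in secs:
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    h.update(pe[end:cert_off] + pe[cert_off + cert_size:])  # trailing data, not the cert
    return h.hexdigest()
```

Flipping a byte of the section (the “executable code”) changes the digest the signature was computed over, so the signature no longer verifies; flipping a byte of the CheckSum or of the certificate blob does not, which is exactly why those regions are where a checker must not look for assurance.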

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow


Responses

  1. [...] ChainMailCheck: “Undetectable Virus Plays a Cool Hand” http://chainmailcheck.wordpress.com/2011/08/07/undetectable-virus-plays-a-cool-hand/  [...]

  2. [...] next » Urban Myth in the Making by David Harley Senior Research Fellow August 7, 2011 at 12:11 pm I picked up a post today at bleepingcomputer.com about the “botnet 4.0 undetectable virus”. Well, you can probably guess what I think about the idea of an undetectable virus, and if not (and you actually care what I think about anything!) you can check out my blog Undetectable Virus Plays a Cool Hand. [...]
