Inside Indestructible Botnet, Security Experts See Flaws

Published: 22/11/2024   Category: security




The huge TDL4 botnet has snared 4.5 million PCs, as the malware creators pay handsomely for results. But experts say it's sneaky, not unstoppable.



According to a new analysis of the TDL4 (aka TDSS) botnet, written by Sergey Golovanov and Igor Soumenkov of Kaspersky Labs and posted on the company's blog, the latest version of the botnet, which debuted in December 2010, now appears to be sold via affiliates, who earn between $20 and $200 for every 1,000 installations of TDL on victims' PCs.
"Affiliates can use any installation method they choose," they said. "Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services." That's a change from before, when the botnet's owners--or members of their own criminal gang--likely infected PCs themselves, rather than farming out the task to others.
How much money could operators of this type of botnet stand to clear? "Nearly one-third of all infected computers are in the United States," said the Kaspersky researchers. "Going on the prices quoted by affiliate programs, this number of infected computers in the U.S. is worth $250,000, a sum which presumably made its way to the creators of TDSS."
Interestingly, the change in business model appeared to have occurred after the authors of the previous version of the botnet, TDL3, sold their source code to someone else. "In December, when analyzing a TDSS sample, we discovered something odd: a TDL3 encrypted disk contained modules of another malicious program, Shiz," said Golovanov and Soumenkov. "At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of Shiz, but used TDL3."
"The changes that had been made to the TDL3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL3 source code to cybercriminals who had previously been engaged in the development of Shiz malware," Golovanov and Soumenkov said.
Shiz, which is very similar to malware known as Rohimafo, is a Trojan application able to open a back door to a PC and steal information.
In other words, the creators of Shiz appear to have put their crimeware-creating smarts to work on a new version of TDL4. "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," said the Kaspersky researchers. "The owners of TDL are essentially trying to create an indestructible botnet that is protected against attacks, competitors, and antivirus companies."
While the prospect of an unstoppable piece of malware able to turn unsuspecting PCs into zombies may raise alarms, don't panic, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Is any malware truly indestructible? Of course not," he said.
Still, beware. "The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can't buy the TDL source code to use with your own malware. It's closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service," he said.
Furthermore, the most recent version of TDL is particularly sneaky, because "it can hide files in a secret, encrypted partition at the end of your hard disk, and launch those files before Windows starts," he said.
But as with any malware, TDL4 eventually gives itself away. For example, in an enterprise setting, Kaspersky Labs said that one way to detect the malware is to watch for any PCs or servers sending outbound DNS requests to resolve server domains, since an HTTP or HTTPS proxy would typically handle domain name lookup requests.
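The detection idea above (endpoints behind a web proxy should not need to resolve names themselves) can be expressed as a simple check over firewall or flow logs. This is an added example, not code from the article or from Kaspersky; the addresses, the allowlist of hosts permitted to send DNS (the proxy and the internal resolver), and the log lines are all constructed assumptions.

```python
"""Flag internal hosts doing their own DNS lookups in a proxy-only network.

Constructed example (not from the article). Assumes only the HTTP/HTTPS
proxy (10.0.0.8) and the internal resolver (10.0.0.53) may send DNS; every
other host is expected to reach the Internet only through the proxy.
"""
import ipaddress
from collections import defaultdict

# Hosts allowed to originate DNS traffic (assumed addresses).
DNS_ALLOWED_SOURCES = {"10.0.0.8", "10.0.0.53"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall/flow log lines: timestamp src dst dport proto
SAMPLE_LOG = """\
2011-07-01T10:00:01 10.0.0.8 10.0.0.53 53 udp
2011-07-01T10:00:02 10.0.1.15 10.0.0.8 3128 tcp
2011-07-01T10:00:03 10.0.1.22 10.0.0.53 53 udp
2011-07-01T10:00:04 10.0.1.22 203.0.113.9 53 udp
2011-07-01T10:00:05 10.0.1.22 198.51.100.7 53 udp
2011-07-01T10:00:06 10.0.1.30 10.0.0.8 3128 tcp
2011-07-01T10:00:07 10.0.0.53 198.51.100.1 53 udp
"""

def is_internal(ip):
    """True if the address falls in one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_dns_offenders(log_text):
    """Return {src_ip: {"internal": n, "external": n}} for internal hosts
    that are not allowed to resolve names but sent traffic to port 53.
    Queries to external resolvers are counted separately: they bypass the
    corporate resolver as well as the proxy and deserve a closer look."""
    findings = defaultdict(lambda: {"internal": 0, "external": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, dst, dport, _proto = fields
        if dport != "53" or src in DNS_ALLOWED_SOURCES or not is_internal(src):
            continue  # not DNS, an allowed resolver, or inbound traffic
        findings[src]["internal" if is_internal(dst) else "external"] += 1
    return dict(findings)

if __name__ == "__main__":
    for host, c in sorted(find_dns_offenders(SAMPLE_LOG).items()):
        print(f"{host}: {c['internal']} lookups via internal resolver, "
              f"{c['external']} to external resolvers")
```

With the sample log, only 10.0.1.22 is reported: one query to the internal resolver and two to external resolvers, while the proxy and resolver themselves are ignored.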
Even so, as cutting-edge botnets such as TDL4 continue to improve, it's yet another reason to protect computers with modern antivirus software, including anti-malware engines, that can block and eradicate these rootkits.
