According to Russian security experts at Kaspersky Labs, a botnet known as “TDL-4” has emerged as one of the most resilient, tenacious, and potentially dangerous botnets in existence. In a post on Kaspersky’s Securelist website, researchers Sergey Golovanov and Igor Soumenkov write that they believe the creators of TDL-4 are attempting to build an “indestructible” botnet.
Botnets are networks of computers that are infected with malware. The creators of the botnet can then collectively leverage the malware installed on all those PCs – sometimes called “Zombie PCs” – to initiate large-scale distributed denial of service (DDoS) attacks to take down targeted websites, or use the infected PCs to gain access to other computers and networks. All of these activities can take place without the knowledge of the legitimate users of the computers included in the botnet.
The creators of TDL-4 have also leveraged a traditional business model for helping accelerate the creation and expansion of their botnet: an affiliate program. This program gives botnet enablers “between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”
According to Golovanov and Soumenkov, TDL-4 uses malware known as TDSS to remove and neutralize competing malware and malicious programs on an infected machine, much like traditional anti-virus or anti-malware software would. The goal here isn’t a benevolent one, but rather an attempt to stop any competing programs from disrupting the actions of the botnet creators:
TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them. This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.
Golovanov and Soumenkov go into exacting technical detail about how TDL-4 works and what new features it offers over previous variants. Much like a professional software development organization, the creators of TDL-4 are continually refining and improving their code in an attempt to bypass and hide from security software, all while advancing the goals of the botnet creators. This aggressive, ongoing iteration has produced some very sophisticated malware and botnet techniques, which the Kaspersky researchers point out in their post:
The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.
It’s a sobering thought for IT administrators and security professionals tasked with keeping their networks and PCs safe, secure, and malware-free. It also puts further emphasis on the need for everyone who has access to a PC to make sure their PCs are updated with the latest anti-virus and anti-malware software, protected with good passwords, and used by people (and administrators) with a robust knowledge of IT security issues.
Feel free to add a comment to this blog post or start up a discussion on Twitter.
Follow Jeff James on Twitter at @jeffjames3
Follow Windows IT Pro on Twitter at @windowsitpro