
There's A Botnet Called TDL-4 That's Virtually Indestructible

TDSS is a trojan that infects computers and installs the TDL-4 program, which makes the infected computer part of a botnet 4.5 million machines strong. TDL-4 is extremely difficult to detect and eliminate. One expert at Kaspersky Labs says TDL-4 is “practically indestructible”.

What’s the magic behind TDL-4? It’s a combination of two things. The first, according to Kaspersky Labs, is that it’s installed as a bootkit outside of your operating system, making it hard to detect:

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.
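The quoted passage describes the bootkit technique: the malware overwrites the Master Boot Record (MBR) so its code runs before the operating system. A defender's counterpart is to baseline the MBR and compare it later. The following is an added example, not code from the article or from Kaspersky; the MBR bytes it parses are constructed in the script (the boot-code bytes, disk signature and partition entry are made-up test data), and the baseline hash is simply computed from that constructed clean sector.

```python
"""Added example: baseline-and-compare check of a 512-byte MBR.

A bootkit replaces the boot code in the first sector of the disk. Hashing
that boot code and comparing it to a known-good baseline surfaces such a
change. The sample sectors below are constructed test data, not real disks.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for the demonstration (not a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"          # bytes 440..445 (constructed value)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)        # one active NTFS-type partition
    table = entry + b"\x00" * 48                                      # three unused entries
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed "clean" sector and the baseline taken from it.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed sector whose boot code has been replaced (same partition table).
TAMPERED_MBR = build_sample_mbr(b"\xeb\x1e" + b"\x90" * 10)

if __name__ == "__main__":
    # On a real system the sector would come from e.g. open("/dev/sda", "rb").read(512)
    # on Linux or r"\\.\PhysicalDrive0" on Windows, with administrative rights.
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

Two practical points follow from the article itself. The baseline has to be captured while the machine is known to be clean, and the comparison is only trustworthy when the sector is read from outside the suspect operating system (for instance after booting trusted media), because a rootkit that hides itself from security software, as the quote says TDL does, can also feed a clean-looking sector to any reader running under the infected OS.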

The second aspect, according to Computer World, is TDL-4's ability to use the public KAD p2p network while keeping servers encrypted and anonymous.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.”

TDL-4 infected those 4.5 million computers in the first three months of 2011 alone, which means that it’s extremely effective. And while the effects on your own machine might be minimal, your computer could be used to carry out DDoS attacks and the like. Beware. [SecureLabs via ComputerWorld via Slashdot]