
TDL-4 detects and disables other malware to hide itself

Over the last year there have been a number of high-profile takedowns of botnets. Those takedowns led to a significant reduction in the amount of spam reaching users' inboxes.

Security researchers are now describing a new botnet called TDL-4 that they say is virtually indestructible. Its designers used several ingenious methods to ensure that the network is not as easy to take offline as previous botnets were.

Security researcher Sergey Golovanov of Kaspersky Lab said in a report on the TDL-4 botnet that it is "[TDL-4 is] the most sophisticated threat today." Joe Stewart, a malware researcher at Dell SecureWorks, said, "I wouldn't say it's [TDL-4] perfectly indestructible, but it is pretty much indestructible. It does a very good job of maintaining itself."

Several factors work together to make TDL-4 so robust. One is that the malware infects the master boot record (MBR) of the hard drive it resides on. The MBR is the first sector of the disk read when the computer starts, so the rootkit installed there runs before Windows itself loads. Loading first lets it conceal its presence from the operating system and from any security software running inside it.
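Because the rootkit sits in the boot sector rather than in a file, the practical check is to read sector 0 and compare it against a copy taken when the machine was known to be clean. The script below is an added example, not code from the article or from any TDL-4 analysis: it parses a 512-byte MBR, verifies the 0x55AA boot signature, lists the primary partition entries, and compares a SHA-256 of the 446 bytes of boot code against a stored baseline. Both sample sectors are constructed here for the demonstration; the device paths in `read_mbr` are the usual ones and are not taken from the article.

```python
"""Offline MBR integrity check (added example, not code from the article).

Parses a 512-byte master boot record, verifies the 0x55AA boot signature,
lists the primary partition entries, and compares a hash of the boot code
against a baseline taken when the machine was known to be clean. Both
sectors below are constructed for the demonstration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIG_OFF = 510       # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, SHA-256 of the boot code and the used partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0]
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 means an empty slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sig == 0xAA55,       # 0x55,0xAA read as little-endian
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing or corrupt")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device (needs root/admin), e.g. /dev/sda or \\\\.\\PhysicalDrive0."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def _build_sector(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed "known good" sector: the usual opening instructions of a Windows MBR.
CLEAN_MBR = _build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed tampered sector: same partition table, boot code replaced by a jump elsewhere.
TAMPERED_MBR = _build_sector(b"\xe9\x00\x01")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256) or ["ok"])
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

The caveat follows directly from the paragraph above: a rootkit that loads before the OS can filter disk reads issued from inside that OS and hand back a clean-looking sector, so the read should be taken after booting from trusted media (a rescue disk or another system with the drive attached), and the baseline hash stored off the machine.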

What makes the botnet even more robust is the way the command-and-control (C&C) servers communicate with infected computers. TDL-4 uses a public peer-to-peer network, the Kad P2P network, as one of the two channels between infected machines and the C&C servers.

Kaspersky researcher Roel Schouwenberg wrote in an email to Computerworld, "The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet. The TDL guys are doing their utmost not to become the next gang to lose their botnet."

The group behind the botnet also uses its own encryption algorithm for C&C traffic, with the domain names of the C&C servers serving as the encryption keys. A key derived from a domain name gives no secrecy against anyone who watches the bot resolve that name, so this mainly keeps the traffic away from content inspection; it is the use of the public peer-to-peer network that makes the botnet robust and helps keep the TDL-4 network online.
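The following is an added example, not TDL-4's actual cipher, which the article does not describe. It uses a stand-in stream cipher (SHA-256 of the hostname as the key, hash-counter blocks as keystream) to show the consequence of keying on the C&C domain: the bot and the analyst derive the same key from the same public input, so a packet capture that includes the DNS lookup is enough to recover every beacon. The domain and beacon bytes are constructed for the example.

```python
"""Why a key derived from the C&C domain name protects nothing from an observer.

Added example; the stream cipher and key derivation are stand-ins chosen for
illustration, not the scheme TDL-4 used. The "analyst" side recovers the
plaintext using only the domain name seen in the bot's DNS query.
"""
import hashlib


def derive_key(domain: str) -> bytes:
    """Stand-in key derivation: the key is a function of the public domain name alone."""
    return hashlib.sha256(domain.lower().encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream made of SHA-256(key || counter) blocks; illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bot_encrypt(domain: str, beacon: bytes) -> bytes:
    """Bot side: encrypt the beacon under a key derived from its current C&C domain."""
    return xor_bytes(beacon, keystream(derive_key(domain), len(beacon)))


def analyst_decrypt(observed_domain: str, captured: bytes) -> bytes:
    """Analyst side: the DNS query in the capture hands over the only key material."""
    return xor_bytes(captured, keystream(derive_key(observed_domain), len(captured)))


# Constructed sample traffic (hypothetical domain and beacon, not from the article).
CNC_DOMAIN = "cnc.example.net"
BEACON = b"bot_id=0001&os=win7&task=get_cmd"
CAPTURED = bot_encrypt(CNC_DOMAIN, BEACON)


def demo() -> dict:
    """Round trip as the analyst sees it, plus what a wrong domain yields."""
    return {
        "ciphertext_hex": CAPTURED.hex(),
        "recovered": analyst_decrypt(CNC_DOMAIN, CAPTURED),
        "wrong_domain": analyst_decrypt("other.example.org", CAPTURED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value}")
```

When the operators push a new C&C list over the P2P channel, the key changes with the domain, but the next capture that shows the bot resolving the new name hands the analyst the new key just the same. The channel's resilience comes from the second, peer-to-peer path for list updates, not from the encryption.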

Schouwenberg said, "Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network. The fact that TDL has two separate channels for communications will make any take-down very, very tough."

So far the TDL-4 botnet has been highly effective, with an estimated 4.5 million Windows computers currently infected. Stewart said, "The 4.5 million is not surprising at all. It [TDL-4] might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."

Another key to TDL-4's longevity is that it finds and disables other malware on the computer. The less a user notices of any infection, the less likely they are to investigate further and potentially discover TDL-4 on the machine.

Golovanov said, "TDL-4 doesn't delete itself following installation of other malware. At any time [it] can ... delete malware it has downloaded."

Comments

By Cerin218 on 6/30/2011 11:58:05 AM , Rating: -1
WHAT!! But the Windows Operating system is a PARAGON of security!! How could this happen? I mean User Account Control was an AWESOME new feature. The way it has prevented all the new malware like Antivirus 2009 and Windows Recovery 2011 from infecting people's machines, umm... oh wait, it hasn't. It's like a screen door on a submarine.

Keep building a crap operating system, and people will keep doing things like this with it. Funny after nearly 20 YEARS of making operating systems Microsoft can't manage to close their security holes. And as newer generations don't bother to learn how to protect their computers, we will just keep seeing this.

By themaster08 on 6/30/2011 12:06:40 PM , Rating: 5
Funny after nearly 20 YEARS of making operating systems Microsoft can't manage to close their security holes.
There's only one type of hole that Microsoft cannot patch. Assholes that willingly install just about anything on their systems with no consideration of the consequences.

By Ramstark on 6/30/2011 12:14:03 PM , Rating: 2
+5 to you sir. Working in IT lets you have a wider view of this issue. 95% of infection cases are the result of the user clicking on something he/she did not even know what it is...

By corduroygt on 6/30/2011 1:09:48 PM , Rating: 2
And the only thing to prevent that is the app-store model where every app would have to be approved by Microsoft before it could be installed.

By corduroygt on 6/30/2011 4:29:55 PM , Rating: 2
That's impossible unless you turned off UAC.

By themaster08 on 7/1/2011 2:15:39 AM , Rating: 2
And an effective firewall solution, and possibly even malware already on the system.

By MrBlastman on 6/30/2011 12:31:17 PM , Rating: 3
Stop being delusional.

There is no such thing as perfect computer security (unless you use an air-gap but even that can be circumvented as Private Manning showed us). No such thing at all.

The only reason Microsoft Operating systems keep being compromised is because they are so widely installed. They are a prime target due to so many people using them.

Since you seem to know everything there is to know about computer security--answer me this: What operating system do YOU use?

Additionally, as a previous poster mentioned--the biggest problem with Microsoft's operating systems is essentially a PEBKAC error...

Defense never, ever wins a war. Only a good Offense does.

By StevoLincolnite on 6/30/2011 12:39:50 PM , Rating: 2
Defense never, ever wins a war. Only a good Offense does.

Offense isn't always the answer... Look at the backlash Sony got after it stopped a hacker bringing back the OS Sony removed.

Microsoft's strategy is a bit more sound... It acquires its enemy and gets them to work for the swarm (Too much StarCraft, ugh.) with hardly a noise.

By MrBlastman on 6/30/2011 1:06:25 PM , Rating: 2
I wouldn't consider the hacker that Sony went after a threat to them at all nor a malicious individual--unlike TDL-4. What Sony did I would consider a complete blunder of judgement.

Oh, and since you play StarCraft (hopefully the original as StarCraft 2 is too simple and lacks depth), I'm sure you'll agree that if you don't expand (and your initial rush fails) you have little chance of winning. You have to be offensive to expand to other mineral patches.

About the only RTS I've played where you could turtle up in your base is Supreme Commander--and even in that, you had to reach critical mass (power and mass output)--at which point in time you could build T3 Artillery (nukes are for wimps) and shell people into oblivion. The act of shelling them though, would then move you to an offensive position. You'd eventually have to occupy their territory by ground or send in air units to wipe out the stragglers.

By MrBlastman on 6/30/2011 1:08:33 PM , Rating: 2
Heck, even in Chess it is a wasted move if you fail to implicate pressure upon your opponent indirectly (not necessarily an immediately adjacent piece) with that move coupled with even worse consequences to them if they were to counter directly.

By Hyperion1400 on 6/30/2011 2:18:35 PM , Rating: 2
Actually, if you do it right, nukes are the best offensive weapon.

The gameplay of Supcom is essentially Keynesian Economics. The object is to expand your economy quicker than the other person and then outproduce them. That is why I would always go Aeon.

Their shields are nearly invisible, so you can layer them without making it readily apparent, which causes your opponents to throw themselves onto your defenses. And, they have the best econ in the game. Once you hit T3, turn out 10 or so engis, then immediately make a quantum teleporter. Then, you start churning out subcommanders and upgrade them with the Engi and Resource Generation packs. The result is a self sustaining army of T4 engis and a strat that can make a nuke in less than 45 min if done right.

The best part is they don't even see it coming! It is an unparalleled joy to watch them scramble to get a T3 Strategic Missile Defense online while you cackle maniacally at their futile efforts!

By MrBlastman on 6/30/2011 3:37:24 PM , Rating: 2
Yes, yes exactly why I love Supcom. It was so strategic instead of a clickfest. You can really out-think your opponent in it and win.

I prefer vanilla Supcom over Forged Alliance Supcom though. In FA, they broke the economic part of the game and really kinked it. In FA you essentially can turtle up and drop nukes. In vanilla, you could reach an elegant critical mass that would enable you to amass an army of subcommanders (producing power and mass) and then use them to both build an anti-nuke silo and then fastbuild an anti-nuke inside it all in the time it took your opponent's nuke to launch from their base and get to yours--thus thwarting their efforts.

FA fixed that. It really cramped the mid to late game flexibility that vanilla excels in. I still to this day wonder why they did this but then, after seeing the abomination that SupCom 2 is, I didn't have to wonder anymore. Chris Roberts was slowly reverting back to his TA: Kingdoms nightmarish gameplay based on simplicity rather than the beautiful complexity that regular SupCom is.

Man, I wish people would still play vanilla online these days. Those six to nine months that people played it when it came out before FA was released was awesome. I miss SupCom. :(

Oh, and I played nothing but Cybran at the time. Stealth fighters ruled. I guess Cybran fits me though--they're weak on defense and are masters of the swarm. Their T3 arty had a nice area-effect to it though.

By Hyperion1400 on 6/30/2011 11:24:50 PM , Rating: 2
Yeeaahhh, but the Spider Tank can't touch the Colossus!

Actually, there is a way to break anti-nuke defenses that I would use against my friends and never tell them about.

If you make 3 nuke silos, and bind them to a ctrl group so you can select them at will, you can make them fire at the same time. This, as it turns out, breaks the anti-nuke AI. All silos within range of the triple nuke, no matter how many, will all target the exact same missile! They can kill the first two, but they just don't have the fire rate to take out the third >:)


But yeah, I hated FA so much when it came out; and then Supcom 2 was just such an abortion. If there will be a new Supcom, I hope they stick with the vanilla econ, expand the number of unit types and gameplay possibilities (T5 anyone!), and add some serious multi-threading support so we can get some 10k vs 10k battles going!

By Smilin on 6/30/2011 2:05:19 PM , Rating: 2
I think he meant "effective offense". Sony's attempt at taking down a single individual did *nothing*

By JakLee on 6/30/2011 4:15:47 PM , Rating: 3
Microsoft's strategy is a bit more sound... It acquires its enemy and gets them to work for the swarm (Too much StarCraft, ugh.) with hardly a noise.

Actually...... if you go back a few years to a competitor to StarCraft: Age of Empires. In the first one your priests could convert enemy units and buildings to be on your side....

Man I love church of microsoft in that game!

By MrBlastman on 6/30/2011 1:49:56 PM , Rating: 2
You failed to answer my question. Own up and answer it. What operating system do YOU use?

By themaster08 on 7/1/2011 2:18:23 AM , Rating: 1
Mac OS X contains KNOWN exploits. Safari anyone?

By RedemptionAD on 6/30/2011 12:45:51 PM , Rating: 2
You can't fix stupid. ID10T errors are unstoppable. Just like most problems origins are between the chair and the keyboard. No OS or protection can stop that.

By AmbroseAthan on 6/30/2011 2:08:55 PM , Rating: 2
"A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." -Douglas Adams

By RedemptionAD on 6/30/2011 2:28:38 PM , Rating: 2
Make it idiot proof and someone will build a better idiot. -Shirt at Microcenter

By RedemptionAD on 6/30/2011 2:09:29 PM , Rating: 4
That doesn't stop family and friends driving you crazy with phone calls when they refuse to learn anything on their own. If I secure it, I get calls of why it stopped their download and I tell them it was a virus and they say "But I want my download."

By chagrinnin on 6/30/2011 4:28:20 PM , Rating: 3
Apple already did that.

By bigdawg1988 on 6/30/2011 1:38:05 PM , Rating: 2
No OS or protection can stop that.

At least not until it becomes self-aware.... hee

By Smilin on 6/30/2011 2:03:30 PM , Rating: 4
Name me one modern OS that has NO security vulnerabilities and then we'll sit down together, have a beer, and gripe about Windows.

Until then STFU and go educate yourself, Troll.


Copyright 2016 DailyTech LLC.