Over the last year there have been a number of high-profile takedowns
of botnets. These takedowns led to a significant reduction in the amount
of spam that computer users see in their inboxes.
Security researchers are now talking about a botnet called TDL-4, which
they describe as virtually indestructible. Its designers used some
ingenious methods to ensure that their network is not as easy to take
offline as previous botnets were.
Security researcher Sergey Golovanov of Kaspersky Lab said in a report on the
TDL-4 botnet that "[TDL-4 is] the most sophisticated threat today." Joe
Stewart, a malware researcher at Dell SecureWorks, said, "I wouldn't
say it's [TDL-4] perfectly indestructible, but it is pretty much indestructible.
It does a very good job of maintaining itself."
Several factors work together to make TDL-4 so robust. One is that the
malware infects the master boot record (MBR) of the hard drive it resides on.
The MBR is the first sector read when a computer starts, so the rootkit's
loader runs before the operating system does. Code that runs that early can
hook the OS as it boots and hide the rootkit's boot code and files from the
OS and from security software running on top of it, which is what makes the
rootkit effectively invisible.
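The check a responder would actually run against that claim, as an added example (this is not code from the article or from any of the researchers it quotes): read sector 0 from the disk as the running OS exposes it, parse the boot code and partition table, and compare the boot-code hash against a baseline captured from a clean install. The device paths, the sample sector bytes and the baseline hash below are constructed for the demo.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # classic MBR: bytes 0..439 hold the boot loader code
DISK_SIG_OFF = 440      # 4-byte disk signature used by Windows
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # bytes 510..511 must be 0x55 0xAA
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # unused entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_boot_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_boot_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw block device; needs root/admin.
    Paths are assumptions, adjust for your host: /dev/sda on Linux,
    the PhysicalDrive0 device on Windows."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for this demo; it is not an image of any real disk."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    # one bootable NTFS (type 0x07) partition at LBA 2048, 4194304 sectors (2 GiB)
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 4194304)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample data: a "clean" sector whose boot-code hash becomes the baseline,
# and a "modified" sector with the same partition table but a replaced loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
MODIFIED_MBR = build_sample_mbr(b"\xeb\x58\x90" + b"\xcc" * 32)

if __name__ == "__main__":
    print("clean:   ", check_against_baseline(CLEAN_MBR, CLEAN_BASELINE))
    print("modified:", check_against_baseline(MODIFIED_MBR, CLEAN_BASELINE))
```

On a live host, run it with elevated rights and pass read_mbr("/dev/sda") (or the equivalent raw device) to check_against_baseline. The caveat that matters for this family: a rootkit that filters disk I/O below the filesystem can hand back the original, clean sector to a read issued from the running OS, so a match from inside the infected system is only a baseline, not proof of a clean boot sector. The authoritative read is taken with the disk attached to a system booted from known-clean media, and the two hashes compared.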
What makes the botnet even more robust is the way the command and control
(C&C) servers communicate with infected computers. TDL-4 uses a public
peer-to-peer network, the Kad P2P network, as one of the two channels between
infected machines and the C&C servers.
Kaspersky researcher Roel Schouwenberg wrote in an email to Computerworld, "The way peer-to-peer is used for TDL-4 will
make it extremely hard to take down this botnet. The TDL guys are doing their
utmost not to become the next gang to lose their botnet."
The hackers behind the botnet also use their own encryption algorithm, with
the domain names of the C&C servers serving as the encryption keys. The use
of a public P2P network as a second channel is what keeps the TDL-4 network
online when its regular C&C servers are taken down.
Schouwenberg said, "Any attempt to take down the regular C&Cs can
effectively be circumvented by the TDL group by updating the list of C&Cs
through the P2P network. The fact that TDL has two separate channels for
communications will make any take-down very, very tough."
So far, the TDL-4 botnet has been very effective, with an estimated 4.5 million
Windows computers currently infected. Stewart said, "The 4.5 million is
not surprising at all. It [TDL-4] might not have as high an infection rate as
other botnets, but its longevity means that as long as they can keep infecting
computers and the discovery rate is small, they'll keep growing it."
Another key to the longevity of the TDL-4 malware is that it finds and
disables other malware on the computer. The reasoning is that the less likely
the user is to notice any infection on their computer, the less likely they
are to investigate further and potentially discover the TDL-4 malware on the
Golovanov said, "TDL-4 doesn't delete itself following installation of
other malware. At any time [it] can ... delete malware it has downloaded."
quote: One of the factors is that the malware infects the master boot record of the computers HDD it resides on. This is the first sector of the hard drive read when a computer starts and the malware rootkit is installed there. That makes the rootkit invisible to security software and the OS.
quote: Agreed. How can a program executed from an OS be written to a place "invisible" to the OS? If the MBR were some mysterious "invisible" place to the OS, then it could not be written to in the first place. It may be the first place that is read from, but the OS definitely has visibility to it.
quote: This particular one can't be disabled en masse like some in the past.