
TDL-4 detects and disables other malware to hide itself

Over the last year there have been a number of high-profile botnet takedowns, and those takedowns led to a significant drop in the amount of spam reaching users' inboxes.

Security researchers are now describing a new botnet called TDL-4 as virtually indestructible. Its designers used several ingenious methods to make sure their network is not as easy to take offline as earlier botnets were.

Security researcher Sergey Golovanov of Kaspersky Lab said in a report on the TDL-4 botnet, "[TDL-4 is] the most sophisticated threat today." Joe Stewart, a malware researcher at Dell SecureWorks, said, "I wouldn't say it's [TDL-4] perfectly indestructible, but it is pretty much indestructible. It does a very good job of maintaining itself."

Several factors work together to make TDL-4 so robust. One is that the malware infects the master boot record (MBR) of the hard drive it resides on. The MBR is the first sector the machine reads when it starts, so the rootkit's loader runs before Windows and before any security software, and can install itself underneath the operating system. From inside the running system the rootkit is effectively invisible to both the OS and security tools.
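One practical check that follows from this is an MBR integrity comparison. The example below is added here and is not code from the article or from the TDL-4 authors; it parses a 512-byte MBR, hashes the 440-byte boot-code region and compares it with a baseline hash. The sample sectors, the baseline hash and the partition layout are constructed for the example.

```python
"""Parse a 512-byte MBR and flag signs of boot-code tampering.

Added example, not code from the article or from TDL-4. A bootkit that
overwrites sector 0 normally leaves the partition table and the 0x55AA
signature intact so the machine still boots; what changes is the boot
code in bytes 0..439. Hashing that region against a known-good baseline
is therefore a usable tamper check.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440      # bytes 440..443 hold the Windows disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:          # empty entry
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code plus one bootable NTFS-type partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)       # assumed disk signature
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed "clean" sector and the baseline taken from it at build time.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed "infected" sector: same partition table, different boot code.
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 200)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH))
```

On a real machine the sector comes from `dd if=/dev/sda bs=512 count=1` (Linux, as root) or from opening `\\.\PhysicalDrive0` on Windows. The caveat matters more than the code: a rootkit that is already running can intercept reads of sector 0 and hand back a clean copy, so the comparison is only trustworthy when the disk is read from a clean boot medium rather than from the suspect system itself.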

What makes the botnet even more robust is the way its command and control (C&C) servers communicate with infected computers. TDL-4 uses a public peer-to-peer network, the Kad network, as one of the two channels between infected machines and the C&C servers.

Kaspersky researcher Roel Schouwenberg wrote in an email to Computerworld, "The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet. The TDL guys are doing their utmost not to become the next gang to lose their botnet."

The group behind the botnet also uses its own encryption algorithm for this traffic, with the domain names of the C&C servers serving as the encryption keys. Since the domain names are not secret, that arrangement gives obfuscation rather than real confidentiality: once the algorithm has been reverse engineered, anyone who knows the domain can derive the key. It is the use of a public P2P network, not the cipher, that keeps the TDL-4 network online.

Schouwenberg added, "Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network. The fact that TDL has two separate channels for communications will make any take-down very, very tough."
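The takedown logic Schouwenberg describes, and the domain-name-as-key point above, can be made concrete with a small model. The following is an added example, not TDL-4's code and not a description of its real protocol: the rendezvous procedure, the record format, the SHA-256-based keystream standing in for the undisclosed cipher, and the domain names and addresses are all assumptions made for the illustration.

```python
"""Toy model of a bot with a direct C&C channel and a P2P fallback.

Added example, not TDL-4 code. It shows two things the article states:
(1) seizing the C&C domains alone does not cut control, because the bot
pulls a fresh domain list over the second (P2P) channel; and (2) a record
"encrypted" with a key derived from a C&C domain name can be opened by
anyone who knows the domain. The cipher here (XOR with a SHA-256 keystream)
is a stand-in for the real, undisclosed algorithm; only the key=domain
property is being demonstrated.
"""
import hashlib
import json
from typing import Callable, List, Optional, Tuple


def keystream(domain: str, length: int) -> bytes:
    """Assumed keystream: SHA-256 of the domain name plus a counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(domain.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(record: dict, domain: str) -> bytes:
    """Obfuscate a JSON record under the domain-derived keystream."""
    plain = json.dumps(record, sort_keys=True).encode()
    return bytes(a ^ b for a, b in zip(plain, keystream(domain, len(plain))))


def open_record(blob: bytes, domain: str) -> dict:
    """Anyone holding the domain name can reverse seal(); this is the defender's view too."""
    plain = bytes(a ^ b for a, b in zip(blob, keystream(domain, len(blob))))
    return json.loads(plain)


def rendezvous(cc_domains: List[str],
               resolve: Callable[[str], Optional[str]],
               p2p_fetch: Callable[[], Optional[bytes]],
               key_domain: str) -> Tuple[str, Optional[str], List[str]]:
    """Try the stored C&C list first; on total failure, rebuild it from the P2P channel.

    Returns (channel_used, reachable_domain, current_list).
    """
    for d in cc_domains:
        if resolve(d) is not None:
            return ("direct", d, list(cc_domains))
    blob = p2p_fetch()
    if blob is None:                       # P2P channel also unavailable
        return ("none", None, list(cc_domains))
    updated = open_record(blob, key_domain)["cc"]
    for d in updated:
        if resolve(d) is not None:
            return ("p2p", d, updated)
    return ("none", None, updated)


# Constructed scenario data (documentation/TEST-NET addresses, not real infrastructure).
ORIGINAL_CC = ["cc1.example", "cc2.example"]
FRESH_CC = ["cc3.example", "cc4.example"]
KEY_DOMAIN = "cc1.example"                 # assumption: first C&C domain keys the record
LIVE = {"cc1.example": "192.0.2.10", "cc2.example": "192.0.2.11",
        "cc3.example": "198.51.100.5", "cc4.example": "198.51.100.6"}


def scenario(seized: set, p2p_up: bool) -> Tuple[str, Optional[str], List[str]]:
    """Run one takedown scenario: `seized` domains no longer resolve; P2P may be up or down."""
    def resolve(d: str) -> Optional[str]:
        return None if d in seized else LIVE.get(d)
    fresh_blob = seal({"cc": FRESH_CC, "seq": 2}, KEY_DOMAIN)

    def p2p_fetch() -> Optional[bytes]:
        return fresh_blob if p2p_up else None
    return rendezvous(ORIGINAL_CC, resolve, p2p_fetch, KEY_DOMAIN)


if __name__ == "__main__":
    print("no takedown:            ", scenario(set(), True))
    print("domains seized, P2P up: ", scenario(set(ORIGINAL_CC), True))
    print("domains seized, P2P down:", scenario(set(ORIGINAL_CC), False))
    print("everything seized:      ", scenario(set(LIVE), True))
```

The second scenario is the one the quote is about: with both original domains sinkholed, the bot still reaches a controller through the list it pulled from the P2P channel. Only cutting both channels, or seizing the replacement domains as well, leaves it with nowhere to go, and `open_record` shows why the custom cipher does not hinder a defender who already knows the domain name.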

So far the TDL-4 botnet has been highly successful, with an estimated 4.5 million Windows computers currently infected. Stewart said, "The 4.5 million is not surprising at all. It [TDL-4] might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."

Another key to the longevity of TDL-4 is that it finds and disables other malware on the computer. The reasoning is straightforward: the fewer symptoms a user sees, the less likely they are to investigate and potentially discover TDL-4 on the machine.

Golovanov said, "TDL-4 doesn't delete itself following installation of other malware. At any time [it] can ... delete malware it has downloaded."


RE: Wow
By Gondor on 7/1/2011 5:36:14 AM , Rating: 2
GPU and printer control program (such as Catalyst) does not have to be 70+ MB in size. I am fairly confident that same application could be written in some more efficient language (C++, heck even Delphi) and fit into under 10 MB, majority of which would be taken by stupid splashscreens and other graphics that most users disable anyway if they can.

It's just a menu, a form, a handful of panels and a few other UI bits and pieces, for heaven's sake! Adjust a property and one line of code invokes the driver to update the setting.

I used to write drivers (mainly framebuffer drivers) for certain open-source OSes. When compiled into binary form (.o) they were roughly 10 KB (kilobytes) in size. The userspace program that could interface with them (via ioctl) was well under 100 KB (kilobytes again).

70+ MB (WTF !?) garbage collector for what should be a 2MB app, where UI elements are perfectly capable of freeing memory when their destructor is invoked on their own and where you've got approximately 0 need for other memory structures (apart from one to interface with the driver itself which is allocated upon startup and freed upon exit) ? Puhleeese, spare us the apologetic nonsense ... The fact is that today's "programmers" using "languages" such as C# for driver control programs are nothing but utter inepts who should be hanged, drawn and quartered for humanity's sake.

RE: Wow
By tygrus on 7/1/2011 8:07:32 AM , Rating: 2
The base driver is probably <10% of the total. I think most of the rest is code to replace game code and support older DirectX/OpenGL APIs.

RE: Wow
By bah12 on 7/1/2011 9:51:25 AM , Rating: 3
Ding, we have a winner. It is not the language that is the problem, it is all the other crap. Seriously, look at HP's crap: how much extra code is used to monitor ink levels and pop up a fancy screen complete with links to their site to buy them? I also don't need a stupid animation and voice for "printing started"..."printing complete". They think they are doing some BIG service to the user, but all they do is over-complicate crap.

Another sticking point is Dell WiFi drivers that don't just use the built-in Windows interface for connecting to a network. Why did we need another???

RE: Wow
By NellyFromMA on 7/1/2011 11:29:07 AM , Rating: 2
You're clearly assuming things about a technology you've chosen to hate without understanding. You know what they say about those who assume, don't you? ;)


Copyright 2016 DailyTech LLC.