
TDL-4 detects and disables other malware to hide itself

Over the last year there have been a number of high-profile botnet takedowns, and these takedowns led to a significant reduction in the amount of spam that computer users see in their inboxes.

Security researchers are now talking about a new botnet called TDL-4, which they describe as virtually indestructible. Its designers used some ingenious methods to ensure that the network is not as easy to take offline as previous botnets were.

Security researcher Sergey Golovanov of Kaspersky Lab said in a report on the TDL-4 botnet, "[TDL-4 is] the most sophisticated threat today." Joe Stewart, a malware researcher at Dell SecureWorks, said, "I wouldn't say it's [TDL-4] perfectly indestructible, but it is pretty much indestructible. It does a very good job of maintaining itself."

Several factors work together to make TDL-4 so robust. One is that the malware infects the master boot record (MBR) of the computer's hard drive. The MBR is the first sector of the drive read when the computer starts, and the rootkit installs itself there, so it is already running before the operating system and any security software load. That is what makes the rootkit invisible to both.
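Because a bootkit lives in the first 512 bytes of the disk, one practical defensive check is to parse the MBR and compare its boot-code region against a baseline taken from a known-clean system. The following is an added example written for this article, not code from the article or from any named vendor: it builds a constructed 512-byte sample MBR, parses the partition table and boot signature, and reports when the boot code no longer matches the baseline hash. The sample boot-stub bytes and partition geometry are made up for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): the given boot code,
    one bootable type-0x07 partition entry, and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 16 * 3
    return code + table + b"\x55\xaa"


def parse_mbr(data: bytes) -> dict:
    """Split a raw MBR into boot-code hash, partition entries and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = data[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FMT, data[off:off + 16])
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {
        "signature_ok": sig_ok,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr_against_baseline(current: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


# Constructed clean MBR (placeholder boot-stub bytes) and its baseline hash.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed copy whose boot code has been replaced.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print(check_mbr_against_baseline(CLEAN_MBR, BASELINE))     # []
    print(check_mbr_against_baseline(TAMPERED_MBR, BASELINE))  # ['boot code differs from baseline']
```

On a real machine the 512 bytes would come from the raw disk device (for example the first sector of `/dev/sda` on Linux, which needs root), and the baseline hash should be recorded when the system is known to be clean; a changed boot-code hash after a legitimate OS or bootloader update is expected, so the baseline must be refreshed at those points rather than treated as a permanent constant.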

What makes the botnet even more robust is the method it uses for communication between the command and control (C&C) servers and infected computers. TDL-4 uses a public peer-to-peer network, the Kad P2P network, for one of the two channels over which infected machines and the C&C servers talk to each other.

Kaspersky researcher Roel Schouwenberg wrote in an email to Computerworld, "The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet. The TDL guys are doing their utmost not to become the next gang to lose their botnet."

The hackers behind the botnet also use their own encryption algorithm, with the domain names of the C&C servers serving as the encryption keys. The use of a public network is the key to the botnet's robustness and helps ensure that the TDL-4 network stays online.

Schouwenberg said, "Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network. The fact that TDL has two separate channels for communications will make any take-down very, very tough."

So far, the TDL-4 botnet is very effective with an estimated 4.5 million Windows computers currently infected. Stewart said, "The 4.5 million is not surprising at all. It [TDL-4] might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."

Another key to the longevity of the TDL-4 malware is that it finds and disables other malware on the computer. The less likely a user is to notice any infection, the less likely they are to investigate further and potentially discover TDL-4 on the machine.

Golovanov said, "TDL-4 doesn't delete itself following installation of other malware. At any time [it] can ... delete malware it has downloaded."

Comments

RE: Wow
By EricMartello on 7/5/2011 5:31:38 PM , Rating: 2
Yes, really. And I'm not your "bro", thank you very much. In addition if you want benchmarks, go right ahead.


First off, you couldn't afford me, especially since you're not in a position to do so. Second, you doubt I'm not missing any deadlines ... because, why? because I told you I wasn't. Again, time is of the essence. Thirdly, I used to think mental capacity and C++ were the greatest. Then I grew up. Silver bullets don't interest me. Getting the job done does. Which usually means good tools and communication w/ co-workers. Let me be clear regarding the latter, if you require somebody to put down in order to feel good about yourself, rots o' ruck.

LOL if anyone is paying you more than $25K per year they're grossly overpaying, and I'm being generous with that $25K figure.

You're not missing deadlines because the moronic work you are hired to do takes little or no skill, and therefore you'd have to be absolutely braindead to spend more than a few hours hobbling together your advanced "What is 2+2? (Y/N)" McPrograms.

You keep talking about "getting the job done" but really you're not. Do you think that finishing something, regardless of its final quality, is all that matters? No. All you are doing is cutting corners and accepting something below 'good enough' as 'complete'. You ARE part of the problem, and I appreciate that you reiterate my original point so frequently with each of your responses. McCoders are the reason for the bloat and unoptimized, sluggish code that crops up in so many modern applications...but hey, they finished it a couple weeks sooner so there's that...yay.

The job market is so-so. Economy is rough [just ask NASA engineers]. But job requirements listing .Net platform skills are better than ever. Personally, that is likely puerile snob appeal, though I admit it not. Nor do I care for the polar opposite of pop appeal. Of course, the latter does have correlation with revenues and profitability. If you're stuck on good quality, then you are sacrificing one of the other legs of the project triangle: price and/or speed. But you don't know that. Yet.

Yes, there are lots of low-paying jobs for .NET McCoders...apparently the Mc part was lost on you. Even in this economy, you could land a job at a local McDonald's. You make fast food, it's edible and it 'gets the job done' but you won't be winning any culinary awards nor can you consider yourself a chef simply because you slide frozen buns through a toaster all day. As a McCoder you are no different and no better than a fast food chain grunt - common, easily replaceable and skill-less.

I'd be willing to wager you can't even go back a couple weeks to your code and explain your design decisions w/o looking at your notes. What? you didn't comment anything? Nor can you look at somebody else's C and optimize it, instead you'd have to re-write it from the ground up. Big time savings there stud.

LOLWTF I always comment my code. Why wouldn't I? I also indent it and make it readable - it's a matter of efficiency...the McCoders are the ones who wouldn't spend the extra time to comment because it would cut into their speed of "excrement" too much. That's right, when you program in C# you don't have a development cycle - it's called an excrement cycle because the end result is always a big, steaming turd. Don't spend too much time on the crapper! hahaha

Gee, golly, I bet Visual Studio doesn't have access to any of that, huh. Specifically those dastardly "algorithmic calculations." They always cause trouble. Lol .Net runs on many platforms and if I need tuned "media transcoding", I can purchase a library just as easily as you. Except I meet deadlines. Do you even make deadlines? Can you? because once you get the code working you'll have to pound your agile partner to re-code your optimizations ... yet more time.

Are you referring to your cut-n-paste bits, the equivalent of bundled clip art? That's what it seems like. Why is it that the only thing you can say about C# is deadlines? Do you think eating BigMacs daily is better than having a steak with real mashed potatoes? Sorry bro, but you're outta your element in this conversation and that has been quite evident early on.

.NET is owned by MS. It runs only on platforms MS wants it to, and it would typically run sub-optimally on anything other than a Windows-based system, much like yeah, you're already taking a 30%+ performance hit by using C# and then you want to run it on a non-Windows platform. lawl It's probably going to execute 60-80% slower than a proper C application of the same type, while being 100-200%+ larger in file size.

Lastly, I congratulate you however, for convincing me that the hacks who created TDL-4 likely are watchmaker-types who get off on saving a byte and who look forward to the resurrection of D.

TDL-4 is an example of superior coding by people who know what they're doing. A McCoder will NEVER be able to create anything like that, the sandbox wouldn't allow it. The people who TDL-4 it will reap its benefits for a long time to come, while McCoders like you will continue a pointless existence hobbling together unimpressive programs "quickly" for peanuts.

RE: Wow
By WalksTheWalk on 7/6/2011 5:39:54 PM , Rating: 2

Everyone knows you have a monopoly on coding 100% optimized applications.

Too many lulz to count. Given your logic, why not code everything in ASM? The extra time spent is surely worth the performance improvement. Coding in C/C++ just bloats the process with all of their nasty runtime overhead. Why code in C# or Java when everyone knows it's total crap to begin with, right? (BTW - The questions are rhetorical.)

RE: Wow
By EricMartello on 7/6/2011 10:48:41 PM , Rating: 2
I don't claim to have a monopoly on optimized code; but I do respect it and the people who take the time to create it, and I myself strive to avoid the laziness and bloater mentalities that McCoders have unleashed on the computing world while working on my own programs.

The C language still maintains the best balance between higher-than-machine-code level readability without the substantial performance issues you get with managed languages. Neither C nor C++ requires any type of "runtime" and they are largely platform independent. Any overhead that they might have would be introduced by customizing the program to the host OS, and even then, you would still get better performance with C or C++ than C#.

While coding exclusively in ASM may seem like a good idea, it would not yield substantial gains over a well-coded C program. You can actually embed ASM code within C as needed to speed up certain functions and algorithms within your program - without having to make the entire program in ASM. Also, with advanced compiler optimizations, C/C++ programs can actually match ASM programs in terms of file size and speed.

The main benefits of ASM are not merely the fact that a well-written ASM program can potentially execute faster than a program created in a higher-level language, rather it is the ultra-fine control you get over the host system with ASM.

If you need more control than C or C++ can give you, there's ASM. If you just need to make a program that runs as fast as possible, there's C or C++.

