TDL4 Botnet Now Even Harder To Kill

Researchers say that the rootkit used in the TDL4 botnet has been partially rewritten in what appears to be an attempt by the creators to make it even harder to eradicate.

Specifically, the kernel-mode driver and user-mode payload pieces have been completely revamped in an attempt to better fly under the radar, according to researchers at Eset. It's unclear whether the rewrites were by the original creators trying to make the botnet more marketable to other cybercriminals, or whether it's in the hands of other groups who are tweaking it, the researchers say.

The botnet malware is best known for delivering fake antivirus, adware, and spam. It had infected more than 4 million machines worldwide in the first three months of this year, according to a Kaspersky Lab report on the botnet published this summer. Damballa, meanwhile, says the botnet has ranged in size from 900,000 to 2 million bots in the past year just in the U.S.

"The criminals behind this rootkit incorporate updates to it in order to one, avoid detection, and, two, increase difficulty in removing it. Sometimes these updates are quite small, a change in code just enough to avoid detection or make removal unsuccessful by some anti-malware programs. But others, like the rewrite we noted, seem geared toward not just increasing persistence on already-compromised machines, but perhaps even providing a framework which may allow for placing additional hooks into a system," says Aryeh Goretsky, an Eset researcher.

"Why is this? Well, the criminals behind this rootkit realize that the longer it remains on a system, the more likely they are to make money from that system, so increasing the difficulty of removal results in a financial gain for them. It may even be a metric they use as a selling point to attract additional business," he says.

TDL4 was in the headlines in late June when researchers at Kaspersky shared their findings on a new version of the botnet that made it spread more easily, and more difficult to defend against. At the time, affiliates were making anywhere between $20 to $200 for every 1,000 infected machines, according to Kaspersky's data.

"The changes in TDL-4 affected practically all components of the malware and its activity on the Web to some extent," Kaspersky researchers said in their July blog post. "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down."

And the botnet is still evolving to stay alive: In the latest development revealed by Eset researchers this month, TDL4 has added a new defense against bot-fighters using virtual machines. When the malware installs, it detects whether the Trojan is being run on a virtual machine and passes that intelligence to the command-and-control infrastructure.

"Clearly, it’s also now trying to detect virtual environments, which does pose a problem for certain kinds of detection. But since we know how they’re doing it, it’s not beyond the wit of AV developers to take countermeasures," says David Harley, ESET senior research fellow.

It has also been modified to better hide, with a new hidden file system layout. "The change in implementation of the hidden file system is, probably intentionally, an effective countermeasure against tools for analyzing it. Fortunately, that doesn’t constitute any insuperable obstacles to detection: It’s still not an unbreakable botnet, though the P2P approach makes it more resilient," Harley says.

The alternations don't constitute a new version of TDL, he says. "It’s not TDL5, or even 4.x: It’s an alternative [or] modification within the overall development code tree. On the other hand, if code had been shared, that would probably suggest a major revamp on the way, similar to the way that TDL3 source code wasn’t sold until TDL4 was out," Harley says. "Another interesting development is the dropper mechanism for error tracing in a live infection environment. This is a sophisticated feature in itself, but it might also suggest an approach we can expect to see in a future, major update."

"TDSS is always active and under continuous development, at present," Harley says.

And that's not likely to change anytime soon. Researchers at Damballa say there's no end in sight for TDL4, especially given that its operators are in Russia.

Full technical details on the botnet's latest iteration are here in Eset's blog post.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.