

Inside Indestructible Botnet, Security Experts See Flaws

The huge TDL4 botnet has snared 4.5 million PCs, as the malware creators pay handsomely for results. But experts say it's sneaky, not unstoppable.

According to a new analysis of the TDL4 (aka TDSS) botnet, written by Sergey Golovanov and Igor Soumenkov of Kaspersky Labs and posted on the company's blog, the latest version of the botnet, which debuted in December 2010, now appears to be sold via affiliates, who earn between $20 and $200 for every 1,000 installations of TDL on victims' PCs.

"Affiliates can use any installation method they choose," they said. "Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services." That's a change from before, when the botnet's owners--or members of their own criminal gang--likely infected PCs themselves, rather than farming out the task to others.

How much money could operators of this type of botnet stand to clear? "Nearly one-third of all infected computers are in the United States," said the Kaspersky researchers. "Going on the prices quoted by affiliate programs, this number of infected computers in the U.S. is worth $250,000, a sum which presumably made its way to the creators of TDSS."

Interestingly, the change in business model appeared to have occurred after the authors of the previous version of the botnet, TDL3, sold their source code to someone else. "In December, when analyzing a TDSS sample, we discovered something odd: a TDL3 encrypted disk contained modules of another malicious program, Shiz," said Golovanov and Soumenkov. "At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of Shiz, but used TDL3."

"The changes that had been made to the TDL3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL3 source code to cybercriminals who had previously been engaged in the development of Shiz malware," Golovanov and Soumenkov said.

Shiz, which is very similar to malware known as Rohimafo, is a Trojan application able to open a back door to a PC and steal information.

In other words, the creators of Shiz appear to have put their crimeware-creating smarts to work on a new version of TDL4. "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," said the Kaspersky researchers. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

While the prospect of an unstoppable piece of malware able to turn unsuspecting PCs into zombies may raise alarms, don't panic, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Is any malware truly indestructible? Of course not," he said.

Still, beware. "The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can't buy the TDL source code to use with your own malware. It's closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service," he said.

Furthermore, the most recent version of TDL is "particularly sneaky," because it can hide files "in a secret, encrypted partition at the end of your hard disk," and launch those files before Windows starts, he said.

But as with any malware, TDL4 eventually gives itself away. For example, in an enterprise setting, Kaspersky Labs said that one way to detect the malware is to watch for any PCs or servers sending outbound DNS requests to resolve server domains, since an HTTP or HTTPS proxy would typically handle domain name lookup requests.
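The detection idea above, as an added example that is not part of the article or of Kaspersky's analysis: in a network where a web proxy performs name resolution on behalf of clients, a workstation sending DNS queries straight to an external resolver is an anomaly worth investigating. The script scans constructed perimeter-firewall log lines and reports hosts (other than the proxy and the internal resolvers, whose addresses are assumptions) that talk to external DNS servers directly.

```python
import ipaddress
import re
from collections import defaultdict

# Hosts expected to perform external DNS lookups in a proxied network:
# the web proxy and the internal resolvers. These addresses are assumptions.
INTERNAL_RESOLVERS = {"10.0.0.10", "10.0.0.11"}
WEB_PROXY = "10.0.0.20"
ALLOWED_SOURCES = INTERNAL_RESOLVERS | {WEB_PROXY}

# Address space treated as internal; queries to internal resolvers are expected.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines (sample data, not real traffic).
SAMPLE_LOG = """\
2011-07-01T10:00:01 action=allow src=10.0.0.20 dst=198.51.100.53 proto=udp dport=53
2011-07-01T10:00:02 action=allow src=10.0.5.17 dst=8.8.8.8 proto=udp dport=53
2011-07-01T10:00:03 action=allow src=10.0.5.17 dst=203.0.113.9 proto=tcp dport=443
2011-07-01T10:00:04 action=allow src=10.0.0.10 dst=198.51.100.53 proto=udp dport=53
2011-07-01T10:00:05 action=allow src=10.0.5.42 dst=10.0.0.10 proto=udp dport=53
2011-07-01T10:00:06 action=allow src=10.0.5.42 dst=203.0.113.77 proto=udp dport=53
2011-07-01T10:00:07 action=deny src=10.0.5.17 dst=8.8.4.4 proto=udp dport=53
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_dns_sources(log_text):
    """Map each offending source IP to the external DNS servers it contacted.

    Denied attempts are reported too: the attempt itself is the signal that a
    host is resolving names on its own instead of going through the proxy.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        if dport != "53" or is_internal(dst):
            continue  # not DNS, or a query to an internal resolver (expected)
        if src in ALLOWED_SOURCES:
            continue  # proxy and resolvers legitimately query external DNS
        hits[src].append(dst)
    return dict(hits)
```

Hosts that show up here are candidates for rootkit investigation, not proof of infection; misconfigured clients and software with hard-coded resolvers produce the same pattern.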

Even so, as cutting-edge botnets such as TDL4 continue to improve, it's yet another reason to protect computers with modern antivirus software, including anti-malware engines, that can block and eradicate these rootkits.


