Dark Reading is part of the Informa Tech Division of Informa PLC

Inside Indestructible Botnet, Security Experts See Flaws

The huge TDL4 botnet has snared 4.5 million PCs, as the malware creators pay handsomely for results. But experts say it's sneaky, not unstoppable.

According to a new analysis of the TDL4 (aka TDSS) botnet, written by Sergey Golovanov and Igor Soumenkov of Kaspersky Labs and posted on the company's blog, the latest version of the botnet, which debuted in December 2010, now appears to be sold via affiliates, who earn between $20 and $200 for every 1,000 installations of TDL on victims' PCs.

"Affiliates can use any installation method they choose," they said. "Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services." That's a change from before, when the botnet's owners--or members of their own criminal gang--likely infected PCs themselves, rather than farming out the task to others.

How much money could operators of this type of botnet stand to clear? "Nearly one-third of all infected computers are in the United States," said the Kaspersky researchers. "Going on the prices quoted by affiliate programs, this number of infected computers in the U.S. is worth $250,000, a sum which presumably made its way to the creators of TDSS."

Interestingly, the change in business model appeared to have occurred after the authors of the previous version of the botnet, TDL3, sold their source code to someone else. "In December, when analyzing a TDSS sample, we discovered something odd: a TDL3 encrypted disk contained modules of another malicious program, Shiz," said Golovanov and Soumenkov. "At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of Shiz, but used TDL3."

"The changes that had been made to the TDL3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL3 source code to cybercriminals who had previously been engaged in the development of Shiz malware," Golovanov and Soumenkov said.

Shiz, which is very similar to malware known as Rohimafo, is a Trojan application able to open a back door to a PC and steal information.

In other words, the creators of Shiz appear to have put their crimeware-creating smarts to work on a new version of TDL4. "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," said the Kaspersky researchers. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

While the prospect of an unstoppable piece of malware able to turn unsuspecting PCs into zombies may raise alarms, don't panic, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Is any malware truly indestructible? Of course not," he said.

Still, beware. "The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can't buy the TDL source code to use with your own malware. It's closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service," he said.

Furthermore, the most recent version of TDL is "particularly sneaky," because it can hide files "in a secret, encrypted partition at the end of your hard disk," and launch those files before Windows starts, he said.

But as with any malware, TDL4 eventually gives itself away. For example, in an enterprise setting, Kaspersky Labs said that one way to detect the malware is to watch for any PCs or servers sending outbound DNS requests to resolve server domains themselves, since in such environments an HTTP or HTTPS proxy, not the individual endpoints, would typically handle domain name lookups.
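The detection heuristic above, worked through as an added example that is not from the article or Kaspersky: given a flow log and a site policy under which workstations may only talk DNS to an approved internal resolver (the resolver address, network range and log lines here are constructed), flag hosts that resolve names on their own, tagging external resolvers so they can be triaged first.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not from the article or Kaspersky):
# timestamp, source host, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2011-07-01T10:00:01 10.1.2.10 10.1.0.53 53 udp
2011-07-01T10:00:02 10.1.2.11 10.1.0.53 53 udp
2011-07-01T10:00:05 10.1.2.12 8.8.8.8 53 udp
2011-07-01T10:00:06 10.1.2.12 8.8.8.8 53 udp
2011-07-01T10:00:07 10.1.2.13 198.51.100.7 53 tcp
2011-07-01T10:00:08 10.1.2.13 10.1.9.9 53 udp
2011-07-01T10:00:09 10.1.2.10 10.1.0.8 3128 tcp
2011-07-01T10:00:10 10.1.2.14 203.0.113.9 443 tcp
"""

# Hypothetical site policy: workstations may send DNS only to the internal
# resolver; web traffic goes through the proxy, which resolves names itself.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_RESOLVERS = {"10.1.0.53"}
DNS_PORT = 53


def parse_flows(text):
    """Yield one dict per non-empty, whitespace-separated flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_dns(flows, allowed=ALLOWED_RESOLVERS):
    """Map each host doing its own lookups to the resolvers it used, each tagged
    'external' or 'internal' so an analyst can look at the external ones first."""
    hits = defaultdict(dict)
    for f in flows:
        if f["port"] != DNS_PORT or f["dst"] in allowed:
            continue
        scope = "internal" if is_internal(f["dst"]) else "external"
        hits[f["src"]][f["dst"]] = scope
    return dict(hits)


if __name__ == "__main__":
    for host, dsts in sorted(find_direct_dns(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, dsts)
```

Hosts that only reach the approved resolver or the proxy port produce no hit; a real deployment would feed the same function from firewall or NetFlow exports.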

Even so, as cutting-edge botnets such as TDL4 continue to improve, it's yet another reason to protect computers with modern antivirus software, including anti-malware engines, that can block and eradicate these rootkits.
