Sponsored By

Inside Indestructible Botnet, Security Experts See Flaws

The huge TDL4 botnet has snared 4.5 million PCs, as the malware creators pay handsomely for results. But experts say it's sneaky, not unstoppable.

Mathew J. Schwartz

July 1, 2011

4 Min Read

How Firesheep Can Hijack Web Sessions

How FiresheepCan Hijack Web Sessions

(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

According to a new analysis of the TDL4 (aka TDSS) botnet, written by Sergey Golovanov and Igor Soumenkov of Kaspersky Labs and posted on the company's blog, the latest version of the botnet, which debuted in December 2010, now appears to be sold via affiliates, who earn between $20 and $200 for every 1,000 installations of TDL on victims' PCs.

"Affiliates can use any installation method they choose," they said. "Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services." That's a change from before, when the botnet's owners--or members of their own criminal gang--likely infected PCs themselves, rather than farming out the task to others.

How much money could operators of this type of botnet stand to clear? "Nearly one-third of all infected computers are in the United States," said the Kaspersky researchers. "Going on the prices quoted by affiliate programs, this number of infected computers in the U.S. is worth $250,000, a sum which presumably made its way to the creators of TDSS."

Interestingly, the change in business model appeared to have occurred after the authors of the previous version of the botnet, TDL3, sold their source code to someone else. "In December, when analyzing a TDSS sample, we discovered something odd: a TDL3 encrypted disk contained modules of another malicious program, Shiz," said Golovanov and Soumenkov. "At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of Shiz, but used TDL3."

"The changes that had been made to the TDL3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL3 source code to cybercriminals who had previously been engaged in the development of Shiz malware," Golovanov and Soumenkov said.

Shiz, which is very similar to malware known as Rohimafo, is a Trojan application able to open a back door to a PC and steal information.

In other words, the creators of Shiv appear to have put their crimeware-creating smarts to work on a new version of TDL4. "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," said the Kaspersky researchers. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

While the prospect of an unstoppable piece of malware able to turn unsuspecting PCs into zombies may raise alarms, don't panic, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. "Is any malware truly indestructible? Of course not," he said.

Still, beware. "The TDL rootkit family is, indeed, one of the trickiest rootkits around. The crooks who wrote it are well aware of that: to the best of my knowledge, you can't buy the TDL source code to use with your own malware. It's closed source; proprietary; a trade secret. But you can lease time on a botnet which is built around a TDL rootkit. Think cloud. Think MaaS: Malware as a Service," he said.

Furthermore, the most recent version of TDL is "particularly sneaky," because it can hide files "in a secret, encrypted partition at the end of your hard disk," and launch those files before Windows starts, he said.

But as with any malware, TDL4 eventually gives itself away. For example, in an enterprise setting, Kaspersky Labs said that one way to detect the malware is to watch for any PCs or servers sending outbound DNS requests to resolve server domains, since an HTTP or HTTPS proxy would typically handle domain name lookup requests.

Even so, as cutting-edge botnets such as TDL4 continue to improve, it's yet another reason to protect computers with modern antivirus software, including anti-malware engines, that can block and eradicate these rootkits.

It doesn't pay for small and midsize businesses to protect against security threats faced by only the largest companies. Here's how to focus your efforts on the right threats. Download our all-digital supplement. Download it now.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights