New Botnet: The Horror of the Many-Headed Hydra
A newly identified network of malware infected computers uses a special system make it extremely difficult to decapitate, according to security researchers. The TDL-4 botnet uses a decentralized command and control system: Take down one C&C server, and another one springs up somewhere else.
07/01/11 5:00 AM PT
A new malware package is running wild on the Internet, according to Kaspersky Labs, and its creators are attempting to create an indestructible herd of zombified machines.
The botnet has been dubbed "TDL-4," which Kaspersky describes as "the most sophisticated threat today."
The creators use the same methods as legitimate Web-based businesses to spread -- they pay affiliates to install the malware.
TDL-4 protects itself from detection, wipes out the competition, loads lots of other malware packages into victims' computers and leverages the Kad open source public peer to peer (P2P) network to essentially make itself super-resilient.
As for indestructible ... can any malware package be described as such?
"Calling the botnet indestructible is tantamount to calling the Internet unsustainable," Randy Abrams, director of technical education at ESET, told TechNewsWorld.
"I suspect that, in time, we'll discover the 'T' in TDL stands for 'Titanic,' and a currently unseen iceberg will sink it," Abrams added.
Such an iceberg may already have surfaced.
TDL's One Bad Cat
TDL-4 is a bootkit, meaning that it infects a computer's master boot record (MBR), thus ensuring it will run before the operating system starts, Kaspersky said. This ensures a longer malware lifecycle and makes it less visible to most security software.
TDL-4 uses encrypted network connections to ensure the botnet runs smoothly and protect it from network traffic analysis and other botnets, Kaspersky says.
Like any predator, TDL-4 wipes out competitors to ensure it has exclusive rights to its prey. It can wipe out about 20 malware packages, including the Gbot worm, and the banking information-stealing ZeuS Trojan, Kaspersky says.
"It's not new for malware to delete other malware on a system," Jack Walsh, network IPS program manager at ICSA Labs, told TechNewsWorld.
"Eliminating its botnet competitors makes this TDL-4 malware more attractive to cybercriminals looking for malware to use that will help them make a buck," Walsh added.
About one third of the computers infected by TDL-4, or roughly 1.5 million PCs, are in the United States. That's worth US$250,000, based on the prices quoted by affiliate programs, Kaspersky says.
TDL-4 delivers about 30 additional malware packages of its own when it infects a PC.
Indestructible Is a State of Mind
TDL-4 leverages the Kad public peer-to-peer (P2P) network, using a file the malware's authors wrote that creates subnets of infected computers.
The file, which Kaspersky says is named "ktzerules," also ensures that the botnet's owners will retain control over infected computers even when its command and control centers are shut down, making it indestructible, in effect.
That's because the command and control (C&C) of the botnet set up by TDL-4 is decentralized -- take down one C&C server and another one springs up in its stead somewhere else.
"Nothing's indestructible, but a successful takedown would be extremely hard to accomplish," Roel Schouwenberg, senior malware researcher, Kaspersky Labs, told TechNewsWorld.
"The hybrid C&C and P2P architecture means both parts would have to be hit hard and fast," Schouwenberg added. "As such, I don't think a takedown is going to be feasible."
A botnet takeover that "would most likely involve arresting the TDL gang" is needed, but "I don't see this botnet disappearing any time soon," Schouwenberg said.
The TDSS Killer
SurfRight released an update to Hitman Pro, version 3.5.9, to specifically fight rootkits such as TDL 4 earlier in June.
This followed the emergence of "highly advanced rootkits such as Mebroot, Sinowal and TDL-4 who were trying to defeat detection by Hitman Pro," the company stated.
The update collects hard disk miniport driver information from clean computers and stores a fingerprint of this information in the cloud. When Hitman Pro 3.5.9 detects a rootkit hook on a computer's hard disk driver, it consults the cloud on how to work around it.
Hitman Pro 3.5.9 also protects the master boot record (MBR) when restoring MBRs to counter rootkit watchdogs, the company said.