04 July 2011 | 12,385 views

Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL

Check Your Web Security with Acunetix

It’s been recently uncovered that there’s a HUGE botnet, which is extremely advanced and constantly evolving a variant of the ever popular (and usually quite advanced) TDL strain. We did write about a TDL variant earlier in 2010 – TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform.

TDL itself has been around several years, but the new TDSS variant is really sophisticated and comes loaded with anti-virus capabilities to stop the Windows host PC getting infected by other malware or botmasters.

Development has been going on since TDL since 2008 (or perhaps even earlier) and now is on version 4 (TDL-4). You can see how these guys think as they only apportion a part of the CPU resources to their own malware so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week a research note in on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

Now this is a fairly huge operation with 4-5 million infected hosts within the botnet, it’s very difficult to remove and in most parts – because of it’s fairly intelligent design – it doesn’t even get spotted in the first place.

The downfall (if it really is) of such a complex piece of malware is that it’s more likely to have coding bugs/exploits contained in it’s own code – this is where security researchers can leverage their own hacking skills to gather more knowledge about the botnet.


“TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.,” Golovanov writes. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

“This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible,” according to the researcher. Other improvements over the previous TDL-3 generation of TDSS malware include the encryption of communications between a botnet operator’s command-and-control servers and the botnet, and the ability to transmit commands to a botnet over the publicly accessible, peer-to-peer Kad network via TDL-4′s kad.dll module.

According to Golovanov, TDL “affiliates” can earn up to $200 when they manage 1,000 installations of the malware on victim computers.

“Affiliates can use any installation method they choose,” he writes. “Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”

About a third of the TDL-4-infected computers are in the U.S., according to Golovanov, and about 60 TDL-4 command-and-control centers all around the world have been identified since the beginning of 2011.

Most of the motivation behind such large botnets is of course money, we’ve written before about the Digital Underground Offering Cheap Botnets For Hire and about people getting caught like – Texas Man Pleads Guilty To Bot Network For Hire.

It seems like the main infection vector is still via the browser, people who visit dodgy sites (porn/pirated software etc) with old browsers are getting infected with botnet laden malware like this.

I doubt anyone reading is any danger of infection, but still – it pays to know what is out there.

Source: PC Mag



Recent in Malware:
- Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP
- Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet
- Hook Analyser 3.1 – Malware Analysis Tool

Related Posts:
- Torpig Botnet Hijacking Reveals 70GB Of Stolen Data
- Conficker Day – April 1st – Uneventful
- Nugache – The Next Big Storm?

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,288 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,434 views
- US considers banning DRM rootkits – Sony BMG - 44,922 views

Low-cost VPS Hosting

3 Responses to “Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL”

  1. Xeross 4 July 2011 at 1:31 pm Permalink

    Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible”.

    This sounds like it embeds itself deeply into the system, yet no elaboration is given, is there just not more known or?

  2. Bogwitch 4 July 2011 at 11:22 pm Permalink

    @Xeross,

    The primary method of hiding for TDSS is by inserting itself into the MBR. That way it can become active before Windows is loaded, before any AV software is loaded and will also be active if the system is booted in safe mode or normal mode.

    On a wider note, I have seen Microsoft posting that fixing the MBR and performing a full scan should be sufficient to remove the infection. I do not agree. If ANY system is compromised, it should be rebuilt from scratch as you can rarely be sure that the infection has not performed other, unwanted actions. Downloading other malware is one thing that trojans such as TDSS will perform and is (usually) easily detectable. Other, more subtle changes might be harder to spot such as modifying the HOSTS file, changing registry settings or changing the permissions of files or registry keys can assist an attacker to regain a foothold therefore a reformat and reinstall should be the ‘cure’ that is applied to a malware infection.

  3. fixer 5 July 2011 at 9:03 am Permalink

    give me the sauce