Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL


It’s recently been uncovered that there’s a HUGE botnet, extremely advanced and constantly evolving, built on a variant of the ever popular (and usually quite advanced) TDL strain. We did write about a TDL variant earlier, in 2010 – TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform.

TDL itself has been around for several years, but the new TDSS variant is really sophisticated and comes loaded with anti-virus capabilities to stop the Windows host PC getting infected by other malware or taken over by other botmasters.

Development of TDL has been going on since 2008 (or perhaps even earlier) and it is now on version 4 (TDL-4). You can see how these guys think, as they only apportion a part of the CPU resources to their own malware so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week in a research note on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There are a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

Now this is a fairly huge operation, with 4-5 million infected hosts within the botnet. It’s very difficult to remove and for the most part – because of its fairly intelligent design – it doesn’t even get spotted in the first place.

The downfall (if it really is one) of such a complex piece of malware is that it’s more likely to have coding bugs/exploits contained in its own code – this is where security researchers can leverage their own hacking skills to gather more knowledge about the botnet.

“TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.,” Golovanov writes. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

“This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible,” according to the researcher. Other improvements over the previous TDL-3 generation of TDSS malware include the encryption of communications between a botnet operator’s command-and-control servers and the botnet, and the ability to transmit commands to a botnet over the publicly accessible, peer-to-peer Kad network via TDL-4’s kad.dll module.

According to Golovanov, TDL “affiliates” can earn up to $200 when they manage 1,000 installations of the malware on victim computers.

“Affiliates can use any installation method they choose,” he writes. “Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”

About a third of the TDL-4-infected computers are in the U.S., according to Golovanov, and about 60 TDL-4 command-and-control centers all around the world have been identified since the beginning of 2011.

Most of the motivation behind such large botnets is of course money; we’ve written before about the Digital Underground Offering Cheap Botnets For Hire and about people getting caught, like – Texas Man Pleads Guilty To Bot Network For Hire.

It seems like the main infection vector is still via the browser; people who visit dodgy sites (porn/pirated software etc.) with old browsers are getting infected with botnet-laden malware like this.

I doubt anyone reading is in any danger of infection, but still – it pays to know what is out there.

Source: PC Mag

Posted in: Malware, Windows Hacking


3 Responses to Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL

  1. Xeross July 4, 2011 at 1:31 pm #

    Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible”.

    This sounds like it embeds itself deeply into the system, yet no elaboration is given, is there just not more known or?

  2. Bogwitch July 4, 2011 at 11:22 pm #


    The primary method of hiding for TDSS is by inserting itself into the MBR. That way it can become active before Windows is loaded, before any AV software is loaded and will also be active if the system is booted in safe mode or normal mode.

    On a wider note, I have seen Microsoft posting that fixing the MBR and performing a full scan should be sufficient to remove the infection. I do not agree. If ANY system is compromised, it should be rebuilt from scratch as you can rarely be sure that the infection has not performed other, unwanted actions. Downloading other malware is one thing that trojans such as TDSS will perform and is (usually) easily detectable. Other, more subtle changes might be harder to spot such as modifying the HOSTS file, changing registry settings or changing the permissions of files or registry keys can assist an attacker to regain a foothold therefore a reformat and reinstall should be the ‘cure’ that is applied to a malware infection.

  3. fixer July 5, 2011 at 9:03 am #

    give me the sauce
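
An added example, not from the original post or from any commenter: an offline check for the MBR persistence described in comment 2, which hashes the boot-code area of a captured sector 0 and compares it, together with the partition table, against a baseline recorded when the machine was known to be clean. The function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code (440-445: disk signature)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of sector 0."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:  # type 0 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """List differences from a baseline produced by parse_mbr(); [] if none."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def sample_sector(boot_code: bytes, lba_start: int = 2048) -> bytes:
    """Constructed sector: given boot code plus one active type-0x07 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"", 0x07, b"", lba_start, 204800)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
            + entry + b"\x00" * 48 + BOOT_SIG)


if __name__ == "__main__":
    baseline = parse_mbr(sample_sector(b"\xfa\x33\xc0"))  # known-clean capture
    print(compare_to_baseline(sample_sector(b"\xeb\x5a"), baseline))
```

Feed it sector 0 from a disk image taken while booted from trusted media, since code that is active before Windows loads can affect what the running system reads back.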