Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL

Keep on Guard!


It’s been recently uncovered that there’s a HUGE botnet, which is extremely advanced and constantly evolving a variant of the ever popular (and usually quite advanced) TDL strain. We did write about a TDL variant earlier in 2010 – TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform.

TDL itself has been around several years, but the new TDSS variant is really sophisticated and comes loaded with anti-virus capabilities to stop the Windows host PC getting infected by other malware or botmasters.

Development has been going on since TDL since 2008 (or perhaps even earlier) and now is on version 4 (TDL-4). You can see how these guys think as they only apportion a part of the CPU resources to their own malware so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week a research note in on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

Now this is a fairly huge operation with 4-5 million infected hosts within the botnet, it’s very difficult to remove and in most parts – because of it’s fairly intelligent design – it doesn’t even get spotted in the first place.

The downfall (if it really is) of such a complex piece of malware is that it’s more likely to have coding bugs/exploits contained in it’s own code – this is where security researchers can leverage their own hacking skills to gather more knowledge about the botnet.


“TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.,” Golovanov writes. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

“This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible,” according to the researcher. Other improvements over the previous TDL-3 generation of TDSS malware include the encryption of communications between a botnet operator’s command-and-control servers and the botnet, and the ability to transmit commands to a botnet over the publicly accessible, peer-to-peer Kad network via TDL-4’s kad.dll module.

According to Golovanov, TDL “affiliates” can earn up to $200 when they manage 1,000 installations of the malware on victim computers.

“Affiliates can use any installation method they choose,” he writes. “Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”

About a third of the TDL-4-infected computers are in the U.S., according to Golovanov, and about 60 TDL-4 command-and-control centers all around the world have been identified since the beginning of 2011.

Most of the motivation behind such large botnets is of course money, we’ve written before about the Digital Underground Offering Cheap Botnets For Hire and about people getting caught like – Texas Man Pleads Guilty To Bot Network For Hire.

It seems like the main infection vector is still via the browser, people who visit dodgy sites (porn/pirated software etc) with old browsers are getting infected with botnet laden malware like this.

I doubt anyone reading is any danger of infection, but still – it pays to know what is out there.

Source: PC Mag

Posted in: Malware, Windows Hacking

, , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


3 Responses to Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL

  1. Xeross July 4, 2011 at 1:31 pm #

    Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible”.

    This sounds like it embeds itself deeply into the system, yet no elaboration is given, is there just not more known or?

  2. Bogwitch July 4, 2011 at 11:22 pm #

    @Xeross,

    The primary method of hiding for TDSS is by inserting itself into the MBR. That way it can become active before Windows is loaded, before any AV software is loaded and will also be active if the system is booted in safe mode or normal mode.

    On a wider note, I have seen Microsoft posting that fixing the MBR and performing a full scan should be sufficient to remove the infection. I do not agree. If ANY system is compromised, it should be rebuilt from scratch as you can rarely be sure that the infection has not performed other, unwanted actions. Downloading other malware is one thing that trojans such as TDSS will perform and is (usually) easily detectable. Other, more subtle changes might be harder to spot such as modifying the HOSTS file, changing registry settings or changing the permissions of files or registry keys can assist an attacker to regain a foothold therefore a reformat and reinstall should be the ‘cure’ that is applied to a malware infection.

  3. fixer July 5, 2011 at 9:03 am #

    give me the sauce