Security Researchers Discover 4 Million Strong ‘Indestructible’ Botnet – TDSS/TDL
Published 2011-07-04 (last modified 2015-09-09) at https://www.darknet.org.uk/2011/07/security-researchers-discover-4-million-strong-indestructible-botnet-tdsstdl/

A huge botnet has recently been uncovered, built on an extremely advanced and constantly evolving variant of the ever-popular (and usually quite sophisticated) TDL strain. We wrote about an earlier TDL variant in 2010 – TDL AKA Alureon Rootkit Now Infecting 64-Bit Windows 7 Platform.

TDL itself has been around for several years, but the new TDSS variant is genuinely sophisticated and comes loaded with its own “anti-virus” routine, intended to stop the infected Windows host being taken over by other malware or rival botmasters.

TDL has been under development since 2008 (or perhaps even earlier) and is now on version 4 (TDL-4). You can see how these guys think: the bot only claims a share of the host’s CPU resources for its own tasks, so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week in a research note on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There are a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

This is a huge operation, with around 4.5 million infected hosts in the botnet. It is very difficult to remove and, because of its fairly intelligent design, in most cases it doesn’t even get spotted in the first place.

The weak point (if it really is one) of such a complex piece of malware is that its own code is more likely to contain bugs and exploitable flaws; this is where security researchers can use their own hacking skills to gather more knowledge about the botnet.