Security researchers at Kaspersky Lab have detailed a new botnet–a collection of infected computers controlled by cybercriminals–called TDL-4, that might just be “indestructible.”
TDL-4 gets its name by being the fourth generation of the botnet. In 2008, the original TDL appeared. It has been altered over the last several years. With TDL-4, Kaspersky has found, the malware creators have drastically improved the botnet over its predecessors.
“The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down,” Kaspersky wrote on its SecureList blog earlier this week. “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”
Central to TDL-4’s updates is an improved algorithm that encrypts communications between infected computers and the botnet’s command. According to Kaspersky, TDL-4 creates an identifier known as “bsh parameter” that “acts as one of the encryption keys for subsequent connections to the command and control server.” Once a request between command and the computer is activated, it’s transmitted over an HTTPS connection. According to Kaspersky, that system helps the botnet “run smoothly” and, at the same time, stops anyone else from trying to take control over it.
To help safeguard itself from removal, TDL-4 infects a computer’s master boot record, thus allowing it to run before the operating system starts up, and keep it away from the prying eyes of anti-malware programs. What’s more, the botnet deletes other malicious files that might get caught by security tools and tip users to TDL-4 running on their computers. In their place, TDL-4 has downloaded about 30 malicious programs on infected computers, including “fake anti-virus programs, adware, and the Pushdo spambot,” Kaspersky says.
According to Kaspersky, the botnet also uses peer-to-peer network Kad to issue several commands, including searching for new files, publishing files to Kad, and more.
The big upshot of that for TDL-4 creators, Kaspersky says, is that even if “its command and control centers are shut down, the botnet owners will not lose control over infected machines,” since they’ll still be able to access Kad.
Although Kaspersky believes TDL-4 is practically impenetrable, not everyone is so quick to agree. Writing for InfoWorld today, Roger Grimes, a self-described “24-year veteran of the malware wars,” says that there has yet to be a single threat that has been able to hold its ground indefinitely.
“I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to,” Grimes writes. “It may take months or years to kill off something, but eventually the good guys get it right.”
He makes a solid point. Last year, Conficker was taken down after wreaking havoc on computers worldwide since 2008. Earlier this month, the FBI announced that it had taken down the Coreflood botnet.
But TDL-4’s functionality might just be in a league of its own. As Kaspersky notes, the botnet can “manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.”
According to Kaspersky, 28 percent of all infected TDL-4 computers are in the U.S. Computers in the U.K., Italy, France, and many other countries are also infected with TDL-4. All told, more than 4.5 million computers were infected with TDL-4 in the first three months of 2011 alone.