Kaspersky researchers uncovered a sophisticated botnet that relies on rootkits, encryption and antivirus technology to be virtually "indestructible."
Researchers have uncovered a
sophisticated and decentralized botnet that combines encryption and rootkit
capabilities to make it practically invisible to infected machines.
The TDL-4 bootkit infects
the master boot record on a computer so that it can launch before the operating
system even starts, making it invisible to the operating system and antivirus
software, Sergey Golovanov, a malware researcher at Kaspersky Lab, wrote June
27 on the SecureList
blog. While MBR-malware
is nothing new, TDL-4 has a
number of unique capabilities, including an encryption algorithm that hides the
botnet's communications from network traffic analysis tools.
A variant of TDSS, which has
been around since 2008, TDL-4 appears to be an upgrade of the previous version
TDL-3. The botnet's command-and-control servers can communicate with its army using
an encrypted method to hide what it's doing from network monitors. The
customized encryption algorithm appears to use the domain names of the C&C
servers as the encryption keys, according to Golovanov's analysis.
TDL-4 "is one of the
most technologically sophisticated and most complex to analyze malware,"
or a number of other
botnets, TDL-4 doesn't rely overmuch on centralized C&C servers to pass
instructions to its zombie army. The zombies can also pass along instructions
to other machines using a public Kad peer-to-peer network if the servers are
for some reason unavailable, creating a "decentralized server-less
botnet," said Golovanov.
TDL is often found on adult
content sites, bootleg Websites, and video and file storage services, according
to Golovanov. Once a computer is infected with TLD-4, the malware downloads and
installs other malicious software such as adware and spambots and hides those
from security software as well.
Since TDL-4 loads when the
computer is booting, before the operating system launches and lives in the
master boot record on the hard drive, it's difficult for antivirus software to
detect the malware. In the first three months of 2011, it infected 4,524,488
computers around the world. Approximately a third of them are based in the
"Nothing is impossible. But
they can definitely try to make it very hard," Roel Schouwenberg, senior
antivirus researcher at Kasperksy Lab, told eWEEK
. The malware also has
low-level access to the system since it loads before the operating system, he
There appears to be no
infected machines in Russia. This may be because the affiliate programs don't
get paid for infecting computers located in Russia, according to Golovanov.
There are nearly 60 C&C servers around the world, but the IP addresses
appear to be "constantly changing," Golovanov said.
In order to ensure that the
botnet owners don't lose control of the zombies to a competing botnet, the
rootkit has its own version of an antivirus program to scan for other types of
malware that may be downloaded to the computer. It can detect and delete about
20 of the most prolific packages, including Gbot and Zeus.
"The owners of TDL are
essentially trying to create an 'indestructible' botnet that is protected
against attacks, competitors and antivirus companies," Golovanov wrote.
Nothing is ever
indestructible in the security world, but the botnet's level of complexity and
sophistication assures the botnet owners a profitable operation for now while
security vendors try to figure out a defense. An affiliate can earn anywhere
from $20 to $200 for every 1,000 machines it helps infect with TDL, according
Cyber-criminals are also
offering a $100-a-month service to create proxy servers using infected
machines, along with a Firefox add-on to make it easy to toggle between proxies
within the browser.
Other features include a
driver to run on 64-bit systems and a module to fraudulently manipulate
advertising systems and search engines using fake click and traffic techniques.
Proving that even
cyber-criminals can make mistakes, Kaspersky researchers found bugs in the
code, allowing them access to three different MySQL databases located in
Moldova, Lithuania, and the U.S. to determine how many machines had been
infected. The bugs are also helping researchers investigate the creators.