Sophisticated TDL-4 Botnet Has 4.5 Million Infected Zombies

Kaspersky researchers uncovered a sophisticated botnet that relies on rootkits, encryption and antivirus technology to be virtually "indestructible."

Researchers have uncovered a sophisticated and decentralized botnet that combines encryption and rootkit capabilities to make it practically invisible on infected machines.

The TDL-4 bootkit infects the master boot record on a computer so that it can launch before the operating system even starts, making it invisible to the operating system and antivirus software, Sergey Golovanov, a malware researcher at Kaspersky Lab, wrote June 27 on the SecureList blog. While MBR malware is nothing new, TDL-4 has a number of unique capabilities, including an encryption algorithm that hides the botnet's communications from network traffic analysis tools.

A variant of TDSS, which has been around since 2008, TDL-4 appears to be an upgrade of the previous version TDL-3. The botnet's command-and-control servers can communicate with its army using an encrypted method to hide what it's doing from network monitors. The customized encryption algorithm appears to use the domain names of the C&C servers as the encryption keys, according to Golovanov's analysis.

TDL-4 "is one of the most technologically sophisticated and most complex to analyze malware," Golovanov wrote.

Unlike Rustock, Coreflood or a number of other botnets, TDL-4 doesn't rely overmuch on centralized C&C servers to pass instructions to its zombie army. The zombies can also pass along instructions to other machines using a public Kad peer-to-peer network if the servers are for some reason unavailable, creating a "decentralized server-less botnet," said Golovanov.

TDL is often found on adult content sites, bootleg Websites, and video and file storage services, according to Golovanov. Once a computer is infected with TDL-4, the malware downloads and installs other malicious software such as adware and spambots and hides those from security software as well.

Since TDL-4 lives in the master boot record on the hard drive and loads when the computer is booting, before the operating system launches, it's difficult for antivirus software to detect the malware. In the first three months of 2011, it infected 4,524,488 computers around the world. Approximately a third of them are based in the United States.

"Nothing is impossible. But they can definitely try to make it very hard," Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, told eWEEK. The malware also has low-level access to the system since it loads before the operating system, he said.

There appear to be no infected machines in Russia. This may be because the affiliate programs don't get paid for infecting computers located in Russia, according to Golovanov. There are nearly 60 C&C servers around the world, but the IP addresses appear to be "constantly changing," Golovanov said.

In order to ensure that the botnet owners don't lose control of the zombies to a competing botnet, the rootkit has its own version of an antivirus program to scan for other types of malware that may be downloaded to the computer. It can detect and delete about 20 of the most prolific packages, including Gbot and Zeus.

"The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors and antivirus companies," Golovanov wrote.

Nothing is ever indestructible in the security world, but the botnet's level of complexity and sophistication assures the botnet owners a profitable operation for now while security vendors try to figure out a defense. An affiliate can earn anywhere from $20 to $200 for every 1,000 machines it helps infect with TDL, according to Golovanov.

Cyber-criminals are also offering a $100-a-month service to create proxy servers using infected machines, along with a Firefox add-on to make it easy to toggle between proxies within the browser.

Other features include a driver to run on 64-bit systems and a module to fraudulently manipulate advertising systems and search engines using fake click and traffic techniques.

Proving that even cyber-criminals can make mistakes, Kaspersky researchers found bugs in the code, allowing them access to three different MySQL databases located in Moldova, Lithuania, and the U.S. to determine how many machines had been infected. The bugs are also helping researchers investigate the creators.