TDL-4 Rootkit Enslaves 4.5M PCs In 3 Months

The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Almost a third of the compromised machines were located in the United States. With successful attacks on US-based PCs fetching premium fees, those behind the infections likely earned $250,000 on that demographic alone.

TDL-4 is endowed with an array of improvements over TDL-3 and previous versions of the rootkit, which is also known as Alureon or just TDL. As previously reported, it is now able to infect 64-bit versions of Windows by bypassing the OS's kernel mode code signing policy, which was designed to allow drivers to be installed only when they have been digitally signed by a trusted source. Its ability to create ad-hoc DHCP servers on networks also gives the latest version new propagation powers.

"The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other," the Kaspersky researchers wrote in their report. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

Here is another article about the TDL-4 Botnet:

TDL-4: The 'indestructible' botnet?

by Don Reisinger

Security researchers at Kaspersky Lab have detailed a new botnet--a collection of infected computers controlled by cybercriminals--called TDL-4, that might just be "indestructible."


TDL-4 gets its name by being the fourth generation of the botnet. In 2008, the original TDL appeared. It has been altered over the last several years. With TDL-4, Kaspersky has found, the malware creators have drastically improved the botnet over its predecessors.


"The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," Kaspersky wrote on its SecureList blog earlier this week. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."


Central to TDL-4's updates is an improved algorithm that encrypts communications between infected computers and the botnet's command. According to Kaspersky, TDL-4 creates an identifier known as "bsh parameter" that "acts as one of the encryption keys for subsequent connections to the command and control server." Once a request between command and the computer is activated, it's transmitted over an HTTPS connection. According to Kaspersky, that system helps the botnet "run smoothly" and, at the same time, stops anyone else from trying to take control over it.


Figure: Global distribution of TDL-4 infections. According to the country codes to the right, the U.S., India, Indonesia, and Great Britain are tops in infections, according to Kaspersky. (Credit: Kaspersky Lab)


To help safeguard itself from removal, TDL-4 infects a computer's master boot record, thus allowing it to run before the operating system starts up, and keep it away from the prying eyes of anti-malware programs. What's more, the botnet deletes other malicious files that might get caught by security tools and tip users to TDL-4 running on their computers. In their place, TDL-4 has downloaded about 30 malicious programs on infected computers, including "fake anti-virus programs, adware, and the Pushdo spambot," Kaspersky says.


According to Kaspersky, the botnet also uses peer-to-peer network Kad to issue several commands, including searching for new files, publishing files to Kad, and more.


The big upshot of that for TDL-4 creators, Kaspersky says, is that even if "its command and control centers are shut down, the botnet owners will not lose control over infected machines," since they'll still be able to access Kad.


Although Kaspersky believes TDL-4 is practically impenetrable, not everyone is so quick to agree. Writing for InfoWorld today, Roger Grimes, a self-described "24-year veteran of the malware wars," says that there has yet to be a single threat that has been able to hold its ground indefinitely.


"I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to," Grimes writes. "It may take months or years to kill off something, but eventually the good guys get it right."


He makes a solid point. Last year, Conficker was taken down after wreaking havoc on computers worldwide since 2008. Earlier this month, the FBI announced that it had taken down the Coreflood botnet.


But TDL-4's functionality might just be in a league of its own. As Kaspersky notes, the botnet can "manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware."


According to Kaspersky, 28 percent of all infected TDL-4 computers are in the U.S. Computers in the U.K., Italy, France, and many other countries are also infected with TDL-4. All told, more than 4.5 million computers were infected with TDL-4 in the first three months of 2011 alone.



Read more: http://news.cnet.com.../#ixzz1QpkmEzeg
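Both articles above note that TDL-4 infects the master boot record so that its loader runs before Windows (and before the kernel-mode code signing check on 64-bit systems). The example below is an added illustration written for this thread, not code from the articles or from Kaspersky Lab: it shows the minimal triage a responder can run on a raw 512-byte MBR image, parsing the partition table, verifying the 0x55AA boot signature, and comparing a SHA-256 of the boot-code region against a known-good baseline. The sample sectors, the "clean" and "tampered" boot stubs, and the baseline hash are constructed for illustration and do not come from any real disk or from TDL-4 itself.

```python
"""MBR integrity check for bootkit triage.

Added example for this thread; not code from the articles above or from
Kaspersky Lab. Parses a raw 512-byte master boot record the way a responder
would after imaging the first sector of a disk, and reports anything that
deserves a closer look: a missing 0x55AA boot signature, boot code whose
SHA-256 differs from a known-good baseline, and an implausible partition
table. The sample sectors and the baseline hash below are constructed for
illustration, not taken from a real disk.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the boot code an MBR bootkit replaces
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partitions(mbr):
    """Return the four partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: status, 3-byte CHS start, type, 3-byte CHS end,
        # little-endian LBA start, little-endian sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; the partition table is left out
    so that legitimate repartitioning does not invalidate the baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means nothing stood out."""
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature is %s, expected 55AA" % mbr[510:512].hex())
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code SHA-256 does not match the known-good baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("%d partitions flagged active, at most one expected" % len(active))
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (i, p["status"]))
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("entry %d has type 0x%02x but zero length" % (i, p["type"]))
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed stand-ins (hypothetical): a short "known good" boot stub, and a
# tampered copy whose first instruction is a jump, the way a bootkit loader
# diverts execution before the original stub runs.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xEB\xFE"
TAMPERED_BOOT_CODE = b"\xEB\x3C\x90" + CLEAN_BOOT_CODE
# In practice the baseline comes from a trusted image of the same machine;
# here it is derived from the constructed clean stub.
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 1000000)]  # one active NTFS-type partition


def main(argv):
    if len(argv) == 3:
        # usage: python mbr_check.py <mbr.bin> <baseline_sha256>
        with open(argv[1], "rb") as fh:
            mbr = fh.read(MBR_SIZE)
        findings = check_mbr(mbr, argv[2])
    else:
        # no arguments: run against the constructed tampered sample
        mbr = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
        findings = check_mbr(mbr, BASELINE_HASH)
    for line in findings or ["no findings"]:
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

On a real case the sector comes from something like `dd if=/dev/sda of=mbr.bin bs=512 count=1`, and the baseline hash from a trusted image of the same machine or the same OS build. One caveat a practitioner should keep in mind: a kernel-mode rootkit that is already running can filter reads of the sectors it modified, so take the image from offline boot media or by attaching the disk to a clean system rather than trusting a read made on the live host.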