A newly-discovered botnet is 'practically indestructible', security researchers say.
TDL-4 is the rootkit component of the TDSS malware, which has been around since 2008. But in the three months since it hit the scene, it's sucked in more than four and a half million PCs around the world. About a third are based in the US.
And in this, its latest incarnation, it has the cheek to include its own version of an anti-virus capability, which scans slave machines for software that could enable it to be taken over by another botnet.
It can now delete around 20 of the world's most prolific malware packages, including Gbot, ZeuS and Optima.
It has its own encryption method for communication between infected computers and the command and control servers, and can also use a public peer-to-peer network to sending commands to control infected computers.
Kaspersky Labs has published a detailed analysis of TDL-4.
"The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down," says Kaspersky researcher Sergey Golovanov.
"The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies."
It's a nice little earner for some. Golovanov says that it's spread by affiliates who can earn as much as $200 for every 1,000 installations.
"we have reason to believe that TDSS will continue to evolve," he says.
"The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware."