April 29, 2016

The Indestructible Botnet: TDL-4

One article cites a report by Symantec showing that the volume of spam has decreased by 90% over the past year, from 225 billion emails a day to 25 billion, and certainly much of this can be credited to corporate and governmental action. Even so, the botnet business is a lucrative one.

The Rustock botnet was taken down this March, after running for 5 years, in Operation b107, executed by Microsoft, FireEye, Pfizer, the University of Washington, and federal agents. It had infected some 2 million Windows machines, each able to send 30 billion emails a day. Yet there are others like Rustock that implement rootkit technology, namely TDSS.

TDSS debuted in 2008 and has evolved since. The latest version is termed TDL-4 and has raised a lot of flags in the tech world. It is fourth-generation TDSS technology: it embeds itself into the Master Boot Record (MBR) to ensure it is loaded with the OS, and it infects the drivers of Windows systems, which makes it very difficult to detect. TDL-4 can infect both 32- and 64-bit systems and bypasses Windows' code integrity mechanism. The program has its own encrypted file system, removes competing malware, uses encrypted communication with other bots, and, most importantly, does not rely on a central command server.
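Because TDL-4's persistence lives in the MBR, the defender-side check that matters is whether the 440-byte bootstrap code in a disk's first sector still matches a known-good baseline. The following is an added illustration, not code from the original post or from any vendor tool; the sample MBR, its partition entry and the baseline hash are all constructed here so it runs offline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code area, before the disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # mandatory trailer at offset 510


def build_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: boot code padded to 440 bytes, one NTFS entry, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"       # constructed disk signature + reserved
    # status 0x80 (bootable), CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48                        # three empty entries
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and return the boot-code hash plus the in-use partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (wrong size or missing 0x55AA signature)")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                                  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare the bootstrap code against a baseline taken from a known-clean image."""
    info = parse_mbr(mbr)
    info["boot_code_changed"] = info["boot_code_sha256"] != baseline_sha256
    return info


if __name__ == "__main__":
    clean = build_mbr(b"\xfa\x33\xc0\x8e\xd0")         # constructed "known-good" boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print(check_mbr(build_mbr(b"\xeb\xfe"), baseline))  # different boot code -> changed: True
```

Reading the real sector 0 requires raw-device access (for example `\\.\PhysicalDrive0` on Windows, which needs administrator rights), and a rootkit that hooks disk I/O can hand the check a clean-looking sector, so the authoritative comparison is taken from offline boot media rather than from the running system.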

TDL-4 is a highly evolved program that is adapting to survive in the current environment of botnet takedowns. As one article rightly states, “TDL-4 will continue to confound and frustrate security experts for years most likely. But this too shall pass.” Administrators and users alike ought to be aware of Kaspersky’s TDSSKiller, which will remove all TDL variations, and should stay on top of which affiliate programs are carrying TDSS malware. It will certainly be an interesting road as networks seek to build resistance to these next-generation threats.

Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.