The not so “indestructible” botnet

Date: August 30th, 2011
Author: Good Peace

Kaspersky Lab announced that a new botnet (an array of infected computers controlled by criminals), called TDL-4 is a serious attempt at making the botnet “indestructible”.

TDL-4 is the fourth generation of the botnet. The first TDL was born in 2008 and has been modified several times over the last years. Kaspersky announced that they have found that TDL-4 is colossal improvement over its predecessors.

On the SecureListblog experts wrote that:

The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”

According to Kaspersky Lab, an integral part of the TDL-4 upgrades is the improved encryption algorithm for the communications between the controlled computers and the botnet’s command.

To protect itself against anti-malware software, TDL-4 infects the master boot record, allowing it to run before the OS. What is even more interesting is that TDL-4 deletes other malicious files, thus preventing the AV software from alerting the user of the presence of any problems.

TDL-4 downloads fake AV programs, adware and a spambot known as Pushdo.

The biggest feature of TDL-4 is the fact that it uses the Kad network. Now botnets controlled through P2P are not something new, but most of the time they use protocol connections created by the cybercriminals. However, using a public P2P network to control the bontet is a whole different approach. Basically the botnet issues a command to create a new Kad P2P whose clients are only infected computers.

However, the most interesting part of TDL-4 is not its colossal improvement in comparison to its predecessors, it’s the panic that it caused. In the article on SecureList, the main accent was on the fact that:

The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”

However, most reviewers either did not read the entire article (big mistake) or misinterpreted that particular sentence. The internet was flooded with articles which stated that the malware was indestructible and stuff like that, which is not true. TDL-4 is destructible. In fact, Kaspersky’s TDSS Killer can kill it quite easy.

In conclusion, we must state that we find it quite disturbing that the numerous recent attacks performed by various hacker groups have brought up so many insecurities not only among ordinary computer users, but among high-rated and respected media.

VN:F [1.9.18_1163]
Rating: 0.0/10 (0 votes cast)

Leave a Reply