Kaspersky: Massive botnet is 'practically indestructible'

By on June 30, 2011, 6:30 PM

Kaspersky Lab researchers have sounded the alarm over a botnet they describe as practically "indestructible." Known as TDL-4, the fourth generation of the TDL (also called TDSS) malware family that first appeared in 2008, the latest strain has reportedly infected more than 4.5 million Windows machines in the first three months of 2011 alone, and the infection rate shows no sign of slowing down.

Like previous versions of TDL, the operators of TDL-4 pay affiliates between $20 and $200 for every 1,000 systems they infect, depending on where the victims are located. Affiliates can use any means they like, but they generally prefer to seed PCs through porn and bootleg sites, as well as video and file storage services.

Having developed several versions of the malware since 2008, the TDL operators have unsurprisingly refined their craft. TDL-4 uses a new encryption algorithm for its command-and-control traffic, and it even carries its own built-in "antivirus" that seeks out and removes roughly 20 rival malware programs so they do not interfere with TDL-4's operations.

TDL-4 has also gained a module that lets it use the Kad network, a public peer-to-peer network. Kaspersky considers this one of the more noteworthy changes, because it lets the operators distribute commands to every infected machine with relative ease even if their primary command-and-control servers are shut down.

Beyond all of that, TDL-4 is downright slippery because it is a bootkit: it writes itself into the disk's master boot record (MBR), so its code runs before Windows and before any security software on the machine, and that early foothold is also how it gets its unsigned driver loaded on 64-bit Windows. Once installed, TDL-4 can download upwards of 30 additional malicious programs, and it hides them too, in encrypted storage that it keeps outside any partition.
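Because the infection lives in sector 0, the practical check is to read the MBR and inspect it rather than trust anything the running OS reports. The script below is an added example, not code from the article or from Kaspersky's analysis. It parses a 512-byte MBR, verifies the 0x55AA boot signature, hashes the bootstrap code (excluding the per-machine disk signature) against a baseline you are assumed to have recorded from a clean machine, sanity-checks the partition table, and reports how many sectors sit past the last partition, since that unpartitioned tail is where a bootkit such as TDL-4 keeps its hidden storage. The sample MBRs, the baseline hash and the 10 GiB disk size are all constructed here for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_SIZE = 512
CODE_AREA = 440         # bytes 0..439: bootstrap code; 440..443 disk signature; 444..445 reserved
PART_TABLE = 446        # four 16-byte partition entries at 446..509
BOOT_SIG = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


@dataclass
class MbrReport:
    signature_ok: bool
    code_sha256: str
    partitions: List[Partition] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)
    trailing_sectors: Optional[int] = None  # unpartitioned space after the last partition


def parse_partition_table(sector: bytes) -> List[Partition]:
    """Decode the four MBR partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, PART_TABLE + 16 * i)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def analyse_mbr(sector: bytes, baseline_code_sha256: Optional[str] = None,
                disk_sectors: Optional[int] = None) -> MbrReport:
    """Check one 512-byte sector for signs of tampering and report the findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    code_hash = hashlib.sha256(sector[:CODE_AREA]).hexdigest()
    report = MbrReport(signature_ok=sector[510:512] == BOOT_SIG, code_sha256=code_hash)
    if not report.signature_ok:
        report.problems.append("boot signature 0x55AA missing: not a valid MBR")
    # The disk signature (bytes 440..443) differs per machine, so only the code bytes are compared.
    if baseline_code_sha256 is not None and code_hash != baseline_code_sha256.lower():
        report.problems.append("bootstrap code differs from baseline: possible bootkit")
    report.partitions = parse_partition_table(sector)
    if sum(p.bootable for p in report.partitions) > 1:
        report.problems.append("more than one partition is flagged bootable")
    for p in report.partitions:
        if p.lba_start == 0 or p.sectors == 0:
            report.problems.append(f"partition {p.index}: starts at LBA 0 or has zero length")
        if disk_sectors is not None and p.lba_end > disk_sectors:
            report.problems.append(f"partition {p.index}: extends past the end of the disk")
    ordered = sorted(report.partitions, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            report.problems.append(f"partitions {a.index} and {b.index} overlap")
    if disk_sectors is not None and ordered:
        report.trailing_sectors = disk_sectors - ordered[-1].lba_end
    return report


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device such as '/dev/sda' or r'\\.\PhysicalDrive0' (needs root/Administrator)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(bootstrap: bytes, partitions: List[Partition], disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR; used here only to construct sample input."""
    sector = bytearray(SECTOR_SIZE)
    code = bootstrap[:CODE_AREA]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, 440, disk_signature)
    for p in partitions:
        struct.pack_into("<B3xB3xII", sector, PART_TABLE + 16 * p.index,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample data (not a real disk image): a bootstrap stand-in and a single NTFS
# system partition filling a 10 GiB disk; the baseline hash is taken while the disk is "clean".
DISK_SECTORS = 20_971_520
CLEAN_BOOTSTRAP = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (CODE_AREA - 7)
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [Partition(0, True, 0x07, 2048, DISK_SECTORS - 2048)])
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:CODE_AREA]).hexdigest()

# Simulated bootkit: bootstrap replaced and the system partition shrunk to leave 100 MiB
# (204,800 sectors) of unpartitioned space at the end of the disk.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * (CODE_AREA - 2),
                         [Partition(0, True, 0x07, 2048, DISK_SECTORS - 2048 - 204_800)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = analyse_mbr(mbr, BASELINE_HASH, DISK_SECTORS)
        print(f"{name}: problems={r.problems or 'none'} trailing_sectors={r.trailing_sectors}")
```

On a live machine, pass the result of `read_mbr(...)` to `analyse_mbr` with a baseline hash captured from a known-clean install and the device's sector count from the OS. A hash mismatch alone is only a lead, since legitimate boot managers also rewrite the bootstrap code; a mismatch together with a large unexplained tail of unpartitioned sectors is the combination worth imaging the disk over.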

Distribution of TDL-4 infected computers by country

Other new functionality includes support for 64-bit systems and a proxy-server module that lets the operators browse Internet resources anonymously through infected machines. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies," Kaspersky said.

Although many were quick to declare TDL-4 bulletproof, at least one self-described veteran of the field contends otherwise. "As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to," writes Roger Grimes of InfoWorld.

"It may take months or years to kill off something, but eventually the good guys get it right," Grimes continued. "With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against...Yesterday's indestructible virus became tomorrow's historical footnote."




User Comments: 38

gwailo247, TechSpot Chancellor, said:

Today is a day full of synergies...

The cell phone began to ring. The sound of <Insert Top 40 rap song> filled the spacious interior of the Mercedes G55 AMG. The driver rolled his eyes.

The young man in the back seat pulled the iPhone 6 out of his leather jacket, and saw a blocked number. He took the call.

"Ivan Kaspersky."

"Ivan. You remember me?"

His mind raced back to the kidnapping. He will remember that voice for the rest of his life.

"Yes."

"Good. Activate the TDL-4 botnet."

He knew what would happen if he didn't.

"Yes."

The call ended.

The young man looked into the rear view mirror and met the driver's gaze.

"Turn around, back to headquarters."

At the other end of the line, an old man put the phone down on an oak desk.

"It is done."

The large leather chair on the other side of the desk turned to face him, and sitting in it was the smiling Natalya Kaspersky.

Kaspersky II: Rise of the Botnet. Coming 2012.

superty12 superty12 said:

How to stop: Install a bootloader. Why it works: Installs over virus. System Restore from Safe Mode and it is not there. Indestructible? No.

Guest said:

@superty12 It's not indestructible in that way. They are saying it's difficult to shut down because of its p2p network.

Guest said:

If it's infecting the MBR, it should be no problem for SOME XP users to bulletproof their systems.

It's a rather simple process to bulletproof your master boot record (MBR) in Windows XP. All it requires is a floppy drive, and the ability to boot to it.

What you have to do is copy boot.ini, NTDETECT.COM, and ntldr from your hard drive to the floppy, and open the write protect tab. Then set your machine to boot off the floppy first. Another copy of your floppy can sometimes be used to boot other infected machines for cleaning.

There is no way to get around a floppy's write protection with software, or firmware.

More detailed info on how to actually make the floppy can be found on this page: http://www.spambotsecurity.com/maintenance.php

Guest said:

Indestructible is a bit of a strong word here. Keep in mind that Kaspersky Lab maybe wants to spread panic in order to sell their products.

Guest said:

Kaspersky had a virus on their own website a while back... how good of an antivirus is that?

Puiu Puiu said:

Guest said:

If it's infecting the MBR, it should be no problem for SOME XP users to bulletproof their systems.

It's a rather simple process to bulletproof your master boot record (MBR) in Windows XP. All it requires is a floppy drive, and the ability to boot to it.

What you have to do is copy boot.ini, NTDETECT.COM, and ntldr from your hard drive to the floppy, and open the write protect tab. Then set your machine to boot off the floppy first. Another copy of your floppy can sometimes be used to boot other infected machines for cleaning.

There is no way to get around a floppy's write protection with software, or firmware.

More detailed info on how to actually make the floppy can be found on this page: http://www.spambotsecurity.com/maintenance.php

I haven't used or owned a floppy drive for many years, and to put them on laptops is a *****. And let's not forget that now more and more users are migrating to Win7.

But i've got to admit that on really old computers your method might work.

Lokalaskurar Lokalaskurar said:

@Guest on July 1, 2011, 2:27 AM

Ey, that sounded like a pretty clever idea. Might try it, can't destroy the PC or anything anyway. Hopefully it'll work with 720k floppies as well, I presume.

Guest said:

Here's a Microsoft blog on the malware and how to remove it.

http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx

freythman freythman said:

puiu said:

Guest said:

If it's infecting the MBR, it should be no problem for SOME XP users to bulletproof their systems.

It's a rather simple process to bulletproof your master boot record (MBR) in Windows XP. All it requires is a floppy drive, and the ability to boot to it.

What you have to do is copy boot.ini, NTDETECT.COM, and ntldr from your hard drive to the floppy, and open the write protect tab. Then set your machine to boot off the floppy first. Another copy of your floppy can sometimes be used to boot other infected machines for cleaning.

There is no way to get around a floppy's write protection with software, or firmware.

More detailed info on how to actually make the floppy can be found on this page: http://www.spambotsecurity.com/maintenance.php

I haven't used or owned a floppy drive for many years, and to put them on laptops is a *****. And let's not forget that now more and more users are migrating to Win7.

But i've got to admit that on really old computers your method might work.

You can do the same with a CD...

Guest said:

@Lokalaskurar

I don't know why 720K shouldn't work. I am showing just under 300K used on this 1.44.

Heck, if you really want funny looks from people, dig way deep in the junk box and mount a 5.25 320K floppy and boot off that.

Zap :)

Guest said:

Get a Mac, end of problem. Have fun with the indestructible botnet, just a bunch of media hype to sell more antivirus, all part of the market scam called Windows... Is the world really coming to an end??? Is the sky falling?

cheers

Guest said:

Sure we can all get macs. Once enough people have macs then the ones making the viruses and malware will start writing bugs for macs and we will all realize too late that mac has almost no real protection from viruses. Its only protection right now is that nobody cares to write viruses for its platform.

Guest said:

I would if I did not mind being controlled by Apple ( and could afford it ).

Guest said:

You could do the same with a usb...

Lokalaskurar Lokalaskurar said:

@Lokalaskurar

Heck, if you really want funny looks from people, dig way deep in the junk box and mount a 5.25 320K floppy and boot off that.

Zap

Yeah, I referred to a 720k flippy-floppy - Ever seen one mounted next to a BD-ROM? Great for starting conversations

SNGX1275 SNGX1275, TS Forces Special, said:

Yeah, I referred to a 720k flippy-floppy - Ever seen one mounted next to a BD-ROM? Great for starting conversations

That would be pretty cool. Wonder how many still work though, I would think age would have taken its toll on the media.

I'd have to go the 5.25" route anyway, my floppy opening on my case is filled with one of those 348761 in 1 card readers (well ok, maybe it doesn't read that many types of cards ).

Guest said:

@Guest Sorry dude. The brainiacs have run your theory through and through and it just doesn't stack up to the facts. The OSX platform has been increasing for a while now, but the number of viruses for OSX has not increased. The installed base of users and computers grows and the number of viruses for OSX does not. All of these Macs out there, all of these unprotected systems ripe for the bot handler to seize control of and use to make some $$, and yet no one is infecting these computers. It would be a gold rush for these bot handlers to break into the OSX platform and seize control of all of these computers, and they haven't done it. It's not because they don't want to or because the Windows computers are easier or larger, it is because they can't break into them and infect them. This has and will remain true about the Mac OS. It has to do with what the OS is built on, and it's not built on Microsoft Windows. We shouldn't even have viruses and the malware problem that we have. That's a Microsoft creation and rests on their shoulders for not scrapping their OS and building it again the right way, with security in mind. It amazes me that so many companies that are so concerned about information security choose to run their business on the Windows platform.

Lokalaskurar Lokalaskurar said:

Well if there is a way to avoid the 'indestructible virus', I'll take it if necessary. Even if I have to dust off a floppy. (Or a flashdrive, as pointed out).

We're already coming up with ideas on how to stop it, and we're not even part of the 'brainiacs'. I'm with the confident guy at the end of the article.

@SNGX1275: Fact, showed a 720k floppy in class, not even the teacher knew what it was. Not blaming him though, the medium is older than him. Personally have two units, only one works - just had to try it, ended up next to the BD-ROM, indescribable I guess...

red1776 red1776, Omnipotent Ruler of the Universe, said:

Today is a day full of synergies...

The cell phone began to ring. The sound of <Insert Top 40 rap song> filled the spacious interior of the Mercedes G55 AMG. The driver rolled his eyes.

The young man in the back seat pulled the iPhone 6 out of his leather jacket, and saw a blocked number. He took the call.

"Ivan Kaspersky."

"Ivan. You remember me?"

His mind raced back to the kidnapping. He will remember that voice for the rest of his life.

"Yes."

"Good. Activate the TDL-4 botnet."

He knew what would happen if he didn't.

"Yes."

The call ended.

The young man looked into the rear view mirror and met the driver's gaze.

"Turn around, back to headquarters."

At the other end of the line, an old man put the phone down on an oak desk.

"It is done."

The large leather chair on the other side of the desk turned to face him, and sitting in it was the smiling Natalya Kaspersky.

Kaspersky II: Rise of the Botnet. Coming 2012.

" I was on the edge of my seat!"

"I could not put it down!".......

" Suspenseful and terrifying!"

"Unputdownable"

"Gwailo captures the essence of fear with every page!"

"***** Five stars!"

Guest said:

And what if we already have a Boot Loader installed? You think that would take up enough necessary room to keep TDL from installing?

superty12 superty12 said:

I think it will install over the bootloader. You have to counter with a reinstall.

Lokalaskurar Lokalaskurar said:

Guest said:

And what if we already have a Boot Loader installed? You think that would take up enough necessary room to keep TDL from installing?

It will probably just overwrite the existing bootloader, or replace the necessary files. Think this scenario: if a bootloader would stop it, then why is it dangerous? Every machine needs a bootloader to operate, so every machine it infects already has one.

Guest said:

Why not use a USB "disk" with a physical write protect switch?

example1013 said:

Guest said:

If it's infecting the MBR, it should be no problem for SOME XP users to bulletproof their systems.

It's a rather simple process to bulletproof your master boot record (MBR) in Windows XP. All it requires is a floppy drive, and the ability to boot to it.

What you have to do is copy boot.ini, NTDETECT.COM, and ntldr from your hard drive to the floppy, and open the write protect tab. Then set your machine to boot off the floppy first. Another copy of your floppy can sometimes be used to boot other infected machines for cleaning.

There is no way to get around a floppy's write protection with software, or firmware.

More detailed info on how to actually make the floppy can be found on this page: http://www.spambotsecurity.com/maintenance.php

What if Kaspersky told you the botnet put tape over the opening?

Archean Archean, TechSpot Paladin, said:

@Lokalaskurar

We (at work) dump all our old equipment and papers in a separate facility located in the suburbs here. I remember seeing a couple of old XT computers with 5.25" floppies sitting in a pile of dust and eating termites in a basement over there.

Lokalaskurar Lokalaskurar said:

@Archean

Wow, can't say that I've ever heard of carnivorous XT's before!

Archean Archean, TechSpot Paladin, said:

I don't blame them for it, as the fault lies with the keeper, who simply dumped 'tons' of paper around these machines, so you can guess what can happen then .....

In fact I remember a funny story about it. A few years ago, when the guard who is supposed to keep this facility 'safe' was napping, some 'dacoits' broke in, tied him up and then stuffed dozens of such old PCs (including these XTs) and furniture etc. in a truck (a 2 ton capacity vehicle). But their luck ran out as soon as they left the premises and drove the truck into a roadside tree due to bad road conditions (well, plainly put, that road had huge 'craters' in it where you could easily lose your sheep) and subsequently had to flee on foot. The long and the short of it: everything was returned to the facility, and it is still gathering dust, rust and termites (not in this particular order, by the way).

red1776 red1776, Omnipotent Ruler of the Universe, said:

We (at work) dump all our old equipment and papers in a separate facility located in the suburbs here.

I'm curious Arch...where is here? (part of the world I mean)

Archean Archean, TechSpot Paladin, said:

That will be something like 8,000 miles from you red

Beside, you've got to forgive my typos in such replies, because I post them from work, hence, that means I may be trying to multitask, which off-course is not an easy thing for men. That is why we need computers :p

red1776 red1776, Omnipotent Ruler of the Universe, said:

That will be something like 8,000 miles from you red

I knew you were going to say that! :p

...8028 mi to be exact mate (well to Auckland anyway )

My wife... (and every other woman I know) will tell you that men cannot multi-task, period!

Archean Archean, TechSpot Paladin, said:

Well it is 6175 nautical miles :p

So I correct myself, I was only making a wild guess in the first place anyway.

captaincranky captaincranky, TechSpot Addict, said:

Beside, you've got to forgive my typos in such replies, because I post them from work, hence, that means I may be trying to multitask, which off-course is not an easy thing for men.

OK, your "typos" are essentially an entirely different language from that which we speak here.

The wrong word, a homophone, the wrong tense of verb, etc., cannot be called "typos", they are failure to proofread. The saying, "but will it run Crysis", has become an internet "mene"! <<<< (That's a "typo" .

My wife... (and every other woman I know) will tell you that men cannot multi-task, period!

And the average woman cannot drive a car. An Asian woman, even less so.

So, while they're trying to drive, talk on the cell phone, and change the channel on the radio, all the while touting their self-vaunted ability to multi-task, male interests are best served by staying the f*** away from them. People have 2 hands, and one brain, hence they are best at one task at a time.

If a woman gave me too much s*** about how good she was at multi tasking, I'd hand her a circular saw, and an iron. Then tell her to make me a book shelf while she's ironing my clothes.

Benny26 Benny26, TechSpot Paladin, said:

Red said:

My wife... (and every other woman I know) will tell you that men cannot multi-task, period!

Sorry to interject here but that's just not true. I for one know that a man can be irritating, sarcastic and obnoxious all at the same time...So that's that argument blown straight out of the water.

Archean said:

Well it is 6175 nautical miles

What?... Here's me thinking all this time you were from around Finland or Norway.

captaincranky captaincranky, TechSpot Addict, said:

Sorry to interject here but that's just not true. I for one know that a man can be irritating, sarcastic and obnoxious all at the same time...So that's that argument blown straight out of the water.

You forgot, "tyrannical"....

Archean Archean, TechSpot Paladin, said:

@CC

By the way Captain, English is the fourth language I've learned so my grasp over it can't be compared with anyone from your lot. :p

Guest said:

1. A CD-R/RW or DVD-RW can be damaged by a malware-controlled laser in a drive, can't it? If so, there's no way to protect a disk unless it's been physically printed out by expensive equipment (and I'm not sure even that is 100% when a laser is turned up on a printed disc...)

2. USB sticks cannot be physically write-protected, can they?

3. I have a USB floppy drive... however, all of my usb floppies and printers get killed within a few days of being hooked up to infected machines. The noise they make isn't cheerful, it's like the sound of myself chewing gravel. That being said, I have three older computers running XP that have floppy drives, two of which also have ZIP drives in them (which, I believe, *can* be physically write-protected). Haven't used a 720 since I copied all my files over to 3.5" in 1991. :) I always ended up bending them too much, 3.5"s are nice in that they're a bit tougher (and easier to find new). Unfortunately, my favorite floppies (house brand at RadioShack) aren't being carried in the stores anymore. :(

4. I've got TDL4 loading ram hooks (according to the diagnostics in Ubuntu running live from boot) even when there's NO HARD DRIVE (only the live disk for media - no usb sticks, no other drives of ANY sort)... so I'm hoping that the bulletproofing method mentioned above might get me far enough to hook a drive up through USB and finally be able to nuke (low-level multipass format) a hard drive and do a fresh install of XP - DBAN is awesome, except when it, like gparted and fdisk and every other formatting utility, suddenly fails to apply any changes whatsoever and actually DO the formatting. :(

Awesome discussion, glad I found this! For once, something that isn't completely hijacked in my browser!

Venus (veiledvenus on VirusTotal)

mailpup mailpup said:

USB sticks cannot be physically write-protected, can they?

They can if they have a write protect switch. They're not very common anymore, however.
