Kaspersky security researchers have sounded the alarm over a new botnet that is said to be virtually "indestructible." Known as TDL-4 – the fourth generation of 2008's TDL botnet/malware – the latest strain has reportedly infected more than 4.5 million Windows machines in the first three months of 2011 – and that's not slowing down.
Like previous versions of TDL, the operators of TDL-4 are paying affiliates between $20 and $200 for every 1,000 systems they infect, depending on the location of the victim. Affiliates can accomplish this through any means they like, but they generally prefer to infiltrate PCs via porn and bootleg sites, as well as video and file storage services.
Having developed several versions of the malware since 2008, the TDL operators have unsurprisingly refined their craft. TDL-4 uses a new encryption algorithm to phone home, and it even contains its own built-in antivirus that seeks out and removes approximately 20 rival malware programs so they don't interfere with TDL-4's affairs.
TDL-4 has also received a module that allows it to access the Kad network (a peer-to-peer network). Kaspersky believes this is one of the more noteworthy changes because it lets the botnet operators distribute commands across all infected machines with relative ease – even if their primary command and control servers are shut down.
Beyond all of that, TDL-4 is just downright slippery because it resides in a system's MBR, a common approach by malware writers that allows their software to load before Windows and any security software on the machine. Once installed, TDL-4 can download upwards of 30 additional malicious programs – and it obscures them too.
[Figure: Distribution of TDL-4 infected computers by country]
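Because TDL-4 lives in the Master Boot Record, the most direct defensive check is to compare the first sector of the boot disk against a known-good baseline. The script below is an added example written for this article, not code from Kaspersky or from the article's author: it parses a 512-byte MBR (446 bytes of bootstrap code, a four-entry partition table and the 0x55AA signature), hashes the bootstrap code, and reports whether it drifted from a baseline hash. The sample MBR and the baseline hash are constructed inline so the script runs offline; the "tampered" sample only flips a few bytes and has nothing to do with real TDL-4 code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its parts and return a structured summary."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    boot_code = mbr[:BOOT_CODE_SIZE]
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        entry = mbr[offset:offset + PARTITION_ENTRY_SIZE]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", entry
        )
        if ptype == 0:              # empty entry
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def compare_to_baseline(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


# --- constructed sample data (not a real disk image) -----------------------
# Known-good bootstrap code: an arbitrary but fixed 446-byte pattern.
KNOWN_GOOD_BOOT_CODE = (bytes(range(256)) * 2)[:BOOT_CODE_SIZE]
BASELINE_BOOT_CODE_SHA256 = hashlib.sha256(KNOWN_GOOD_BOOT_CODE).hexdigest()


def build_sample_mbr(boot_code: bytes = KNOWN_GOOD_BOOT_CODE) -> bytes:
    """Assemble a 512-byte MBR with one bootable NTFS-type (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + bytes(PARTITION_ENTRY_SIZE) * 3
    return boot_code + table + BOOT_SIGNATURE


def build_tampered_mbr() -> bytes:
    """Same layout, but the first bytes of the bootstrap code are altered."""
    altered = b"\xEB\xFE" + KNOWN_GOOD_BOOT_CODE[2:]   # constructed change only
    return build_sample_mbr(altered)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_mbr()),
                          ("tampered", build_tampered_mbr())):
        findings = compare_to_baseline(sample, BASELINE_BOOT_CODE_SHA256)
        print(f"{label}: {findings or 'OK'}")
```

On a live system the 512 bytes would come from the raw disk device (for example the first sector of `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both requiring administrative rights), and the baseline hash would be recorded when the machine is known to be clean. One caveat matters for a bootkit of this kind: code that loads before the operating system can filter the OS's own reads of the disk, so a read taken from inside the running system may show the original sector even when the on-disk MBR has been replaced. Reading the sector from a separately booted clean medium avoids that blind spot.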
Other extended functionality includes support for 64-bit operations and a proxy server module that facilitates the anonymous viewing of Internet resources via infected machines. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies," Kaspersky said.
Although many researchers were quick to say that TDL-4 is bulletproof, at least one self-proclaimed expert contends otherwise. "As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to," writes Roger Grimes of InfoWorld.
"It may take months or years to kill off something, but eventually the good guys get it right," Grimes continued. "With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against... Yesterday's indestructible virus became tomorrow's historical footnote."