[LINK] TDL-4 Botnet

stephen at melbpc.org.au
Thu Jun 30 22:02:34 AEST 2011


Massive botnet 'indestructible,' say researchers

A 4.5 million strong botnet 'most sophisticated threat today' to Win PCs

By Gregg Keizer June 29, 2011 04:19 PM ET
<http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers?taxonomyId=82>


Computerworld - A new and improved botnet that has infected more than 
four million PCs is "practically indestructible," security researchers 
say.

"TDL-4," the name for both the bot Trojan that infects machines and the 
ensuing collection of compromised computers, is "the most sophisticated 
threat today," said Kaspersky Labs researcher Sergey Golovanov in an 
analysis Monday.
www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

"[TDL-4] is practically indestructible," Golovanov said.

Others agree.

"I wouldn't say it's perfectly indestructible, but it is pretty much 
indestructible," said Joe Stewart, director of malware research at Dell 
SecureWorks and an internationally-known botnet expert, in an interview 
today. "It does a very good job of maintaining itself."

Golovanov and Stewart based their judgments on a variety of TDL-4's 
traits, all of which make it an extremely tough character to detect, 
delete, suppress or eradicate.

For one thing, said Golovanov, TDL-4 infects the MBR, or master boot 
record, of the PC with a rootkit -- malware that hides by subverting the 
operating system. The master boot record is the first sector -- sector 0 
-- of the hard drive, where code is stored to bootstrap the operating 
system after the computer's BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both 
the operating system and, more importantly, security software designed to 
sniff out malicious code.

But that's not TDL-4's secret weapon.

What makes the botnet indestructible is the combination of its advanced 
encryption and the use of a public peer-to-peer (P2P) network for the 
instructions issued to the malware by command-and-control (C&C) servers.

"The way peer-to-peer is used for TDL-4 will make it extremely hard to 
take down this botnet," said Roel Schouwenberg, senior malware researcher 
at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL 
guys are doing their utmost not to become the next gang to lose their 
botnet."
--

Cheers,
Stephen
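The article above describes the MBR as sector 0 of the disk, holding the bootstrap code that runs before the operating system, and notes that a rootkit living there is invisible to the running OS. The defensive counterpart is an integrity check of that sector against a known-good baseline. The following Python is an added example written for this list post; it is not code from the Computerworld article, from Kaspersky, or from Dell SecureWorks. It builds a constructed 512-byte MBR image (placeholder boot code and two made-up partition entries, not a real bootloader or disk dump), parses the layout, hashes the boot-code region, and compares that hash with a baseline recorded earlier. The offsets used (boot code at 0, partition table at 446, 0x55AA signature at 510, Windows disk signature at 440) are the standard MBR layout; the sample bytes and the baseline workflow are assumptions for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440           # bytes 0..439 hold bootstrap code
DISK_SIG_OFFSET = 440         # bytes 440..445: Windows disk signature + flag, not code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries, bytes 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample data (placeholder bytes, not a real bootloader).
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
# Hypothetical modified sector: same length, different first instructions.
TAMPERED_BOOT_CODE = b"\xfa\x33\xc0\xe9\x00\x02" + b"\x90" * 26
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 204800),     # bootable, type 0x07, constructed values
    (0x00, 0x07, 206848, 1000000),  # second data partition, constructed values
]


def build_sample_mbr(boot_code, partitions):
    """Construct a synthetic 512-byte MBR image from boot code and partition tuples."""
    boot = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(
        # CHS fields are zeroed; the LBA fields carry the real geometry here
        struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    )
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return boot + table + BOOT_SIGNATURE


def has_boot_signature(data):
    """True when data is one 512-byte sector ending in the 0x55AA marker."""
    return len(data) == MBR_SIZE and data[510:512] == BOOT_SIGNATURE


def parse_mbr(data):
    """Return the boot-code hash and the used partition entries of an MBR image."""
    if not has_boot_signature(data):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FORMAT, data[off:off + PART_ENTRY_SIZE])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
            })
    # Hash only the code region: the disk signature and partition table change
    # legitimately (re-signing, repartitioning) without the bootstrap code changing.
    digest = hashlib.sha256(data[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def boot_code_matches_baseline(data, baseline_sha256):
    """Compare the boot-code region of a freshly read sector 0 with a stored baseline."""
    return parse_mbr(data)["boot_code_sha256"] == baseline_sha256


if __name__ == "__main__":
    good = build_sample_mbr(GOOD_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(good)["boot_code_sha256"]  # record this on a known-clean system
    later = build_sample_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
    for label, image in (("baseline", good), ("later read", later)):
        ok = boot_code_matches_baseline(image, baseline)
        print(f"{label}: partitions={len(parse_mbr(image)['partitions'])} boot code intact={ok}")
```

The check only means something if the sector is read from somewhere the suspected rootkit cannot filter, which is the point the article makes: a bootkit that is already running can answer a sector read with the original, clean bytes. Record the baseline from a known-clean install and take the comparison read after booting from separate trusted media, or from an image of the disk, rather than from within the possibly compromised operating system.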