Security Protection – Harry Waldron MVP

TDL4 – Massive botnet infects possibly 4 million PCs

TDL4 is one of the most sophisticated Windows threats in circulation, combining a rootkit with encrypted command-and-control traffic.  Although this advanced attack is difficult to detect and clean, some rootkit scanning tools can locate the infection.  A few years ago, the Storm Worm’s command-and-control network was so advanced that its master servers could not be located.  The new TDL4 botnet is even more sophisticated and has been described as “practically indestructible” by some security researchers.

TDL4 – Massive botnet infects possibly 4 million PCs http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers
http://blog.trendmicro.com/the-worm-the-rogue-dhcp-and-tdl4/
http://www.business-standard.com/india/news/tdl-4virus-that-escapes-scrutiny/441668/
http://www.thesecurityblog.com/2011/07/tld4-less-hype-more-history/

QUOTE: A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say. “TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code.  But that’s not TDL-4’s secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.”   Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.
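The quoted article explains that the rootkit lives in sector 0, the 512-byte master boot record. The check a practitioner wants here is the one an offline rootkit scanner performs: read sector 0, parse it, and compare its boot code against a recorded known-good hash. The example below is added here and is not code from the original post, from Kaspersky, or from any vendor tool. It relies only on the standard MBR layout (boot code at bytes 0–445, four 16-byte partition entries at 446–509, the 0x55AA signature at 510–511); the sample sectors, the baseline hash and the `read_sector0` helper are constructed for illustration.

```python
"""Parse a 512-byte MBR (sector 0) and compare its boot code to a baseline.

Added example, not code from the original post or from any vendor tool.
Offsets follow the standard MBR layout; the sample sectors are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 for NTFS
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code: bytes
    partitions: List[PartitionEntry]
    signature_ok: bool

    def boot_code_sha256(self) -> str:
        return hashlib.sha256(self.boot_code).hexdigest()


def parse_mbr(sector: bytes) -> Mbr:
    """Split sector 0 into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if type_id == 0:
            continue  # empty slot
        partitions.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return Mbr(boot_code, partitions, sector[510:512] == BOOT_SIGNATURE)


def check_against_baseline(sector: bytes, known_good_sha256: str) -> List[str]:
    """Return findings for sector 0; an empty list means it matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr.signature_ok:
        findings.append("missing 0x55AA boot signature")
    if mbr.boot_code_sha256() != known_good_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in mbr.partitions if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings


def read_sector0(device_path: str) -> bytes:
    """Read the raw first sector of a block device (hypothetical helper).

    On Windows device_path is e.g. r"\\.\PhysicalDrive0" (needs admin);
    on Linux e.g. "/dev/sda" (needs root). Not exercised by the samples below.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes,
                     partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct a sector 0 image for testing (constructed data, not a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, type_id, lba_start, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        sector[off:off + PARTITION_ENTRY_SIZE] = struct.pack(
            "<B3xB3xII", status, type_id, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed "clean" sector: a typical boot-code prologue, one active NTFS partition.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (PARTITION_TABLE_OFFSET - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# Constructed "tampered" sector: same partition table, boot code replaced.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2),
                                [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_against_baseline(sector, BASELINE) or ["OK"])
```

The baseline hash must be recorded while the machine is known to be clean, and the comparison is only meaningful if the sector actually comes from the disk: a bootkit whose driver hook is active can hand the running OS a clean copy of sector 0, so read it from a boot medium that does not load the infected kernel, or from the drive attached to another system.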
