TDL4 is one of the most sophisticated Windows attacks circulating with rootkit and encrypted command-and-control capabilities. While this highly advanced attack is difficult to detect and clean, some rootkit scanning tools can locate these infections. A few years ago, the Storm Worm’s botnet command-and-control network were so advanced that master servers could not be located. The new TDL4 botnet is even more sophisticated and is rated “indestructible” by some vendors.
TDL4 – Massive botnet infects possibly 4 million PCs
QUOTE: A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say. “TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.
Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that’s not TDL-4’s secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.” Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.