Over the last year, there have been a number of high-profile takedowns of botnets. These takedowns have led to a significant reduction in the amount of spam that computer users see in their inboxes.
This week’s big cyber news comes packing quite a headline: More than four million PCs have been infected by a malicious program known as TDL-4, a botnet that is so sneaky, so evasive, so hard to detect and disinfect that it is “practically indestructible.” That quote comes courtesy of security researchers Sergey Golovanov and Igor Soumenkov of Kaspersky Labs, a cyber security firm and maker of anti-virus software. It’s a scary thought: a botnet so sophisticated that it can’t be detected and dismantled. But is it true?
There’s no question that Golovanov and Soumenkov know their stuff, and their analysis of the emerging TDL-4 threat is thorough. But can a malicious program really be indestructible?
TDL-4 gets its name by being the fourth generation of the botnet. In 2008, the original TDL appeared. It has been altered over the last several years. With TDL-4, Kaspersky has found, the malware creators have drastically improved the botnet over its predecessors.
Figure caption: Global distribution of TDL-4 infections. By Kaspersky's country breakdown, the U.S., India, Indonesia, and Great Britain have the most infections.
TDL-4 is not itself a botnet; it is malicious because it facilitates the creation of one–a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter, Facebook, and MasterCard.com), the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.
“The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down,” Kaspersky wrote on its SecureList blog earlier this week. “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”
First things first: location, location, location. Once inside, TDL-4 takes up residence in the master boot record (MBR), which means it can run before the computer is actually booted up. The MBR is also rarely combed over by a standard anti-virus scanner, giving TDL added invisibility.
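The paragraph above makes a detection point: code sitting in the MBR runs before the operating system and is rarely examined by a file-level scanner, so a defender has to read the sector directly. The following is an added example, not code from the article or from Kaspersky, showing how a baseline check on the MBR works: it parses the 512-byte sector (boot code, four-entry partition table, 0x55AA signature), hashes the boot-code region, and reports drift against a previously recorded known-good hash. The two sample sectors are constructed inline so the script runs offline; on a real host the sector would be read from the boot disk with administrator rights, and the baseline would be captured while the machine is known to be clean.

```python
"""Parse a 512-byte MBR and flag boot-code drift against a known-good baseline.

Added example, not from the article or Kaspersky. The sample sectors below are
constructed. A real check reads sector 0 of the boot disk (for example
/dev/sda on Linux or \\\\.\\PhysicalDrive0 on Windows, both requiring admin
rights) and compares it with a baseline recorded from a clean machine.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
BOOT_SIGNATURE = 0xAA55    # stored little-endian as 0x55 0xAA at offset 510


def parse_mbr(sector: bytes) -> Dict:
    """Return boot signature status, a SHA-256 of the boot code and the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, 510)[0]
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sig == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare a freshly read sector with a parsed baseline; return human-readable findings."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        if info["partitions"] == baseline["partitions"]:
            # The classic bootkit pattern: partition table intact, boot code replaced,
            # so the machine still boots normally and nothing looks wrong from the OS.
            findings.append("boot code differs from baseline while partition table is unchanged")
        else:
            findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: given boot code, one NTFS-style entry, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)   # constructed values
    table = entry + b"\x00" * 48                                 # three empty slots
    return code + table + struct.pack("<H", BOOT_SIGNATURE)


# Constructed stand-ins: a few plausible first bytes of a boot loader, and a
# different byte sequence standing in for replaced boot code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 8)
BASELINE = parse_mbr(CLEAN_MBR)   # in practice: saved when the host is known-clean


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The useful signal is the combination: boot code that no longer matches the baseline while the partition table is byte-for-byte identical is exactly what a loader that wants to survive reboots and stay out of the file system looks like from disk, and it is visible only by reading the raw sector rather than scanning files.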
Central to TDL-4's updates is an improved algorithm that encrypts communications between infected computers and the botnet's command and control servers. According to Kaspersky, TDL-4 creates an identifier known as the "bsh parameter" that "acts as one of the encryption keys for subsequent connections to the command and control server." Once a connection between the command server and the infected computer is established, the traffic is carried over HTTPS. According to Kaspersky, that system helps the botnet "run smoothly" and, at the same time, stops anyone else from trying to take control of it.
According to Kaspersky, the botnet also uses peer-to-peer network Kad to issue several commands, including searching for new files, publishing files to Kad, and more.
The big upshot of that for TDL-4 creators, Kaspersky says, is that even if “its command and control centers are shut down, the botnet owners will not lose control over infected machines,” since they’ll still be able to access Kad.
Although Kaspersky believes TDL-4 is practically impenetrable, not everyone is so quick to agree. Writing for InfoWorld today, Roger Grimes, a self-described “24-year veteran of the malware wars,” says that there has yet to be a single threat that has been able to hold its ground indefinitely.
Roger Grimes makes a valid point: “As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.”
Grimes' approach is the level-headed one. At one point Conficker was going to destroy the entire Internet as we knew it, but here we are today getting our daily dose of carefree lulz on the Web. TDL-4 will most likely continue to confound and frustrate security experts for years. But this too shall pass.
He makes a solid point. Last year, Conficker was taken down after wreaking havoc on computers worldwide since 2008. Earlier this month, the FBI announced that it had taken down the Coreflood botnet.
But TDL-4's functionality might just be in a league of its own. As Kaspersky notes, the botnet can "manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware."
According to Kaspersky, 28 percent of all infected TDL-4 computers are in the U.S.
Computers in the U.K., Italy, France, and many other countries are also infected with TDL-4. All told, more than 4.5 million computers were infected with TDL-4 in the first three months of 2011 alone.