‘Indestructible’ Botnet Making Rounds

Friday, July 1, 2011 @ 10:07 AM gHale


A new botnet hit the cyber street and has infected more than four million PCs. This “practically indestructible” botnet infects machines, and the ensuing collection of compromised computers is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov.

“TDL-4,” the name given to the bot and Trojan, is difficult to detect, delete, suppress or eradicate, experts said.


According to Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit, malware that hides by subverting the operating system. The master boot record is the first sector, sector 0, of the hard drive, where the code that bootstraps the operating system is stored and runs after the computer’s BIOS completes its start-up checks.

Because TDL-4 installs its rootkit in the MBR, it runs before the operating system loads and is invisible to both the operating system and, more importantly, the security software designed to sniff out malicious code. What makes the botnet indestructible is the combination of its advanced encryption and its use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
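Since an MBR rootkit hides from software running inside the operating system, one defender-side check is to read sector 0 from outside the affected OS (from a rescue disk, or by mounting the disk on a clean host) and compare its boot code against a baseline recorded when the machine was known-good. The following is an added example, not code from the article or from Kaspersky; it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), fingerprints the boot code with SHA-256, and flags deviations. The sample MBR bytes and the baseline hash are constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into boot-code hash, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_SIZE]
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        raw = sector[start:start + 16]
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_boot_code(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def read_sector0(device_path: str) -> bytes:
    """Read the first 512 bytes of a block device or disk image (needs raw-disk privileges)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR for testing: one bootable NTFS-type partition at LBA 2048."""
    if len(boot_code) != BOOT_CODE_SIZE:
        raise ValueError("boot code must be exactly 446 bytes")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


# Constructed sample data (not a real boot loader): a short jump prefix and padding.
CLEAN_MBR = build_sample_mbr(bytes([0xEB, 0x3C, 0x90]) + b"\x00" * 443)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
# A single byte patched inside the boot code, standing in for a modified loader.
TAMPERED_MBR = CLEAN_MBR[:100] + b"\xCC" + CLEAN_MBR[101:]


if __name__ == "__main__":
    print("clean:", check_boot_code(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_boot_code(TAMPERED_MBR, BASELINE_SHA256))
```

The baseline must be taken and stored off the machine before compromise, and the comparison run from a clean environment; a rootkit that has already loaded can intercept reads of sector 0 from within the infected OS, which is exactly why the article describes it as invisible to security software running on the host.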

“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.”

Schouwenberg cited several high-profile botnet take-downs — which have ranged from a coordinated effort that crippled Conficker last year to 2011’s FBI-led take-down of Coreflood — as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.

“Each time a botnet gets taken down it raises the bar for the next time,” Schouwenberg said. “The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers.”

TDL-4’s makers created their own encryption algorithm, Kaspersky’s Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.

The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.

By using a public network, the criminals ensure their botnet will survive any take-down effort.

Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.

TDL-4’s rootkit, encryption and communication practices, as well as its ability to disable other malware, including the well-known Zeus, make the botnet extremely durable.
