The malware behind an “indestructible” botnet

It took only three months for the TDL rootkit – also known as Tidserv, TDSS and Alureon – to add over 4.5 million infected computers to the developers’ botnet, say Kaspersky Lab researchers.

Back in 2010, its authors surprised researchers by selling the source code for the TDL3 version; it is now clear that this move was a consequence of the creation of the next variant – TDL4. TDL4 differed enough from its predecessor, and was improved to such an extent, that the developers believed the sold variant would not be able to compete with it.

And they were right. The improvements were considerable.

The new version still spreads via affiliates, and the malware is often found on booby-trapped sites with adult content and pirated material, as well as sites for image or video storing. It installs itself by taking advantage of known vulnerabilities, but that’s about the only thing that remained the same.

“The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies,” point out the researchers.

To achieve that, the new TDL variant uses custom algorithms to encrypt the communication between the bots and the botnet C&C centers, both to protect that communication from network traffic analysis and to block other cybercriminals’ attempts to take over the botnet.

The new version also turned TDL into a bootkit. Its code is embedded in the computer’s master boot record (MBR), so it runs before the operating system and is harder for AV solutions to detect.
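Because the bootkit lives in the first sector of the disk rather than in a file, a defender’s practical check is to image the MBR and compare its boot-code region against a known-good baseline, independently of whatever the running OS reports. The following is an added example (not code from the article or from Kaspersky Lab) of such a check in Python: it parses a 512-byte MBR into boot code, partition table and the 0x55AA boot signature, hashes the boot code, and reports deviations from a recorded baseline. The sample MBR images are constructed inline for the demonstration; they are not real boot sectors and the partition values in them are made up.

```python
"""Baseline check of a master boot record (added example, constructed input).

MBR layout (classic, 512 bytes):
  bytes   0..445  boot code (what a bootkit replaces or hooks)
  bytes 446..509  partition table, 4 entries of 16 bytes
  bytes 510..511  boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xAA"

# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (uint32 LE), sector count (uint32 LE) -> 16 bytes.
_ENTRY_FMT = "<B3sB3sII"


def parse_mbr(data: bytes) -> dict:
    """Split a raw 512-byte sector into its fields and hash the boot code."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    boot_code = data[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            _ENTRY_FMT, data, off)
        if ptype == 0 and sectors == 0:      # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,      # 0x80 = active flag
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": data[SIGNATURE_OFF:] == BOOT_SIGNATURE,
    }


def check_mbr(data: bytes, baseline_boot_code_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches baseline."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing or corrupt")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active/bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a test MBR: given boot code, one NTFS-type partition, signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)   # made-up geometry
    table = entry + b"\x00" * 48                         # three empty slots
    return boot + table + BOOT_SIGNATURE


# Constructed samples. CLEAN_BOOT is only a short instruction prefix padded
# with zeros, not a working boot loader; TAMPERED_BOOT stands in for a
# modified boot sector.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
TAMPERED_BOOT = b"\xEB\x3C\x90" + b"TAMPERED"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded when clean

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

In practice the 512 bytes would be read straight from the raw device (for example the first sector of `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both requiring administrative rights), and the baseline hash stored off-host, since a rootkit that hooks disk I/O can present a clean sector to tools running on the infected system; booting from trusted media to take the image avoids that.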

The bot also downloads other malicious programs (fake AVs, adware, spambots) and tries to hide them from antivirus products, while at the same time deleting around twenty other types of malicious software (such as Zeus, Gbot, etc.).

“TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them,” explain the researchers. “This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another thing the TDL developers have managed to do is to make the bots receive their commands via a public P2P network, which makes the botnet resilient to the shutdown of its C&C centers.

Among the other things this bot can do is offer anonymous network access through infected machines, using a module that sets up a proxy server on them. “Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month,” say the researchers.

“The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware,” they point out. “TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.”