The talk of the town this week (depending on the town you’re in, I suppose) has been of the “indestructible” botnet known as TDL 4. This botnet has already compromised an estimated 4.5 million Windows-based computers (around half of which are in the U.S.) and is technically quite advanced.
Botnets are among the biggest threats to people, institutions and governments on the internet today. The term botnet refers both to a collection of compromised computers controlled by a person or group, and to the malicious software that infects those individual computers. While none of its techniques is new, the TDL 4 botnet safeguards itself from removal in three ways: 1) it infects the computer’s master boot record, so it runs before Windows starts up and stays under the radar of its host’s antivirus software; 2) it has its own antivirus built in, so it can remove other malware that a real antivirus product might otherwise pick up, alerting the user that there’s a problem; and 3) its communication with its peers is encrypted and well timed, so that it talks to them while the user of the computer is surfing the ‘net.
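Of the three tricks above, the master boot record infection is the one an administrator can check for with a baseline comparison. The Python below is an added example, not code from the original post or from Kaspersky’s TDSSKiller: it parses a 512-byte MBR, validates the 0x55AA boot signature, decodes the four partition entries, and compares the SHA-256 of the 446-byte boot code region with a hash recorded from a known-clean install. Boot code that differs while the partition table is unchanged is exactly the footprint a bootkit-style infection leaves. The sample MBRs are constructed inline; on a real machine the 512 bytes would be read from the first sector of the boot disk with administrator rights.

```python
"""Offline MBR integrity check (added example with constructed sample data).

Parses a 512-byte master boot record, validates its 0x55AA signature,
decodes the four partition entries, and compares the SHA-256 of the
446-byte boot code against a baseline recorded on a known-clean system.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


def has_valid_signature(mbr: bytes) -> bool:
    """True when the record is 512 bytes and ends in the 0x55AA marker."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    """Decode the four partition entries; raises on a malformed record."""
    if not has_valid_signature(mbr):
        raise ValueError("not a 512-byte MBR with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only, so partition edits don't affect it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, baseline_hash: str,
              baseline_table: list[PartitionEntry]) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    table = parse_partition_table(mbr)   # also validates size and signature
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if table != baseline_table:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions: list[PartitionEntry]) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not read from a disk)."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too long")
    out = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    for p in partitions + [None] * (4 - len(partitions)):
        if p is None:
            out += bytes(16)                       # empty partition slot
        else:
            out += struct.pack(PART_ENTRY_FMT, 0x80 if p.bootable else 0x00,
                               b"\x00\x00\x00", p.type_code, b"\x00\x00\x00",
                               p.lba_start, p.sector_count)
    return out + BOOT_SIGNATURE


# Constructed sample data: a "clean" MBR with one NTFS (type 0x07) partition,
# and a copy whose boot code has been altered while the partition table is untouched.
CLEAN_PARTITIONS = [PartitionEntry(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", CLEAN_PARTITIONS)
CLEAN_TABLE = parse_partition_table(CLEAN_MBR)      # baseline recorded when clean
CLEAN_HASH = boot_code_hash(CLEAN_MBR)
ALTERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 40 + b"\xff", CLEAN_PARTITIONS)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        print(name, audit_mbr(sample, CLEAN_HASH, CLEAN_TABLE) or ["ok"])
```

The baseline hash and partition table should be captured once from a trusted install and stored off the machine. Because the post notes that this class of malware runs before Windows and hides from the host’s own antivirus, a disk read made from inside a suspect system may not be trustworthy; run the comparison from clean boot media where possible.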
TDL 4 was termed indestructible by a few security researchers, and the name stuck. We’ve seen “indestructible” botnets before, however: remember when Conficker was going to destroy the internet? Or Bagle back in 2004? TDL is a little more resilient because it uses the open Kad peer-to-peer network to communicate, so it doesn’t rely on centralized command-and-control servers for its instructions and has no single point of failure.
So what’s the point of it? Money. Like the authors of most malware created today, its authors are organized and after dollars. All that spam in your mailbox? That’s from a botnet selling pirated software and pharmaceuticals. Your personal data is worth money. A scanned document showing the front and back of a credit card will sell for $20. Your PayPal account credentials will net someone 30% of the account’s balance.
The real trick is finding TDL on your computer here and now, if it is infected. The malware behind TDL 4 can be detected and removed by Kaspersky Lab’s free TDSSKiller, available here.