Have cybercriminals created the perfect botnet -- undetectable and indestructible?
Up until now, those fighting against botnets have had some measurable success in taking them down. However, the newest botnet on the block may be a hard nut to crack, and at least one security firm is calling it nearly indestructible.
Kaspersky Labs says the TDL botnet contains about 4.5 million computers, and uses a variety of measures to avoid detection by antivirus programs. Furthermore, communications between an infected PC and the host are encrypted, making it harder to decode what the botnet may be doing, and it disables other malware.
Essentially, when it comes to the TDL botnet, there can only be one.
TDL first surfaced in 2008, and has since gone through four separate revisions, each aimed at making the software more impenetrable. It is spread through a network of affiliates, who are paid anywhere between $20 and $200 for every 1,000 installs of TDL that are completed.
As transmissions are encrypted between the host servers and those infected it makes it very hard to detect via common methods, which typically use traffic analysis to help in locating and disabling these botnets. It also aims to further hide itself from detection by removing on its own the most common malware from the system registry.
Think of it this way: if you're not worried about removing other malware from your system -- and TDL is hard to detect already -- chances are you'll never know that you're infected. Meanwhile, at the same time, it's downloading its own malware to your machine, and you can't figure out what is causing your problems.
TDL runs before the operating system boots, loading from the master boot record itself. This makes the malware harder to detect by most security programs. It also uses P2P technology in order to deliver commands to the botnet, which negates the need for one single computer to control the entire network.
Take down what you think may be the central command, and it's just as easy for botnet operators to begin sending commands from another machine.
"The fact that TDL-4 code shows active development -- a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet's arsenal, P2P technology, its own 'antivirus' and a lot more -- place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware," Kaspersky Labs says.
More information on how the TDL botnet works can be found on Kaspersky Labs' Securelist blog.