4.5M-strong 'indestructible' botnet 'most sophisticated threat today' to Windows PCs

Discussion in 'Apple, Inc and Tech Industry' started by *LTD*, Jun 29, 2011.

  1. *LTD* macrumors G4


    Feb 5, 2009
    OS X and iOS users can leave the room.

    Windows users, be warned.




    4.5M-strong botnet 'most sophisticated threat today' to Windows PCs

    Massive botnet 'indestructible,' say researchers

    A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say.

    "TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

    "[TDL-4] is practically indestructible," Golovanov said.

    Others agree.

    "I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."

    Golovanov and Stewart based their judgments on a variety of TDL-4's traits, all of which make it an extremely tough character to detect, delete, suppress or eradicate.

    For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.

    Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code.

    But that's not TDL-4's secret weapon.

    What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

    "The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."

    Schouwenberg cited several high-profile botnet take-downs -- which have ranged from a coordinated effort that crippled Conficker last year to 2011's FBI-led take-down of Coreflood -- as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.

    "Each time a botnet gets taken down it raises the bar for the next time," noted Schouwenberg. "The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers."

    TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.

    The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.
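The article above describes sector 0 as the place where bootstrap code lives and a later reply notes that anti-virus products scan it. The script below is an added example, not code from the article, from Kaspersky, or from any poster: it parses a 512-byte master boot record (bootstrap code, four partition entries, 0x55AA signature) and compares the bootstrap-code region against a recorded known-good digest, which is the basic baseline check a defender runs to notice that an MBR has been rewritten. The sample MBR bytes are constructed for the demonstration and do not come from any real disk.

```python
"""Added example: parse a 512-byte MBR and flag bootstrap-code changes
against a known-good baseline. All sample data here is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # last two bytes must be 0x55 0xAA


def parse_partitions(sector: bytes) -> list:
    """Return the four partition-table entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count (little-endian)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table is excluded so
    legitimate repartitioning does not trip the check."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("bootstrap code differs from recorded baseline")
    bootable = [p for p in parse_partitions(sector) if p["bootable"]]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable type-0x07 partition.
    This is made-up test data, not an image of any real disk."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status=0x80 (bootable), type=0x07, LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + b"\x55\xaa"


# Constructed "clean" image: a few plausible x86 opening bytes, zero-padded.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_digest(CLEAN_MBR)     # what you would record at install time

# Constructed tampered copy: bootstrap code changed, partition table untouched.
_tmp = bytearray(CLEAN_MBR)
_tmp[0:4] = b"\xeb\x10\x90\x90"
TAMPERED_MBR = bytes(_tmp)

if __name__ == "__main__":
    print("clean:    ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered: ", check_mbr(TAMPERED_MBR, BASELINE))
    print("partition:", parse_partitions(CLEAN_MBR)[0])
```

On a live machine the 512 bytes would be read from the raw disk device (for example the first sector of `\\.\PhysicalDrive0` on Windows, which needs administrator rights) and the baseline digest recorded when the system is known to be clean; the digest deliberately covers only the code region so that ordinary partition changes do not produce false alarms.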
  2. Rodimus Prime macrumors G4

    Rodimus Prime

    Oct 9, 2006
    Do not say that OSX will not be targeted next. It is a Trogin, which means it goes through the largest security hole in any OS, which is the user. Remember MacDefender still has a running cat and mouse game going.
    This one is pretty nasty but safe to say auto scanners will start catching it on download so it can not infect computers. Just getting rid of them once they got their roots in the system is the nasty part.
  3. TheSideshow macrumors 6502

    Apr 21, 2011
    As bad as it is, it is still really interesting how sophisticated things are getting. I wonder how many man hours were spent in the creation of v.4 and the past 3 and how many individuals it takes to pull this code off.

    It looks like Kaspersky has a removal tool though http://support.kaspersky.com/viruses/utility (TDSSKiller)
  4. Bernard SG macrumors 65816

    Bernard SG

    Jul 3, 2010
    Expectably, you totally miss the point.
    Are Mac users vulnerable to social-engineered malware infection? Yes, of course, like all computer users.
    Is OSX vulnerable to the level of nastiness that TDL-4 shows? Very unlikely. The crux of the issue here is Windows' pathetically faulty architecture that makes it resemble a Swiss cheese: holes everywhere that malicious hacks exploit endlessly.
  5. roadbloc macrumors G3


    Aug 24, 2009
    I'ma let you finish, but this thread is not about that.
  6. AAPLaday Guest


    Aug 6, 2008
    Manchester UK
  7. GGJstudios macrumors Westmere


    May 16, 2008
    Ahhh, yess! Windows: The "good old days!" Now I remember why I don't miss it so much! :D
  8. *LTD* thread starter macrumors G4


    Feb 5, 2009
    I didn't think anyone would notice. ;)
  9. kdarling macrumors demi-god


    Jun 9, 2007
    First university coding class = 47 years ago
    That doesn't sound right. I thought that most anti-virus programs scan the MBR.

    As for these botnets, I wonder how many are the work of some government?
  10. Rodimus Prime macrumors G4

    Rodimus Prime

    Oct 9, 2006
    Scanned there yes but I was reading it is still hard to remove.

    4.5 million is a pretty small infection rate and by the sounds of it the security companies are going to clamp down hard on this one and are going to try to kill it off the best they can. I also would not be surprised to see ISPs do what they can to kill it off as well, and if they detect the file or virus attached to something they kill the download.

    It is a nasty piece of work, that much is for sure, and it is pretty clear this is a numbers game. Botnets mostly only target Windows because you need raw numbers in infections.
  11. *LTD* thread starter macrumors G4


    Feb 5, 2009
    You're all over the place.
  12. ravenvii macrumors 604


    Mar 17, 2004
    Melenkurion Skyweir
    What's a Trogin? :confused:
  13. Liquorpuki macrumors 68020


    Jun 18, 2009
    City of Angels
    Actually, 4.5 million is pretty big for a botnet.

    By comparison, the botnet Lulzsec used for DDOS attacks was only 2.5 million bots.