June 30, 2011

Botnet Found To Be Virtually ‘Indestructible’

Security experts said one of the world's stealthiest botnets has infected more than 4.5 million PCs and allows its authors to force keyloggers, adware, and other malicious programs on the compromised systems at any given time.

The botnet, known as TDL, was first noticed in 2008 and quickly got the attention of top security experts because of its long list of highly advanced features. The TDL-4 rootkit is virtually undetectable by antivirus programs, and its use of low-level instructions makes it extremely hard for researchers to dissect it.

The latest version of the rootkit infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Nearly a third of all infected computers were located in the US, where successful attacks have likely netted those behind them as much as $250,000.

The changes introduced in TDL-4 made it the "most sophisticated threat today," said Kaspersky Lab security researchers Sergey Golovanov and Igor Soumenkov in a detailed analysis of the virus.

"The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies," wrote the researchers.

Other changes include a new antivirus feature that rids TDSS-infected machines of 20 rival malware titles. It also blacklists the addresses of command and control servers used by these competing programs to prevent them from working properly. It also infects the master boot record of a compromised PC's hard drive, ensuring that malware is running even before Windows is loaded.

The TDL-4 changes allow the rootkit to now be able to infect 64-bit versions of Windows by bypassing the operating system's kernel mode code signing policy, which was designed to allow drivers to be installed only if they have been digitally signed by a trusted source. Also, its ability to create ad-hoc DHCP servers on networks gives it more power.

The TDL virus spreads through booby-trapped websites and infects PCs by exploiting un-patched vulnerabilities. The virus is usually found on sites offering porn and pirated movies as well as video and photo storage sites.

The virus installs itself in a Windows system file known as the master boot record. The file holds the list of instructions to get a computer started and is a good place to hide because it is rarely scanned by anti-virus software.

About 28 percent of the victims came from the US. The virus infected about 7 percent of computers in India, 5 percent in the UK, and smaller amounts in France, Germany and Canada.

The TDL-4 authors have schemed up their own encryption system to protect communication between those controlling the botnet. This has made it hard for researchers to analyze traffic between hijacked computers and the botnet controllers.

Another way the virus foils analysis is it sends out instructions over a peer-to-peer network rather than standard command systems.

"For all intents and purposes, [TDL-4] is very tough to remove," Joe Stewart, director of malware research at Dell SecureWorks to Computerworld, told BBC News.

Despite its resistance to anti-virus software and research analysis, TDL-4 still has bugs, as is the case with any complex piece of software. The Kaspersky researchers were able to analyze the number of TDL-4 infections by exploiting a flaw that exposed three MySQL databases located in Moldova, Lithuania, and the US. Those databases revealed the 4.5 million infections.

The sophistication of TDL-4 might aid in its downfall, the researchers added.


On the Net: