New Botnet, Now 4.5 Million Machines Strong, is 'Practically Indestructible'

How a Botnet Works From one computer to many computers to mayhem. Tom-b via Wikimedia

Today in cyber threats: more than four million Windows PCs have been commandeered by a botnet that cybersecurity experts are calling nearly “indestructible.” Known as TDL-4 (it’s the fourth iteration of the malicious program), this particular little nuisance hides in places security software rarely checks and speaks with other infected machines and their overseers in a novel encrypted code. Some are calling it the most sophisticated threat out there today. Watch your back, Stuxnet.

For the unfamiliar: botnets are networks of computers that have been infiltrated by a malicious program that allows the machines to be manipulated remotely by the program’s owner, often in concert to carry out cyber attacks or to do large-scale spamming. Security firms around the world have been cracking down on botnets lately, and their success has been fairly remarkable.

But in eradicating a lot of simpler botnets, security experts may have tipped their hands. TDL-4 hides in places other botnets generally don’t, deep within systems where most virus scanning software doesn’t look. And it communicates in ways that are new to most cyber-cops, talking in what appears to be a novel encryption scheme conjured by TDL’s overseers.

Cyber security firms can’t crack it, and so monitoring traffic between the handlers and their network of infected machines doesn’t help much. Further, the botnet communicates over a public peer-to-peer network, so there’s no centralized server doling out commands that investigators can trace.

To quote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov at the conclusion of their detailed analysis of TDL-4, “the decentralized, server-less botnet is practically indestructible.”

[BBC]