Is The New TDL-4 Botnet Really 'Indestructible?'

An elusive malware program has quietly co-opted more than four million PCs, and no one seems to know how to stop it.

How a Botnet Works

From one computer to many computers to mayhem.Tom-b via Wikimedia

This week's big cyber news comes packing quite a headline: More than four million PCs have been infected by a malicious program known as TDL-4, a botnet that is so sneaky, so evasive, so hard to detect and disinfect that it is "practically indestructible." That quote comes courtesy of security researchers Sergey Golovanov and Igor Soumenkov of Kaspersky Labs, a cyber security firm and maker of anti-virus software. It's a scary thought: a botnet so sophisticated that it can't be detected and dismantled. But is it true?

There's no question that Golovanov and Soumenkov know their stuff, and their analysis of the emerging TDL-4 threat is thorough. But can a malicious program really be indestructible?

What is TDL-4?

TDL-4 is the fourth generation of the TDL malware (Kapersky also identifies the family as TDSS), and Golovanov and Soumenkov call it "the most sophisticated threat today." In that, we can likely agree with them. TDL-4 packs all kinds of neat/scary tricks to conceal itself deep within hard drives, evading most virus scanning software as well as more proactive detection methods. It communicates in encrypted code, and contains a serious rootkit component--a rootkit being a program that allows an operator access to a computer even while hiding itself from the user, network administrators and automated security measures.

TDL-4 isn't one itself, but it's malicious because it facilitates the creation of a botnet--a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter, Facebook, and MasterCard.com), the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.

What Makes It "Indestructible?"

Golovanov and Soumenkov summarize this nicely: "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."

First things first: location, location, location. Once inside, TDL-4 takes up residence in the master boot record (MBR), which means it can run before the computer is actually booted up. The MBR is also rarely combed over by a standard anti-virus scanner, giving TDL added invisibility.

The Distribution of Known TDL-4 Botnet Infections

Kapersky Labs

Then, TDL-4 does something else quite clever: it runs its own anti-virus program. The software contains code to remove around 20 of the most common malicious programs, wiping an infected machine clean of everyday malware that might draw a user's attention or cause an administrator to take a closer look. It can then download whatever malicious software it wants to in the place of the deleted programs. This version of TDL-4 also has added modules, like one that "fraudulently manipulates advertising systems and search engines" and another that establishes proxy servers on infected machines, which can be used to facilitate and hide other malicious cyber actions.

But critical to TDL-4's indestructibility is the way it communicates between bots. There are a few things at play here. First, and perhaps most central, is a clever algorithm that encrypts the communication protocol between bots and the botnet command. This makes it virtually pointless to monitor traffic between the command server and infected machines.

But couldn't you trace those commands, encrypted though they may be, back to the source to catch the bad guys? TDL-4 has a trick up its sleeve here as well, this time in the form of a public peer-to-peer file sharing network called Kad. TDL-4's creators can issue several commands to their bot machines over this P2P network. This is key, because it means that if TDL-4's command servers get shut down, the program's creators can still access all the infected machines out there. In essence, command servers aren't really necessary at all. Destroying TDL-4 at the source is more or less impossible, because the source is distributed across the botnet network. There really is no single source.

But Is It Really "Indestructible?"

Writing for Infoworld today, Roger Grimes makes a valid point: "As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right."

Grimes' approach is the level-headed one. At one point Conficker was going to destroy the entire Internet as we knew it, but here we are today getting our daily dose of carefree lulz on the Web. TDL-4 will continue to confound and frustrate security experts for years most likely. But this too shall pass.

But that doesn't mean Golovanov and Soumenkov are necessarily wrong to call TDL-4 "indestructible." Perhaps the most noteworthy part of its title is the "4." It's just one bad seed in a malicious multigenerational family.

"We have reason to believe that TDSS will continue to evolve," they write. "The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet's arsenal, P2P technology, its own 'antivirus' and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware."

That is, until TDL-5.