
Researchers discover 4.5 million-strong super-botnet

TDSS rootkit infects 1.5 million US computers


Millions of PCs around the world appear to have been quietly infected by the dangerous TDSS ‘super-malware’ rootkit as part of a campaign to build a giant new botnet, researchers from security firm Kaspersky Lab have discovered.

Malware and botnets come and go, but TDSS is different. First detected more than three years ago, TDSS (also known as ‘TDL’ and sometimes by its infamous rootkit component, Alureon) has grown into a multi-faceted malware nexus, spinning out ever more complex and dangerous components as it evolves.

In recent weeks, Kaspersky Lab researchers were able to penetrate three SQL-based command and control (C&C) servers used to control the activities of the malware’s latest version, TDL-4, where they discovered the IP addresses of 4.5 million PCs infected by the malware in 2011 alone. Almost 1.5 million of these were in the US.

If active, this number of compromised computers could make it one of the largest botnets in the world, with the US portion alone worth an estimated $250,000 (£155,000) to the underground economy.

The TDL-4 malware has also added technical and economic capabilities to its features list, including some that are out of the ordinary for botnets, the researchers said.

Making use of the malware’s bootkit design – it infects the master boot record of a PC so that it loads before other programs – it attempts to clean rival malware from an infected PC, searching for and removing up to 20 different malware types, including Gbot, Zeus and Optima. This stops other programs from interfering with its activities and also hurts the rivals’ commercial operations.
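Because a bootkit of this kind replaces the boot code in the master boot record, one simple detection control is to record a hash of the MBR boot-code region while the machine is known clean and compare it on each check. The following is an added example, not code from the article or from Kaspersky: it parses a 512-byte MBR sector, hashes only the 446-byte boot-code area (the partition table may legitimately change), and reports findings against a baseline. The sample sectors are constructed inline; on a real system the 512 bytes would be read from the first sector of the boot disk with administrative privileges.

```python
"""Parse a 512-byte MBR sector and check its boot code against a known-good baseline.

Added example; not from the article or Kaspersky. A bootkit replaces the MBR boot
code so its loader runs before the OS; comparing the boot-code region with a hash
recorded when the machine was known clean is one simple way to spot that change.
The sample MBRs below are constructed for this example, not real disk images.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = mbr[off:off + PARTITION_ENTRY_SIZE]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, _chs_s, type_id, _chs_e, lba_start, count = struct.unpack("<B3sB3sII", raw)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    if sum(1 for p in parse_partition_table(mbr) if p.bootable) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: given boot code, one bootable NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # status=0x80 (bootable), type 0x07 (NTFS), LBA start 2048, 1,000,000 sectors
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return code + part1 + empty * 3 + BOOT_SIGNATURE


# Constructed sample data: a "clean" sector, then the same layout with different boot code.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")  # typical x86 prologue bytes
BASELINE = boot_code_hash(CLEAN_MBR)                               # recorded while clean
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 64)        # different loader code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline hash must be stored somewhere the infected host cannot rewrite (an offline record or a management server), and the sector should be read from a trusted environment such as boot media, since a kernel-mode rootkit can return a clean copy of the MBR to user-mode readers on the running system.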

The researchers also noticed a kad.dll component of the infection, which appears to give TDSS/TDL-4 an elaborate fallback C&C channel for controlling bots over the Kad P2P file exchange network, usable even if the primary encrypted channel has been shut down by rival botnet operators or security companies.

Perhaps most intriguing of all are the economic innovations shown by the TDSS creators which help them sell it in a botnet-as-a-service form.

One of these is turning botted PCs into anonymous proxies, which Kaspersky found were being sold for $100 (£60) per month each to customers that wanted to hide their Internet use. They even discovered a Firefox add-on that makes it easier to toggle between different proxies within the browser.

“We don’t doubt that the development of TDSS will continue,” said Kaspersky researcher, Sergey Golovanov, who performed the latest analysis of TDSS. “Active reworkings of TDL-4 code, rootkits for 64-bit systems, the use of P2P technologies, proprietary anti-virus and much more make the TDSS malicious program one of the most technologically developed and most difficult to analyse.”

The bigger question is why TDSS/TDL-4 has invested so much effort in complexity when other malware performs adequately without it. Perhaps its most infamous innovation was the 64-bit version of Alureon that Microsoft claimed in May to have removed from hundreds of thousands of systems despite the fact this version of the OS is supposed to be harder to attack.

The answer is that TDSS’s creators are pioneering in their outlook. Windows might have fewer 64-bit users and the OS might be more of a challenge, but tackling it offers larger rewards because they stay ahead not only of rivals but of the software defences.

“Cybercriminals are trying to future-proof themselves,” said fellow Kaspersky researcher, Ram Herkanaidu. “They know that a lot of systems are going to go 64-bit,” he said.

For his part, TDSS expert Golovanov thinks TDL-4 is in the hands of a single East European criminal entity which has sold the older and less advanced TDL-3 to another criminal enterprise in the same geography.

Article comments
Bohent said: Who REALLY needs the internet anyway?

JustSomeHuman said: Hey Mr Rice, if you think this is just FUD, just ask Mr Google about TDSS and see how many useful links he will recommend that you read. Oh, and by the way, the idiot, uneducated, fat, slow public is offended and wishes that you would pull your head out of the sand.
