Kaspersky warns of “indestructible” TDL-4 botnet

News 4 Jul, 2011

Top security expert fears 2008 botnet is dangerously sophisticated.

A vicious new botnet dubbed TDL-4, made up of more than 4.5 million infected computers is running wild, according to security firm Kaspersky.

The security specialist has described the botnet as potentially “indestructible.”

The name TDL-4 comes from the fact that it's the fourth iteration of this particular botnet since it arrived in 2008. Kaspersky says its creators have significantly improved the TDL botnet this time round and the 4.5 million affected computers are all believed to have been infected in the first three months of this year.

“The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today,” said Sergey Golovanov and Igor Soumenkov, researchers at Kaspersky Labs.

The powerful rootkit used by TDL’s developers means it can conceal the presence of malware on a system, according to the researchers. It has also been setup to resist attempts to remove it from infected machines and to eliminate competing malware.

Peer-to-peer networking techniques have been used, meaning the botnet is difficult to track. Furthermore, if its control servers were seized or shut down the group responsible could still keep it running.

“The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies,” the researchers added.

Kaspersky Labs revealed that TDL is now spread by affiliates – a network of rogue “adult content sites, bootleg websites, and video and file storage services.”

Affiliate programs from these sites use a client which makes operating system checks and then downloads TDL-4 to the computer.

“Affiliates receive between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer,” Kaspersky added.

At present, the majority of the TDL-4 botnet is on machines located in the US, with just five per cent of TDL-4 infected machines believed to be UK-based.