Massive botnet 'indestructible,' say researchers
4.5M-strong botnet 'most sophisticated threat today' to Windows PCs
Computerworld - A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say.
"TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
"[TDL-4] is practically indestructible," Golovanov said.
"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."
Golovanov and Stewart based their judgments on a variety of TDL-4's traits, all which make it an extremely tough character to detect, delete, suppress or eradicate.
For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.
Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.
But that's not TDL-4's secret weapon.
What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."
Schouwenberg cited several high-profile botnet take-downs -- which have ranged from a coordinated effort that crippled Conficker last year to 2011's FBI-led take-down of Coreflood -- as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.
"Each time a botnet gets taken down it raises the bar for the next time," noted Schouwenberg. "The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers."
TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.
The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.
- International police operation disrupts Shylock banking Trojan
- Spamhaus pushes for arrests of alleged DDoS participants
- Accused Russian point-of-sale hacker arrested, will face U.S. charges
- No-IP regains control of some domains wrested by Microsoft
- Microsoft legal action cramping other hacking campaigns, Kaspersky says
- Microsoft admits technical error in IP takeover, but No-IP still down
- QuickPoll: Why hasn't Windows XP come under attack from hackers?
- Cybercrime losses top $400 billion worldwide
- U.S., foreign agents disrupt Gamover Zeus botnet
- LulzSec leader sentenced to time served after cooperating with police
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Cybercrime and Hacking White Papers | Webcasts