According to Kaspersky Lab, a new TDSS rootkit variant called TDL-4 has infected more than 4.5 million PCs worldwide in just the first three months of 2011. The security experts say that this sneaky malware is one of the most technologically sophisticated threats to date. Because of upgrades from the previous TDL-3 incarnation, this new TDL-4 has the ability to create a botnet that is practically ‘indestructible’.
TDL-4 is a bootkit, it infects the master boot record of a PC which allows the code to run before a computer’s operating systems starts up. Doing this allows the malware, along with the programs it downloads, invisibility to operating systems as well as any antivirus programs.
But this isn’t new for TDSS. What makes this version a silent killer is an upgrade in encryption and the decentralization of the botnet. The new encryption algorithm used to network the control center with computer zombies keeps the botnet from being detected by traffic analysis and keeps other cyber criminals at bay.
The way the decentralization works is probably most important. Unlike the Coreflood botnet, recently hit hard by the FBI, the TDL-4 doesn’t necessarily have command-and-control servers that will incapacitate the malware when seized. The cyber criminals use the publicly accessible Kad P2p network as second way to send commands to infected PCs. If the servers are taken out, the botnet keeps on going via custom Kad client. Like the T1000, it just reforms and keeps on doing its evil duties.
To top off that display of durability, TDL-4 has 64-bit support and its own antivirus. The antivirus allows the rootkit to eliminate threats that would draw attention to its presence. The first TDSS rootkit made an appearance in 2008 and is said to be more widespread than the well known Rustock. The creators have been perfecting the malware since then and Kaspersky’s Sergey Golovanov says, “we have reason to believe that TDSS will continue to evolve.”
