TDL4 - Massive botnet infects possibly 4 million PCs
TDL4 is one of the most sophisticated Windows attacks in circulation, with rootkit and encrypted command-and-control capabilities. While this highly advanced attack is difficult to detect and clean, some rootkit scanning tools can locate these infections. A few years ago, the Storm Worm's botnet command-and-control network was so advanced that its master servers could not be located. The new TDL4 botnet is even more sophisticated and is rated "indestructible" by some vendors.
http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers
http://blog.trendmicro.com/the-worm-the-rogue-dhcp-and-tdl4/
http://www.business-standard.com/india/news/tdl-4virus-that-escapes-scrutiny/441668/
http://www.thesecurityblog.com/2011/07/tld4-less-hype-more-history/
QUOTE: A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say. "TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.
Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet." Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.
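The quoted analysis explains that TDL-4 lives in sector 0 and hides from the running OS, so the practical check is to compare the raw MBR against a known-good baseline rather than trust what the OS reports. The script below is an added example, not code from the article or from Kaspersky: it parses the standard 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap region and reports deviations from a stored baseline. The MBR bytes are constructed in-line for the demo; on a real machine the sector would be read from the raw disk (e.g. \\.\PhysicalDrive0 on Windows), ideally from a trusted boot medium, since a rootkit can filter disk reads made from the infected OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap region only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return findings for a sector; an empty list means it matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("bootstrap code differs from baseline")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed, minimal MBR for the demo (not taken from any real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # one active NTFS partition
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed samples: the baseline taken at install time, and a sector whose
# bootstrap region was rewritten while the partition table was left intact.
CLEAN_MBR = make_sample_mbr(b"\xEB\x3C\x90" + b"ORIGINAL BOOTSTRAP")
BASELINE = boot_code_digest(CLEAN_MBR)
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90" + b"REPLACED LOADER")

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))     # []
    print(check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

Store BASELINE off-host (it is only 64 hex characters) and re-run the check from offline media, because a digest kept on the infected disk is as untrustworthy as the OS view of sector 0.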