Massive botnet 'indestructible,' say researchers

http://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers

4.5M-strong botnet 'most sophisticated threat today' to Windows PCs
By Gregg Keizer
June 29, 2011 04:19 PM ET
30 Comments

Computerworld - A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say.

"TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

"[TDL-4] is practically indestructible," Golovanov said.

Others agree.

"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."

Golovanov and Stewart based their judgments on a variety of TDL-4's traits, all which make it an extremely tough character to detect, delete, suppress or eradicate.

For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit -- malware that hides by subverting the operating system. The master boot record is the first sector -- sector 0 -- of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.

But that's not TDL-4's secret weapon.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."

Schouwenberg cited several high-profile botnet take-downs -- which have ranged from a coordinated effort that crippled Conficker last year to 2011's FBI-led take-down of Coreflood -- as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.

"Each time a botnet gets taken down it raises the bar for the next time," noted Schouwenberg. "The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers."

TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys.

The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.

By using a public network, the criminals insure their botnet will survive any take-down effort.

"Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network," said Schouwenberg. "The fact that TDL has two separate channels for communications will make any take-down very, very tough."

Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.

TDL-4's rootkit, encryption and communication practices, as well as its ability to disable other malware, including the well-known Zeus, makes the botnet extremely durable. "TDL is a business, and its goal is to stay on PCs as long as possible," said Stewart, citing the technologies that make the botnet nearly impossible to knock offline.

Stewart wasn't shocked that the TDL-4 botnet numbers millions of machines, saying that its durability contributed to its large size.

"The 4.5 million is not surprising at all," Stewart said. "It might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."

Stewart pointed out that TDL-4's counter-attacks against other malware was another reason it's so successful.

"That's so smart," he said, adding that disabling competing malware -- which likely is much easier to detect -- means it has an even better chance of remaining on the PC. If other threats cause suspicious behavior, the machine's owner may investigate, perhaps run additional security scans or install antivirus software.

TDL-4's makers use the botnet to plant additional malware on PCs, rent it out to others for that purpose and for distributed denial-of-service (DDoS) attacks, and to conduct spam and phishing campaigns. Kaspersky said TDL-4 has installed nearly 30 different malicious programs on the PCs it controls.

But it's able to remove any at will. "TDL-4 doesn't delete itself following installation of other malware," said Golovanov. "At any time [it] can ... delete malware it has downloaded."

This is one dangerous customer, Stewart concluded.

"For all intents and purposes, [TDL-4] is very tough to remove," Stewart said. "It's definitely one of the most sophisticated botnets out there."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer or subscribe to Gregg's RSS feed Keizer RSS. His e-mail address is gkeizer@computerworld.com.

Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.