New TDL-4 Botnet Threats

The TDL-4 botnet is a collection of Trojans with the capacity to inflict damage through increased technical sophistication as well as improved commercial exploitation. * A botnet contains compromised computers connected to the Internet used mostly for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet. Botnets are usually controlled via standards based network protocols such as Internet Relay Chat (IRC).  TDL-4 uses the KAD peer-to-peer network for managing its control communications.

Millions of personal computers have been infected. The TDL-4 botnet is sneaky, evasive, hard to detect and difficult to disinfect. TDL-4 is the fourth generation of the TDL malware. TDL-4 packs all kinds of tricks to conceal deep within hard drives, evading most virus scanning software as well as more proactive detection methods. It communicates in encrypted code, and contains a rootkit program that allows an operator access to a computer even while hiding itself from the user, network administrators and automated security measures.

TDL-4 is malicious because it facilitates the creation of a botnet--a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks, the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.

The TDL-4 malware originators have extended the program functionality to encrypt communications between bots and the botnet command and control servers. The controllers of TDL have created a botnet that is protected against countermeasures and antivirus companies. Antivirus vendor, Kaspersky, has suggested that TDL-4 has installed nearly 30 different malicious programs onto the PCs it controls.

TDL-4 installs itself into the master boot record (MBR), which makes it difficult for the Operating System or any antivirus or security software to detect its code. Once inside a personal computer, TDL-4 takes up residence in the MBR, which means it can run before the computer is actually booted up. This MBR is rarely combed over by anti-virus software giving TDL added invisibility. Then, TDL-4 runs its own anti-virus program. It contains code to remove around 30 of the most common malicious programs, wiping an infected machine clean of everyday malware that might draw a user’s attention or cause an administrator to take a closer look. It can then download whatever malicious software it wants to in the place of the deleted programs. This version of TDL-4 also has added modules, which can be used to hide other malicious cyber actions.

An advanced encryption algorithm ensures that security and anti-virus products are unable to ‘sniff’ packets that it sends out onto the network. This helps to cloak information that is being sent from Command and Control (C&C) servers, and the information being returned by the TDL-4 Trojan.

Any attempt to take down the regular C&Cs can be circumvented by updating the list of C&Cs. Any C&C has a means to directly communicate over the encrypted channel to any host, so that it is virtually indestructible.

TDL-4's controllers use the botnet to plant additional malware on PCs, rent it out to others to conduct spam and phishing campaigns or for distributed denial-of-service attacks.
You cannot buy the source code. You can only rent time on a bonnet service that is built using the TDL-4 toolkit, in essence replicating the business model of Software-as-a-Service.

The owners of the rootkit go to great lengths to make sure that its turf, which are literally the millions of computers that are part of its army, are protected from other rogue malware. The defense mechanism includes its own antivirus to take out other competing malware and eliminate the risk of potential conflicts as well as the use of public P2P networks to link the slave computers to Command and Control servers.

The TDL-4 network is rented out at a high price to criminal organizations. With a rising number of PCs working for them, the owners of TDL-4 can launch impressive spamming and phishing campaigns, which can rake in fees. TDL-4 can be also used to plant other malicious pieces of malware, including “spybots”, hijacking toolbars, and even fake antivirus software. When a contract runs out, TDL-4 can remove these programs easily. TDL-4 is also removing the competition (malware it doesn’t sanction) while opening captured computers to software it prefers. It’s definitely the cyber version of organized crime and the start of a Mafia cyber war.

The continual development of the TDL-4 network, its advanced tactics, and its wide dispersal is the work of a concentrated criminal network with thousands of dollars devoted to development of its cyber operations. “Partner-programs”, most often operating through websites offering adult content, bootleg videos, or file storage, are paid $20-$200 for every 1000 computers they infect with TDL. Kaspersky estimates that each version of TDL costs its controllers about $250,000 to set up their network. Daily revenue from a botnet the size of TDL-4 can be in the many tens of thousands of dollars.

SUMMARY
At one point the “Conficker” Trojan was going to destroy the entire Internet as we knew it, but it is now contained. TDL-4 will continue to confound and frustrate security experts for years but this too shall pass, causing damage meanwhile. The problem is that the TDL-4 continues to evolve as defenses become more capable. TDL is multigenerational persistent malware, with new attack forms getting launched as profits from botnets keep rising.

* IEEE Computer, August 2011, p.16