Researchers discover 4.5 million-strong super-botnet

TDSS rootkit infects 1.5 million US computers

Millions of PCs around the world appear to have been quietly infected by the dangerous TDSS 'super-malware' rootkit as part of a campaign to build a giant new botnet, researchers from security firm Kaspersky Lab have discovered.

Malware and botnets come and go, but TDSS is different. First detected more than three years ago, TDSS (also known as 'TDL', and sometimes by the name of its infamous rootkit component, Alureon) has grown into a multi-faceted malware nexus, spinning out ever more complex and dangerous components as it evolves.

In recent weeks, Kaspersky Lab researchers were able to penetrate three SQL-based command and control (C&C) servers used to control the malware's latest version, TDL-4, where they found the IP addresses of 4.5 million PCs infected by the malware in 2011 alone. Almost 1.5 million of these were in the US.

If all of them are still active, this number of compromised computers would make it one of the largest botnets in the world, with the US portion alone worth an estimated $250,000 (£155,000) to the underground economy.

The TDL-4 malware has also added technical and economic capabilities to its features list, including some that are out of the ordinary for botnets, the researchers said.

Making use of the malware's bootkit design - it infects the master boot record (MBR) of a PC so that its code runs before the operating system loads - it attempts to clean rival malware from an infected PC, searching for and removing up to 20 different malware families, including Gbot, Zeus and Optima. This stops rival programs interfering with its own operation, and damages the business of its competitors at the same time.
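A bootkit that lives in the MBR has to change the 446 bytes of bootstrap code the BIOS hands control to, so the cheapest detection an administrator can run is to hash that code and compare it, together with the partition table, against a baseline taken from a known-clean disk. The script below is an added example written for this article, not Kaspersky's tooling and not TDSS code: it parses the classic MBR layout (bootstrap code, four 16-byte partition entries, 0x55AA signature), diffs a freshly read sector against a stored baseline, and also reports unallocated sectors after the last partition, which is a general forensic heuristic for where hidden data can be stashed rather than something the article attributes to TDL-4. The two sample sectors are constructed; the "infected" one simply has a different bootstrap prologue.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bytes 0..445: boot code the BIOS jumps to
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte MBR, got {len(mbr)} bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN]
        )
        if ptype == 0x00:    # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline: dict, total_sectors: int) -> list:
    """Compare a freshly read MBR with a trusted baseline from parse_mbr(); return findings."""
    current = parse_mbr(mbr)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    if current["partitions"]:
        # Space past the last partition is not owned by any file system; worth a look.
        last_end = max(p["lba_start"] + p["sectors"] for p in current["partitions"])
        if total_sectors > last_end:
            findings.append(f"{total_sectors - last_end} unallocated sectors after last partition")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed test data: given boot code, one bootable NTFS partition, valid signature."""
    boot = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot + table + BOOT_SIGNATURE


# Prologue a stock Windows MBR starts with: xor ax,ax / mov ss,ax / mov sp,7C00h.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed stand-in for a patched loader: a far jump instead of the stock prologue.
INFECTED_MBR = build_sample_mbr(b"\xea\x00\x7c\x00\x00")

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)    # in practice: saved from a known-clean read of sector 0
    for label, sector in (("clean", CLEAN_MBR), ("patched", INFECTED_MBR)):
        print(label, check_mbr(sector, baseline, total_sectors=1_100_000) or ["no findings"])
```

On Linux the raw sector comes from `dd if=/dev/sda bs=512 count=1`; on a live infected machine the rootkit may filter that read, so the baseline comparison is most trustworthy when the disk is imaged from clean boot media.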

The researchers also noticed a kad.dll component of the infection which appears to give TDSS/TDL-4 a fallback C&C channel over the Kad P2P file-sharing network, so that bots can still be controlled even if the primary encrypted channel has been shut down by rival botnet operators or security companies.

Perhaps most intriguing of all are the economic innovations shown by the TDSS creators which help them sell it in a botnet-as-a-service form.

One of these is turning botted PCs into anonymous proxies, which Kaspersky found were being sold for $100 (£60) per month each to customers who wanted to hide their Internet use. The researchers even found a Firefox add-on that makes it easier to switch between different proxies from within the browser.

"We don't doubt that the development of TDSS will continue," said Kaspersky researcher Sergey Golovanov, who performed the latest analysis of TDSS. "Active reworkings of TDL-4 code, rootkits for 64-bit systems, the use of P2P technologies, proprietary anti-virus and much more make the TDSS malicious program one of the most technologically developed and most difficult to analyse."

The bigger question is why the TDSS/TDL-4 developers have invested so much effort in complexity when other malware makes money adequately without it. Perhaps its most notorious innovation was the 64-bit version of Alureon, which Microsoft said in May it had removed from hundreds of thousands of systems, despite 64-bit Windows being supposed to be harder to attack.

The answer is that TDSS's creators are pioneering in their outlook. 64-bit Windows might have fewer users and be more of a challenge, since it refuses to load unsigned kernel drivers, but a bootkit that runs before the operating system starts can subvert that check, and tackling the platform offers larger rewards because it keeps the group ahead not only of rivals but of the software defences.

"Cybercriminals are trying to future-proof themselves," said fellow Kaspersky researcher Ram Herkanaidu. "They know that a lot of systems are going to go 64-bit," he said.

For his part, TDSS expert Golovanov thinks TDL-4 is in the hands of a single Eastern European criminal entity, which has sold the older and less advanced TDL-3 to another criminal enterprise in the same region.


By John E Dunn
