Security experts warn of new 'almost indestructible' TDL-4 botnet threat

Jul 01, 2011 by Bob Yirka
Image: Botnet (credit: Security Networks)

(PhysOrg.com) -- Security experts Sergey Golovanov and Igor Soumenkov of Kaspersky Lab have detailed, on Securelist, the threat posed by a new strain of the TDSS botnet, dubbed TDL-4, calling it likely the most sophisticated botnet to date and describing it as almost indestructible.

Botnets, groups of computers infected by code that lets someone other than the owner control them, have become the latest weapon in an international struggle between malevolent coders and security experts, with ordinary users stuck in between, quite often completely unaware of what is going on.

Botnets are a bad thing because owners can become victims of identity theft, be redirected to unwanted sites while browsing the web, or, worse, become unwitting partners in crime as their computer is hijacked and used for nefarious purposes, such as taking part in an attack against a corporate web site.

TDL-4 comes on the heels of news that its previous incarnation, TDL-3, was sold by its creators to another group bent on reaping profits from its use; a sign, the experts note, that the creators of the botnet are so sure of the superiority of the new version that the old one has become obsolete.

What makes the new botnet so hard to find and eradicate is that it lodges itself in the master boot record (MBR) of the computer’s hard drive, the part of the disk the computer reads first to start itself when you turn it on. By inserting code where the hardware looks first, the malware loads before the operating system (Windows) and can hide itself from it. A second problem is that the creators of the malware have switched from a proprietary network for controlling the computers in the botnet to a public peer-to-peer network, which means commands can still be sent even if the command-and-control computers used by the people who unleashed the botnet lose access.

It should be noted that the security team behind this latest announcement, Golovanov and Soumenkov, both work for Kaspersky Lab, a company that sells anti-virus and computer security software; this does not mean their loud warnings should be ignored, but it is possible that their claims are a little exaggerated. For example, one of the new “features” of the botnet code is the ability to remove other malware from the computers it infects, partly to make sure its own code works as expected, but also to avoid drawing attention to problems the computer might be experiencing, which would likely lead to the detection of its own code. Thus, when they report that the botnet might be impossible to kill, they mean the botnet as a whole, not the code on an individual computer. Also, their paper makes no mention of what computer users can do to see if their computer is infected and, if it is, what they might do about it, which might make some wonder if a future announcement isn’t coming soon, detailing how Kaspersky Lab has just the product to help users with both.
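The MBR mechanism described above, as an added example that is not from the article or from Kaspersky's analysis: a Python parser for a 512-byte master boot record that hashes the boot-code region and compares it, along with the decoded partition table, against a baseline saved from a known-good disk. The sample sectors are constructed here; the "tampered" sample only swaps the boot code and leaves the partition table intact, which is the pattern a defender would look for.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: code the firmware jumps to at power-on
PART_TABLE_OFF = 446           # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and decoded partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings against a baseline saved from a known-good disk; [] means no change."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one bootable NTFS partition."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # entry 0: status 0x80 (bootable), type 0x07 (NTFS), CHS fields left zero,
    # LBA start 2048, 2097152 sectors (1 GiB)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 2097152)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed stand-ins, not real boot code or a real TDL-4 sample.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24)
BASELINE = parse_mbr(CLEAN_MBR)            # save this while the disk is known to be clean
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 40)  # boot code swapped, table intact
```

Read the sector from trusted boot media rather than from the running system, since code that loads before Windows can hand the operating system a sanitized copy of the sector.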


User comments: 17

poof
3.3 / 5 (3) Jul 01, 2011
KILL IT WiTH FIRE!!!!
Royale
3.3 / 5 (3) Jul 01, 2011
LOTS OF FIRE!!!
Nik_2213
not rated yet Jul 01, 2011
Sentence the authors to a life of watching soap re-runs...

Those not recruited by TLAs, of course, of course...
ShotmanMaslo
1 / 5 (1) Jul 01, 2011
So will my antivirus with pre-boot test option find the virus?
FrankHerbert
0.8 / 5 (51) Jul 01, 2011
Probably not, but you may find an option in your BIOS for MBR (Master Boot Record) protection.
racchole
3.4 / 5 (5) Jul 01, 2011
The people who create these viruses work for the anti-virus companies. Learn to protect yourself and you will be fine.
seb
4 / 5 (1) Jul 01, 2011
Microsoft says you can use their Windows recovery tool to blast your MBR back into shape, or you could, say, use a Linux distro installer or something.

As for botnets, how long until these cease to just be "bots" and become an "ecosystem" ?
Norezar
5 / 5 (1) Jul 01, 2011
The people who create these viruses work for the anti-virus companies. Learn to protect yourself and you will be fine.

Basically, yes.

Like Adobe and their flexnet licensing.

The fact that the MBR isn't protected at hardware level astounds me.
Ricochet
3 / 5 (3) Jul 01, 2011
"fdisk : /mbr" works great
sstritt
1 / 5 (3) Jul 01, 2011
"fdisk : /mbr" works great

I've heard that can be risky!
FrankHerbert
0.7 / 5 (49) Jul 02, 2011
With a little know-how it should be easy to make a boot disk that, whenever it's used, will back up the MBR and allow you to swap out the existing MBR with a backup. The MBR is simply the first 512 bytes on the disk, so with a little programming it should be straightforward.
FrankHerbert
0.7 / 5 (48) Jul 02, 2011
Here's a program that can back up/restore the MBR in various versions of Windows and DOS. This utility would work nicely on a boot disk.

http://mirror.hre...tm#PQMBR

One could schedule periodic backups with the Windows scheduler, as well as keep a boot disk ready for restore in case Windows becomes inaccessible.
Megadeth312
not rated yet Jul 02, 2011
If you suspect your computer has been infected, an easy way to rewrite the MBR:

The freeware program EasyBCD has an option to rewrite it for you and is safe to use: it will write it to the correct disk and direct it to the correct partition.
Sonhouse
not rated yet Jul 02, 2011
How can you examine the MBR for signs of this virus? Plus, wouldn't the computer assign channels for data I/O's that would not be present in an unaffected computer? Can't you figure out things are wrong that way, for instance, monitoring internet traffic, wouldn't there be stuff going in and out not seen in regular traffic, for instance if you are not even on the net?
el_gramador
not rated yet Jul 02, 2011
Does no one else find it entertaining that this botnet is actually cleaning malware in a way that mimics the way biology and viruses naturally do? Why not let them implode by keeping ourselves out of it?
I_Dont_Have_A_Name
not rated yet Jul 03, 2011
The problem isn't protecting against this. If you already know enough to protect the MBR...let alone know what an MBR is...let alone know that 'I'll just restart and it will work' isn't going to fix it...and even if you know what the heck a "bot-net" is, that still leaves the rest of the 99% of the computer users that don't.
Ricochet
not rated yet Jul 05, 2011
My suggestion... Once they've got an easy way to detect and clean it, as you know they will after a little time, purposefully infect your computer with it to clear anything else out you might have, then go back and clean it out.