Security experts warn of new 'almost indestructible' TDL-4 botnet threat

July 1, 2011 by Bob Yirka, report

Image credit: Security Networks
( -- Security experts Sergey Golovanov and Igor Soumenkov of Kaspersky Lab have detailed the threats of a new strain of the TDSS botnet, dubbed TDL-4, on SECURELIST, calling it likely the most sophisticated botnet to date, and describing it as almost indestructible.

Botnets, or groups of computers that have been infected by code that allows them to be controlled by someone other than the owner, have become the latest tool in an international that involves malevolent coders and , with stuck in-between, quite often completely unaware of what it going on.

Botnets are a bad thing because owners can become victims of identity theft, be directed to onerous sites while cruising the web, or worse become unwitting partners in crime as their computer is hijacked and used for nefarious purposes, such as being directed to take part in a against a corporate web site.

TDL-4, comes on the heels of news that its previous incarnation, TDL-3 was sold by its creators to another group of bent on reaping profits from its use; a sign the experts note, indicates the creators of the botnet are so sure of the superiority of the new version, that the old has become obsolete.

What makes the new botnet so hard to find and eradicate is the fact that it lodges itself in the master boot record on a computer’s hard drive, the part the computer uses to get itself going when you turn it on. By inserting code where the hardware looks first, the malware is able to load before the operating system (Windows), allowing it to mask itself. Another problem is that in the new version, the creators of the malware have switched from using a proprietary network to control the computers in the botnet, to using a public Peer to Peer public network, which means commands can be sent even if the command and control computers used by the people who unleashed the botnet, lose access.

It should be noted that the security team behind this latest announcement Golovanov and Soumenkov, both work for Kaspersky Lab, a company that sells anti-virus and computer security software; not that this means their loud warnings should be ignored, but it is possible that their claims are a little exaggerated. For example, one of the new “features” of the botnet code is the ability to remove other malware from the computers they infect, partly to make sure their own code works as expected, but also to avoid drawing attention to problems the computer might be experiencing, which would likely lead to the detection of their own code. Thus, when they report that the botnet might be impossible to kill, they mean the as a whole, not the code on an individual computer. Also, in their paper, there is no mention of what computer users can do to see if their computer is infected, and if it is, what they might do about it, which might make some wonder if a future announcement isn’t coming soon, detailing how Kaspersky Lab, has just the product to help users with both.

Explore further: Botnets move P2P as centrally controlled zombie networks come under fire

Related Stories

Authorities bust 3 in infection of 13M computers

March 2, 2010

(AP) -- Authorities have smashed one of the world's biggest networks of virus-infected computers. It was a data vacuum that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs.

Guilty plea in Seattle 'botnet' case

May 5, 2006

A California man pleaded guilty Thursday to charges stemming from a "botnet" attack last year that damaged U.S. Department of Defense computers.

Recommended for you

Archaeologists discover Incan tomb in Peru

February 16, 2019

Peruvian archaeologists discovered an Incan tomb in the north of the country where an elite member of the pre-Columbian empire was buried, one of the investigators announced Friday.

Where is the universe hiding its missing mass?

February 15, 2019

Astronomers have spent decades looking for something that sounds like it would be hard to miss: about a third of the "normal" matter in the Universe. New results from NASA's Chandra X-ray Observatory may have helped them ...

What rising seas mean for local economies

February 15, 2019

Impacts from climate change are not always easy to see. But for many local businesses in coastal communities across the United States, the evidence is right outside their doors—or in their parking lots.

The friendly extortioner takes it all

February 15, 2019

Cooperating with other people makes many things easier. However, competition is also a characteristic aspect of our society. In their struggle for contracts and positions, people have to be more successful than their competitors ...


Adjust slider to filter visible comments by rank

Display comments: newest first

3.3 / 5 (3) Jul 01, 2011
3.3 / 5 (3) Jul 01, 2011
not rated yet Jul 01, 2011
Sentence the authors to a life of watching soap re-runs...

Those not recruited by TLAs, of course, of course...
1 / 5 (1) Jul 01, 2011
So will my antivirus with pre-boot test option find the virus?
0.8 / 5 (51) Jul 01, 2011
Probably not, but you may find an option in your BIOS for MBR (Master Boot Record) protection.
3.4 / 5 (5) Jul 01, 2011
The people who create these viruses work for the anti-virus companies. Learn to protect yourself and you will be fine.
4 / 5 (1) Jul 01, 2011
Microsoft says you can use their windows recovery tool to blast your MBR back into shape, or you could say, use a linux distro installer or something.

As for botnets, how long until these cease to just be "bots" and become an "ecosystem" ?
5 / 5 (1) Jul 01, 2011
The people who create these viruses work for the anti-virus companies. Learn to protect yourself and you will be fine.

Basically, yes.

Like Adobe and their flexnet licensing.

The fact that the MBR isn't protected at hardware level astounds me.
3 / 5 (3) Jul 01, 2011
"fdisk : /mbr" works great
1 / 5 (3) Jul 01, 2011
"fdisk : /mbr" works great

I've heard that can be risky!
0.7 / 5 (49) Jul 02, 2011
With a little know how it should be easy to make a boot disk that whenever it's used will back up the MBR, and allow you to swap out the existing MBR with a backup. The MBR is simply the first 512 bytes on the disk, so with a little programming it should be straight forward.
0.7 / 5 (48) Jul 02, 2011
Here's a program that can backup/restore the MBR in various versions of Windows and DOS. This utility would work nicely on a bootdisk.

One could schedule periodic backups with Windows scheduler, as well as a boot disk ready for restore in case windows becomes inaccessible.
not rated yet Jul 02, 2011
If you suspect your computer has been infected, an easy way to rewrite the MBR:

Freeware program EasyBCD has an option to rewrite it for you and is safe to use, it will write it to the correct disk and direct it to the correct partition.
not rated yet Jul 02, 2011
Does no one else find it entertaining that this botnet is actually cleaning malware in a way that mimes the way biology and viruses naturally do? Why not let them implode by keeping ourselves out of it?
not rated yet Jul 03, 2011
The problem isn't protecting against this. If you already know enough to protect the MBR...let alone know what an MBR is...let alone know that 'I'll just restart and it will work' isn't going to fix it...and even if you know what the heck a "bot-net" is, that still leaves the rest of the 99% of the computer users that don't.
not rated yet Jul 05, 2011
My suggestion... Once they've got an easy way to detect and clean it, as you know they will after a little time, purposefully infect your computer with it to clear anything else out you might have, then go back and clean it out.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.