TDL4 - The ‘indestructible’ botnet

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.


  • Encrypted network connections

    One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

    [.................]
  • An antivirus of its own

    Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

    TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.
    TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

    This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.
    [.................]
  • Botnet access to the Kad network

    One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

    We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet.
    [.................]
  • Extended functionality

    In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.
    [.................]
  • The proxy server module

    A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.
    [.................]
  • 64-bit support

    The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.
    [.................]
  • Working with search engines

    The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines.
    [.................]
  • Botnet command and control servers

    When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection.
    [.................]
  • Command and control server statistics

    Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.
    [.................]
  • To be continued…

    The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware launching prior to operating system start, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware.
    [.................]

Read more

Very informative article, definitely a 'must' read. TDL4's features are very impressive and show just how much malware has evolved in the past few years.
Go here to read it.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
The title says it all; effects are minor to major on a nasty rootkit which is the latest threat until now.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Yeah, she's a beauty in the eyes of cyber criminals. I say this is only the beginning of what we're really going to see. I love the part of it detecting and removing other competing threats.
 

Deleted member 178

IT IS SKYNET MY FRIENDS ! SKYNET'S MINIONS ! THE END IS NEAR !!!! PREPARE YOURSELF !!!

uhm, sorry for this apocalyptic moment ^^
 

GabiCRX

Level 8
Verified
Jun 24, 2011
387
Looks like this malware wants to make history; it wants a place near Sality, Conficker, Zeus or SpyEye!
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Probably it's now already in history as one of the worst viruses/malware ever.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Got a sample of it; it's virtual-machine aware. When tested, it refuses to function in VMware. No surprise, I was expecting it, just thought I'd point it out.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Free Removal Tools Available for Sophisticated TDL4 Bootkit
[....]
It can infect both 32 and 64-bit versions of Windows and is one of the most sophisticated rootkits known to date. But despite this, the TDL4 bot can be removed from computers and most major antivirus programs are capable of doing this.

In addition, security companies have released stand-alone TDL4 removal tools that anyone can use for free without the need to replace their current antivirus program.

One of the companies who provide such an application is BitDefender. Its TDL4 removal tool is offered in both 32-bit and 64-bit versions. Kaspersky Lab also has a TDL4 cleaner dubbed TDSS Killer.

Read more

Removal of TDL4 with free tools :
Bitdefender Removal Tool - download from here
TDSS Killer from Kaspersky - download from here

Apparently the ‘indestructible’ botnet got pwned... I've used TDSS Killer from Kaspersky and it's a very good tool. However, I have never used the tool from Bitdefender; I might just give it a go in my VM. :)
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
@Jack Ah, thanks for the resources. I'm going to collect these just in case the moment arrives.
 

Deleted member 178

For info, Comodo Cleaning Essentials latest version can eradicate TDL4 too.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Kaspersky researchers published an article in which they've explained why they've called this botnet ‘indestructible’. Here is what they have to say:

TDL-4 Indestructible or not???


Our analysis, “TDL4 – Top Bot” by Sergey Golovanov and Igor Soumenkov, has rightly been getting a lot of attention. It’s an excellent analytical article which uncovers a very sophisticated and complex malware TDL-4 which is the latest version of TDSS.

Some commentators and other security researchers however, focusing on our use of the word “indestructible” in the article, seem to think that we believe the malware is indestructible. This is clearly not the case – that’s why we put the word in inverted commas. In fact, our own TDSS Killer can remove the malware.

The key line from the article is, “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”

It is the botnet which the owners want to bullet proof. To help achieve this TDL-4 uses its own encryption algorithm for communication between infected computers within the botnet:

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

On top of this, it uses a publicly accessible file exchange network, the KAD network for peer to peer communications between infected computers. In this way even if the command and control servers are shut down the owners of the botnet will still be in control of the botnet.

Read more

So after all, it's true: the headline of an article can "sell" the story better than anything else :dodgy:
 
