TDL-4 is endowed with an array of improvements over the previous versions. Its command-and-control servers can communicate with its army using an encrypted method to hide what it's doing from network monitors.
Security researchers have discovered a sophisticated botnet that has infected millions of computers around the world, according to multiple press reports.
The botnet, called TDL-4, has ensnared more than four million PCs globally in the first three months of 2011, according to researchers at Kaspersky Lab.
In its official blog post, the Moscow-based antivirus firm describes the botnet malware as the “most sophisticated threat” to computer security today.
TDL-4 among the most complex malware to analyze
TDL-4, a variant of the TDSS malware family, which has been around since 2008, appears to be an upgrade of the previous version, TDL-3.
“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system,” reads the blog post.
TDL-4 "is one of the most technologically sophisticated and most complex to analyze malware," Sergey Golovanov, a malware researcher at Kaspersky Lab, wrote June 27 on the SecureList blog.
Endowed with an array of improvements
According to Kaspersky Lab, TDL-4 infected 4.5 million machines in just the first three months of this year.
"The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other," the Kaspersky researchers wrote. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."
One of the key changes in TDL-4 is an updated custom encryption algorithm that appears to use the domain names of the botnet's command-and-control servers as the encryption keys, according to Golovanov's analysis.
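The practical consequence of keying C2 traffic on the server's domain name is worth spelling out: a network monitor that lacks the key sees only opaque bytes, but the key material is the very domain list configured into the bot, so an analyst who extracts that list from a sample can decrypt captured traffic by trying each domain in turn. The following is an added, illustrative model of that design and is not TDL-4's own algorithm (Kaspersky describes it only as a customized cipher keyed by the C2 domain names); the SHA-256 key derivation, the HMAC-based keystream, the nonce handling, the JSON beacon format and the example domains are all assumptions made for this demonstration.

```python
"""Illustrative model of a C2 channel whose encryption key is derived from the
C2 server's domain name. Added example; not TDL-4's actual algorithm. The key
derivation, keystream, nonce handling and message format are assumptions."""
import hashlib
import hmac
import json


def key_from_domain(domain: str) -> bytes:
    # Assumption: the key is the SHA-256 digest of the lower-cased domain name.
    return hashlib.sha256(domain.strip().lower().encode()).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stdlib only). It stands in
    # for whatever block or stream cipher a real bot would use.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(domain: str, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key_from_domain(domain), nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def bot_beacon(domain: str, nonce: bytes, bot_id: str, version: str) -> bytes:
    # Constructed check-in message: what the bot side would put on the wire.
    msg = json.dumps({"id": bot_id, "ver": version, "cmd": "checkin"}).encode()
    return encrypt(domain, nonce, msg)


def try_decrypt_with_domains(blob: bytes, nonce: bytes, candidates) -> tuple:
    """Analyst side: try every C2 domain recovered from the sample's config.
    Returns (domain, decoded message) for the first candidate that yields a
    well-formed JSON object carrying a "cmd" field, else (None, None)."""
    for domain in candidates:
        pt = decrypt(domain, nonce, blob)
        try:
            msg = json.loads(pt.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # wrong key: keystream garbage, not valid UTF-8 JSON
        if isinstance(msg, dict) and "cmd" in msg:
            return domain, msg
    return None, None


if __name__ == "__main__":
    # Constructed domain list; not real TDL-4 infrastructure.
    c2_domains = ["c2-one.example", "c2-two.example", "c2-three.example"]
    nonce = b"\x00" * 8  # assumed to travel in the clear alongside the message
    blob = bot_beacon("c2-two.example", nonce, "BOT-0001", "4.0")
    print("on the wire:", blob.hex())            # opaque to a monitor
    print("recovered:", try_decrypt_with_domains(blob, nonce, c2_domains))
```

The design choice this models is the attacker's trade-off: deriving keys from configuration already in the binary avoids shipping a separate secret, but it means the key space collapses to the C2 domain list once a sample is unpacked, which is exactly the data a malware analyst extracts first.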
The infected machines are sometimes known as "zombies"; a botnet is a network of such compromised computers that criminals can control remotely, typically to steal data from victims' PCs and send spam email.
How botnets work
The malware is distributed through booby-trapped websites, such as those offering porn and pirated films. It installs itself into the Windows system files on visitors' computers by exploiting unpatched vulnerabilities in Microsoft software, and then strongly resists attempts to remove it from infected machines, according to Kaspersky Lab.
"For all intents and purposes, [TDL-4] is very tough to remove," said Joe Stewart, director of malware research at Dell SecureWorks, to Computerworld.
"It's definitely one of the most sophisticated botnets out there."
An affiliate can earn anywhere between $20 and $200 from the criminals behind TDL-4 for every 1,000 new machines it helps infect with TDL, according to Golovanov.
TDL-4 infected 4,524,488 computers around the world in the first three months of 2011. 28 percent of all infected computers are in the United States. India and the United Kingdom also account for significant numbers, with 7 percent and 5 percent of victims respectively, and France, Germany and Canada each account for around 3 percent.