TDSS Botnet Virtually 'Indestructible', Kaspersky Researchers Say

The TDSS malware, which spreads via porn and bootleg Web sites, as well as video game and file storage services, has been in development since 2008, according to Kaspersky researcher Sergey Golovanov. The malware is currently in its fourth version, known as TDL-4, and has thus far infected more than 4.5 million computers around the world—nearly one third of which are located in the U.S--during the first three months of 2010.

Security experts contend that unlike other sophisticated malware, such as Stuxnet, designed for industrial and politically targeted attacks, the TDSS botnet appears to have been designed solely as a money-making tool for cyber criminals, with capabilities that allow it to push rogue antivirus programs and spam, along with other malware.

“TDL has clearly been created with financial gain in mind,” Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab told CRN. “The fact that there’s this elaborate affiliate program which is aimed at infecting as many machines as possible shows it’s not designed for targeted attacks. That however doesn’t exclude the possibility of TDL being used as a delivery vehicle for targeted attacks.”

What distinguishes the TDSS botnet is its updated defense and propagation mechanisms, researchers say. The malware is hardened with a slew of capabilities that ensure its survival by expertly hiding its presence, clearing its tracks and wiping out competing botnets.

“TDSS uses a range of methods to evade signature, heuristic and proactive defection and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.” said Golovanov, in a blog post. “The owners of the TDL are essentially trying to create an indestructible botnet that is protected against attack, competitors and antivirus companies.”

One of the biggest distinguishing features for the TDSS botnet is an antivirus function that allows it to destroy competing botnets, while effectively hiding itself from legitimate antivirus programs. TDL-4 can delete up to 20 competing malicious programs, including Gbot, Zeus, Clishmic and Optima, among others. "Not all of them, of course, just the most common,” Golovanov said.

After infecting a PC, TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets, and prevents victims’ computers contacting them.

“This antivirus actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand, it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine,” Golovanov wrote.

TDSS Downloads Malware For Financial Gain Meanwhile, the malware has the ability to download an array of malicious programs, including fake antivirus, adware and the Pushdo spambot, to use for its own purposes. It also possesses the ability to effectively embed itself in victim’s PCs, circumvent most antimalware programs, and access infected computers even when the parent botnet control centers are shut down.

The latest version of TDSS also changes the algorithm to encrypt the communication protocol between bots and the botnet command and control servers to evade detection. The new protocol is designed to protect infected computers from network traffic analysis while blocking cybercriminals’ attempts to take control of the botnet, Golovanov said.

In addition, TDSS comes equipped with features that allow it to access the Kad network, (a public P2P network), which it uses to send commands to infected computers incorporated in the botnet. With access to Kad, cybercriminals behind TDSS can download any files to botnet machines and make them available to P2P users.

Schouwenberg said that the combination of a more traditional command and control architecture, along with its use of P2P networks for issuing commands gives the TDSS a multi-layer defense approach that will make the botnet extremely difficult for the security community to contain or slow in the future.

“That would make a successful takedown extremely difficult because both channels would have to be hit successfully at the same time,” he said. “Right now it looks like the only thing that would stop this botnet is an arrest of the authors and a subsequent takeover by LE.”