A Smarter, Stealthier Botnet

A new kind of botnet—a network of malware-infected PCs—behaves less like an army and more like a decentralized terrorist network, experts say. It can survive decapitation strikes, evade standard defenses, and even wipe out competing criminal networks.

The botnet's resilience is due to a highly sophisticated piece of malicious software called TDL-4, which in the first three months of 2011 infected more than 4.5 million computers around the world, about a third of them in the United States.

The emergence of TDL-4 shows that the business of installing malicious code on PCs is thriving. Such code is used to conduct spam campaigns and various kinds of theft and fraud, such as siphoning off passwords and other sensitive data. It has also been used in the billion-dollar epidemic of fake antivirus scams.

"Ultimately TDL-4 is simply a tool for maintaining and protecting a compromised platform for fraud," says Eric Howes, malware analyst for GFI Software, a security company. "It's part of the black service economy for malware, which has matured considerably over the past five years and which really needs a lot more light shed on it."

Unlike other botnets, the TDL-4 network does not rely on a few central "command-and-control" servers to pass along instructions and updates to all the infected computers. Instead, computers infected with TDL-4 pass along instructions to one another using public peer-to-peer networks. This makes it a "decentralized, server-less botnet," wrote Sergey Golovanov, a malware researcher at the Moscow-based security company Kaspersky Lab, in his blog post describing the new threat.

"The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies," Golovanov wrote. He added that it "is one of the most technologically sophisticated, and most complex-to-analyze malware."

The TDL-4 botnet also breaks new ground by using an encryption algorithm that hides its communications from traffic-analysis tools. This is an apparent response to efforts by researchers to discover infected machines and disable botnets by monitoring their communication patterns, rather than simply identifying the presence of the malicious code.
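The two paragraphs above describe the defender's side of this arms race: once a botnet swaps central servers for peer-to-peer instruction passing and encrypts its payloads, the one thing still visible on the wire is the communication pattern itself. The following is an added example, not code from the article or from Kaspersky, of the simplest form of that pattern analysis: flagging internal hosts that exchange small flows with an unusually large number of distinct external peers on one port. The flow-record layout (timestamp, source, destination, destination port, protocol, bytes), the sample addresses and the port number are all constructed for the example, and the threshold is an assumption a real deployment would tune against its own baseline.

```python
"""Heuristic fan-out detector for peer-to-peer command-and-control traffic.

Added example (not from the original article). It works purely on flow
metadata, so it still applies when the botnet encrypts its messages: a
decentralized botnet must talk to many peers, and that fan-out is visible
even when the content is not.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records (constructed layout, see module doc)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes)))
    return flows


def peer_fanout(flows: List[Flow]) -> Dict[Tuple[str, str, int], int]:
    """Count distinct destination hosts per (source, protocol, destination port)."""
    peers = defaultdict(set)
    for f in flows:
        peers[(f.src, f.proto, f.dport)].add(f.dst)
    return {key: len(dsts) for key, dsts in peers.items()}


def flag_p2p_fanout(flows: List[Flow], min_peers: int = 20) -> List[Tuple[str, str, int, int]]:
    """Return (src, proto, dport, peer_count) for sources exceeding the fan-out threshold.

    min_peers is an assumed starting point; tune it against a baseline of
    your own network, since legitimate P2P clients and CDN-heavy browsing
    also produce wide fan-out.
    """
    return sorted(
        (src, proto, dport, n)
        for (src, proto, dport), n in peer_fanout(flows).items()
        if n >= min_peers
    )


def build_sample_flows() -> str:
    """Constructed sample data: one ordinary host and one host with P2P-style fan-out."""
    lines = ["# ts src dst dport proto bytes (constructed records)"]
    # Ordinary browsing: a few larger flows to a handful of web servers.
    for i in range(3):
        lines.append(f"2011-06-01T10:00:{i:02d} 10.0.0.5 203.0.113.{10 + i} 443 tcp 5120")
    # Suspicious: many tiny datagrams to 30 distinct peers on one high UDP port
    # (the port 40000 is a constructed value, not a known TDL-4 artifact).
    for i in range(30):
        lines.append(f"2011-06-01T10:01:{i:02d} 10.0.0.9 198.51.100.{1 + i} 40000 udp 210")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, proto, dport, n in flag_p2p_fanout(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {n} distinct peers on {proto}/{dport}")
```

The point of keying on (source, protocol, port) rather than on the source alone is that a busy workstation legitimately talks to hundreds of web servers over tcp/443; wide fan-out concentrated on a single non-web port is the stronger signal. This is a triage heuristic to surface hosts for investigation, not proof of infection.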

Demonstrating that there is no honor among malicious software writers, TDL-4 scans for and deletes 20 of the most common kinds of competing malware, so it can keep infected machines all to itself. "It's interesting to note that the features are generally oriented toward achieving perfect stealth, resilience, and getting rid of 'competitor' malware," says Costin Raiu, another malware researcher at Kaspersky.

Distributed by criminal freelancers known as affiliates, who get paid between $20 and $200 for every 1,000 infected machines, TDL-4 lurks on porn sites and some video and file-storage services, among other places, where it can be automatically installed using vulnerabilities in a victim's browser or operating system.

Once TDL-4 infects a computer, it downloads and installs as many as 30 pieces of other malicious software—including spam-sending bots and password-stealing programs. "There are other malware-writing groups out there, but the gang behind [this one] is specifically focused on delivering high-tech malware for profit," says Raiu.
