Researchers at Kaspersky Labs have discovered an ‘indestructible’ botnet controlling more than 4.5m computers, five percent of them in the UK, which presents “the most sophisticated threat today”.
The researchers say the TDL-4 malware which constructs the botnet, also known as TDSS, hides itself in places rarely scanned by antivirus software and protects itself with its own brand of AV. It also uses a public P2P network so that it can operate without a central command server if necessary.
The botnet borrows some exploits from the Stuxnet virus and receives commands via a public P2P network, which removes the need for command servers and makes it even harder to track down those controlling it.
“The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies,” wrote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov in their detailed analysis of the virus.
“The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and acts as a launch pad for other malware.”
The virus is spread via affiliate websites that, according to Golovanov and Soumenkov, receive $20-200 (£12-125) per 1,000 installations depending on the location of the computer. It has been found on porn websites, movie pirating sites, and video and image storage sites.
The Kaspersky researchers say that, based on the prices quoted by affiliates, the infected computers in the US – 28 percent of the total discovered so far – are worth $250,000 (£156,000), “a sum which presumably made its way to the creators of TDSS.”
Establishing proxy servers on infected computers has also allowed anonymous internet access for the botnet’s controllers, something Golovanov and Soumenkov said has been offered by the criminals for $100 (£60) per month.
Those responsible have even developed a Firefox add-on for toggling between proxy servers within the browser.
As with previous versions of the virus, it also includes modules for search-engine substitution and fake clicking, they said.
The researchers were able to locate three MySQL databases, in Moldova, Lithuania and the US, which revealed the extent of infection – more than 4.5m infections in the first three months of 2011.
Golovanov and Soumenkov concluded: “TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.”