BOO! TDL4 Botnet Do-Over Scary as Hell

Just in time for Halloween, one of the world’s stealthiest, most pervasive, and just plain terrifying botnets has received a complete makeover. A disturbing development in an arena where adware, malware, botnets and Trojans are already making our worst nightmares come true, the new face of TDL4 suggests that our anti-spam efforts will become even more trying. Not to be outdone, M. Night Shyamalan is rumored to be taking the directing helm for an overtly artsy movie treatment of the situation. Mercifully, reports suggest that the movie will circumvent theaters and go straight to Blu-Ray.

In an attempt to reinforce the gravity of the situation – and in keeping with the time of the year – we could implement some irritatingly flashing lights, pithy onomatopoeias, and ghoulish sound effects; but like some of the greatest horror movies in the history of Hollywood, this is one of those instances where special effects and overdramatics just aren’t needed. This one is standalone scary. The TDL4 botnet, also known as Alureon and TDSS, recently received a thorough makeover, and if it’s as bad as some of the researchers are reporting, we may be the ones picking up the tab for the rootkit’s sexy new look.

Considered by many as the most sophisticated threat out there, TDL4 already had a reputation for being a naughty little boy before this most recent development in its evolution. With the ability to evade detection – either signature or heuristic based – and its encryption-based communication between bots and the botnet command and control center, TDL4 also contains a rootkit component which forces payloads of keyloggers, adware and other malware onto infected systems.

A major aspect of TDL4’s new look is in the way it infects its prey. According to The Register, “The makeover includes changes to the way TDL4 attempts to remain undetected by antivirus programs and other defenses. Newer versions create a hidden partition at the end of the infected machine’s hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run.” Furthermore, the malware has a nasty way of protecting itself against removal. “The partition is equipped with an advanced file system that checks the integrity of TDL4 components. If any of the files are corrupted, they’re removed.”
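The detail worth acting on in that description is the partition-table change: a small extra partition at the end of the disk whose entry is flagged active, so the BIOS hands control to it before Windows boots. That is visible to a defender without any knowledge of the rootkit’s own code, because the MBR partition table is a fixed 64-byte structure. The following is an added example, not code from the article or from The Register, that parses the four MBR entries and flags the pattern just described: more than one entry marked active, or an active entry that is the last partition, is small, and ends within a few sectors of the disk end. The disk image, geometry and partition values are constructed for the example; on a real machine the same parser would be fed the first 512 bytes of the physical disk.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries live at 446..509
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE_FLAG = 0x80

# Constructed disk geometry for the example: a 500 GB disk in 512-byte sectors.
DISK_SECTORS = 976_773_168


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of an MBR partition table as dicts."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[offset:offset + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue                    # unused slot
        entries.append({
            "index": index,
            "status": status,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def find_suspicious_active_partitions(entries: list, disk_sectors: int,
                                      tail_slack: int = 4096,
                                      small_limit: int = 64 * 1024 * 1024 // 512) -> list:
    """Flag active-partition patterns that do not match a normal Windows layout.

    tail_slack: how close (in sectors) to the end of the disk counts as "at the end".
    small_limit: partitions at or below this many sectors (default 64 MiB) count as small.
    """
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; a normal MBR has at most one")
    for e in entries:
        if e["status"] not in (0x00, ACTIVE_FLAG):
            findings.append(f"entry {e['index']} has invalid status byte 0x{e['status']:02x}")
    last_start = max(e["lba_start"] for e in entries) if entries else 0
    for e in active:
        end = e["lba_start"] + e["sectors"]
        at_tail = end >= disk_sectors - tail_slack
        if e["lba_start"] == last_start and at_tail and e["sectors"] <= small_limit:
            findings.append(
                f"entry {e['index']} is active, small ({e['sectors']} sectors) and sits at the "
                f"end of the disk (LBA {e['lba_start']}..{end}); check it before trusting the boot chain")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed MBR: a normal NTFS system partition plus a small active partition at the disk tail."""
    mbr = bytearray(MBR_SIZE)
    boot_sectors = DISK_SECTORS - 2048 - 8192 - 48          # leave 8192 sectors + 48 spare at the end
    hidden_start = 2048 + boot_sectors
    slots = [
        (ACTIVE_FLAG, 0x07, 2048, boot_sectors),            # the real Windows partition
        (ACTIVE_FLAG, 0x07, hidden_start, 8192),            # 4 MiB tail partition, also marked active
    ]
    for i, (status, ptype, start, count) in enumerate(slots):
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        mbr[offset:offset + ENTRY_SIZE] = struct.pack(
            ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    for finding in find_suspicious_active_partitions(table, DISK_SECTORS):
        print(finding)
```

The check deliberately keys on layout rather than on a partition type code or a byte signature, so it does not depend on a particular build of the malware; the trade-off is that a legitimate recovery or OEM partition at the end of the disk can trip the size and position heuristic, which is why the output is a pointer to inspect, not a verdict. Reading the real MBR requires raw access to the physical disk, which on Windows means an administrator opening the physical drive device.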

A chilling aspect to this story is the premonition that the reason for TDL4’s overhaul is most likely due to some new opportunities to conduct some nefarious business. “The code overhaul,” writes The Register, “may mean that operators of TDL4, which is used to force keyloggers, adware, and other malicious programs onto compromised machines, may have started providing services to other crimeware groups.” It’s pervasive and fast-moving, too. In June, the rootkit overtook 4.5 million computers in just three months.

In 2010, Vyacheslav Rusakov examined the rootkit in great detail and noted that, “There is no doubt that TDL-4 is ‘armed to the teeth’ and poses a very serious threat to users.” He also notes an increase in infections of 64 bit systems, not surprising since TDL4 was “among the first rootkits to infect 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy.” With the continued and increased usage of 64 bit systems, it’s inevitable that more and more malware will target these systems, and there are inherent problems with this new breed of malware. Rusakov points out that “most contemporary antivirus, and specifically anti-rootkit, technologies are no match for threats targeting 64-bit platforms, which makes the average malware writer’s life much easier.”

As usual, we’re either just keeping up, or more likely, falling behind in the battle against malware. “The latest changes suggest that the relentless innovation of those developing TDL4 shows no signs of slowing,” reports The Register, and there’s no arguing with the obvious.

As I write this article on the eve before Halloween, I stop to stare out my window at the first snowfall of the pending winter. The last remnants of the summer – the dead and dying leaves – are unceremoniously ripped from the trees by an unfriendly arctic blast. Perhaps it’s my overactive imagination combined with the starkness of Halloween, but the imagery seems fitting. If this new demon that is TDL4 is half the monster that they’re saying it is, 2012 is going to be a scary year.