BOO! TDL4 Botnet Do-Over Scary as Hell

Published 2016-10-30 (modified 2019-04-17) at https://hidefideas.com/blog/2016/10/30/boo-tdl4-botnet-do-over-scary-as-hell/

Just in time for Halloween, one of the world's stealthiest, most pervasive, and just plain terrifying botnets has received a complete makeover. A disturbing development in an arena where adware, malware, botnets and Trojans are already making our worst nightmares come true, the new face of TDL4 suggests that our anti-spam efforts will become even more trying. Not to be outdone, M. Night Shyamalan is rumored to be taking the directing helm for an overtly artsy movie treatment of the situation. Mercifully, reports suggest that the movie will circumvent theaters and go straight to Blu-Ray.

In an attempt to reinforce the gravity of the situation – and in keeping with the time of the year – we could implement some irritatingly flashing lights, pithy onomatopoeias, and ghoulish sound effects; but like some of the greatest horror movies in the history of Hollywood, this is one of those instances where special effects and overdramatics just aren't needed. This one is standalone scary. The TDL4 botnet, also known as Alureon and TDSS, recently received a thorough makeover, and if it's as bad as some of the researchers are reporting, we may be the ones picking up the tab for the rootkit's sexy new look.

Considered by many as the most [sophisticated](http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) threat out there, TDL4 already had a reputation for being a naughty little boy before this most recent development in its evolution. Along with its ability to evade both signature-based and heuristic-based detection, and its encrypted communication between bots and the botnet command and control center, TDL4 contains a rootkit component that forces payloads of keyloggers, adware and other malware onto infected systems.

A major aspect of TDL4's new look is in the way it infects its prey. According to [The Register](http://www.theregister.co.uk/2011/10/21/stealthy_rootkit_overhauled/), "The makeover includes changes to the way TDL4 attempts to remain undetected by antivirus programs and other defenses. Newer versions create a hidden partition at the end of the infected machine's hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run." Furthermore, the malware has a nasty way of protecting itself against removal. "The partition is equipped with an advanced file system that checks the integrity of TDL4 components. If any of the files are corrupted, they're removed."

A chilling aspect to this story is the premonition that TDL4's overhaul is most likely driven by new opportunities to conduct some nefarious business. "The code overhaul," writes The Register, "may mean that operators of TDL4, which is used to force keyloggers, adware, and other malicious programs onto compromised machines, may have started providing services to other crimeware groups." It's pervasive and fast-moving, too. In June, the rootkit overtook [4.5 million computers](http://www.theregister.co.uk/2011/06/29/tdss_alureon_advances/) in just three months.

In 2010, Vyacheslav Rusakov examined the rootkit in [great detail](http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4) and noted that, "There is no doubt that TDL-4 is 'armed to the teeth' and poses a very serious threat to users." He also notes an increase in infections of 64-bit systems, not surprising since TDL4 was "among the first rootkits to [infect 64-bit versions of Windows](http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/) by bypassing the OS's kernel mode code signing policy." With the continued and increased usage of 64-bit systems, it's inevitable that more and more malware will target them, and there are inherent problems with this new breed of malware. Rusakov points out that "most contemporary antivirus, and specifically anti-rootkit, technologies are no match for threats targeting 64-bit platforms, which makes the average malware writer's life much easier."

As usual, we're either just keeping up, or more likely, falling behind in the battle against malware. "The latest changes suggest that the relentless innovation of those developing TDL4 shows no signs of slowing," reports The Register, and there's no arguing with the obvious.

As I write this article on the eve before Halloween, I stop to stare out my window at the first snowfall of the pending winter. The last remnants of the summer – the dead and dying leaves – are unceremoniously ripped from the trees by an unfriendly arctic blast. Perhaps it's my overactive imagination combined with the starkness of Halloween, but the imagery seems fitting. If this new demon that is TDL4 is half the monster that they're saying it is, 2012 is going to be a scary year.