Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Botnet "Indestructible," Say Researchers

Posted by samzenpus on from the +1-or-better-update-to-hit dept.

CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

3 of 583 comments (clear)

  1. Re:Take 'em offline by realityimpaired · · Score: 5, Informative

    Netcat, and watching for traffic from a system that you know for a fact isn't sending that kind of traffic.

    Without your ISP installing some kind of spyware on your computer to determine if you have torrent or other p2p software installed, they have no way of knowing whether that encrypted p2p traffic coming from your system is a virus, or you trying to download a movie. And as for them determining how many systems are infected? That same netcat... once they know the traffic is there, it is fairly easy to find the source of the traffic, and then to analyse said source. Once they find a way into the network, it's fairly trivial to estimate how many clients are connected to it. Taking over the network is another animal entirely, but figuring out how many are connected to it is relatively easy.

  2. Re:Invisible? by schwit1 · · Score: 5, Informative

    http://download.bitdefender.com/rescue_cd/
    http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/

    Both of these update from the internet after booting up.

  3. Detection and removal by Zaphod-AVA · · Score: 5, Informative

    When they say indestructible, they mean it's more difficult to steal control of the botnet, like they have done with several other hostile networked threats, not that it can't be detected and removed.

    To detect it, run the latest version of GMER.
    http://www.gmer.net/

    To remove it, you need to run a series of three scanners in this order:
    TDSSkiller
    http://support.kaspersky.com/viruses/solutions?qid=208280684

    Combofix
    http://www.bleepingcomputer.com/download/anti-virus/combofix

    and Malwarebytes' Antimalware
    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1

    Note that TDL4 is often a blended threat, and has other secondary infections that can cause issues. One of the most common does search redirection that can make it hard to get to the tools to remove it. Most versions of that you can work around by clicking on the Google cache of the site with the tool instead of the link itself.

    As for who to blame, most of the infections installed on people's machines were abusing exploits in Adobe Flash. Keeping up to date helps, but I started installing Flashblock on my client's systems because I was convinced there were unknown Flash exploits.

    -Z