Kasperksy Lab analysts Sergey Golovanov and Igor Soumenkov have just released some startling information about what they claim is the 'most indestructible' botnet ever discovered. It is a variant on the TDSS rootkit which first appeared in 2008, and has gone through numerous 'releases' including TDL-3 in 2010 and finally TDL-4 today. It is important to note that TDL-4 is used to describe both the botnet itself and the trojan rootkit malware which initially infects the host computer.
- From January through to March of 2011, TDL-4 has infected 4,524,488 computers worldwide.
- There are three command and control centers; in Moldova, Lithuania and USA.
- It uses a custom encrypted communications protocol based on a public P2P (Peer to Peer) networking standard to communicate between itself, other infected members of the botnet and the command and control centre.
- It includes a proxy server module which allows criminals to anonymously surf the internet using the infected PC's internet connection.
- It can infect both 32-Bit and 64-Bit editions of Windows.
- It removes other (competing) viruses and botnet malware from the infected machine, leaving itself access to more bandwidth and resources.
- It inserts itself into the MBR (master boot record) of the infected PC, meaning it gets loaded before Windows and making it extremely difficult for anti-virus software to detect it.
- Once installed, it systematically downloads and installs a growing list of 'add-on' malware programs (currently up to 30 and growing) including fake anti-virus software, adware and spambot applications.
- Software to both scan for the TDL-4 infection and remove it is available from Kaspersky here.