There has been a lot of buzz lately about TDSS, mainly due to the arrival last year of the latest variant, TDL4.
Given the discussion, it's worth taking time to understand the nature of this piece of malware and its security implications.
First noticed in 2008, TDSS is malware with advanced rootkit capabilities. Once installed, it takes control of the computer away from its owner and links the infected system to other compromised machines, forming a botnet.
This botnet is then controlled by the malware operators for malicious purposes such as downloading data-stealing Trojans, rogue anti-virus programs and ransomware.
Because TDSS infections often pass unnoticed, it all happens without the knowledge of the computer owner.
One reason TDSS has garnered so much attention is that it is estimated to have infected around five million computers. Its spread has been aided by several sophisticated technologies.
First, TDSS uses a technique known as a bootkit to infect the master boot record (MBR) of the computer's hard drive. Because the MBR is loaded at start-up before the operating system, the infected record runs first and can patch the operating system as it loads to suit its needs.
Secondly, it plugs itself into the system and hides, so that TDSS files often can't be seen even under direct examination. TDSS also has advanced peer-to-peer functionality that lets infected computers communicate with each other directly, so the entire botnet can relay commands rather than depending on only one or a few command-and-control servers. It even includes its own customized anti-virus engine that allows it to delete rival malware on the system.
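The bootkit point above comes down to one fact: the first sector of the disk is executed before the operating system, so an overwritten MBR is the thing to look for. The following script is an added example, not code from the original article or from any TDSS analysis: it parses a raw 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code and compares it against a baseline recorded from a known-good disk, and sanity-checks the partition table. The sample sectors, the baseline and the partition values are constructed for the demonstration; `read_disk_mbr` is a helper for use on a real device and needs administrator or root rights. One caveat that follows from the hiding behaviour described in the text: a rootkit that filters disk reads can hand a clean copy of the sector back to a tool running on the infected system, so the comparison is only trustworthy when the disk is read from a separate boot medium or with the disk mounted on another machine.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code, bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries, bytes 446..509
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"     # bytes 510..511
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, off)
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIG,
    }


def check_mbr(mbr: bytes, baseline_sha256: str,
              disk_sectors: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the recorded baseline: "
                        "possible bootkit overwrite, compare against a known-good copy")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {i}: empty extent with non-zero type 0x{p['type']:02x}")
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {i}: extends past the end of the disk")
    return findings


def read_disk_mbr(device: str) -> bytes:
    """Read the first sector of a block device (needs administrator/root rights).
    Typical device names: r"\\.\PhysicalDrive0" on Windows, "/dev/sda" on Linux."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# ---- constructed sample sectors (not captured from a real disk) ----
def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_FMT, status, b"\xfe\xff\xff", ptype,
                                 b"\xfe\xff\xff", lba_start, sectors)
                     for status, ptype, lba_start, sectors in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIG


# stand-in bootstrap bytes; a real loader is longer, the layout is what matters here
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# same partition table, different bootstrap code: what an MBR overwrite looks like
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90", [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sample, BASELINE, disk_sectors=209715200) or ["ok"])
```

Record the baseline hash when a machine is built or imaged, keep it outside the machine, and rerun the comparison from boot media when the symptoms described later in the article appear.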
All of these advances signify the lengths that malware authors and cyber criminals are going to, as they seek to make malware more resistant to detection and disinfection.
Method of infection
Infection occurs in a litany of ways, including drive-by downloads and social engineering-based attacks.
The authors behind TDSS make use of affiliate programs that encourage cyber criminals to distribute the malware on their behalf.
It's a little like the relationship between a manufacturer and a retailer, where an affiliate may receive twenty cents per infection.
While it may not sound like much to begin with, once you factor in five million or so infections, the earning potential becomes impressive.
At its core, TDSS manipulates search engine results for black-hat search engine optimisation, displaying ads and sites that earn revenue from pay-per-click schemes.
The first symptoms most users notice are a slowdown when browsing and an increase in web traffic to unexpected or unintended websites.
Search results may be intercepted and replaced with alternative listings that usually lead to pay per click sites.
Another potential symptom of infection is a sudden system restart. Because the rootkit installs itself in the master boot record, which is only read at boot time, TDSS needs a restart before it can begin working properly. However, not every system restart should be taken as an indication of infection.
Is there a cure?
It's unfortunate TDL4 has been described as “indestructible” because the term has caused confusion.
Any computer infection can be isolated and cured using the right security software, and there are numerous solutions available to help users treat TDL4.
The botnet itself is harder to take down because of the peer-to-peer functionality mentioned earlier. There is no single controlling point to remove: in a centralised botnet, seizing the command-and-control server is the equivalent of taking off the bot's head, but TDL4 does not depend on one.
This makes take-downs especially complicated, as any infected computer in the botnet can also send commands and updates to its peers.
That makes it all but impossible to finish off every TDL4 bot with a single blow, as happened with Coreflood or Rustock.
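To make the take-down argument concrete, here is an added simulation that is not part of the original article: a star-shaped botnet where every bot talks only to one command-and-control server, beside a constructed peer-to-peer botnet where each bot keeps a small peer list (its ring neighbours one, two and three positions away, chosen so the graph is deterministic). Removing the C2 node leaves the centralised botnet uncommandable, while removing fifty bots from the peer-to-peer graph still leaves every survivor reachable from a command injected at any single remaining bot. The topology and the node names are assumptions made for the demonstration, not a description of TDL4's real peer-selection logic.

```python
from collections import deque
from typing import Dict, Iterable, Set

Graph = Dict[str, Set[str]]


def centralized_botnet(n_bots: int) -> Graph:
    """Star topology: every bot links only to the C2 server."""
    graph: Graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph


def p2p_botnet(n_bots: int, jumps=(1, 2, 3)) -> Graph:
    """Constructed peer graph: bot i keeps bots i +/- 1, 2, 3 (mod n) in its peer list.
    Links are undirected, so any bot can relay a command to its peers."""
    graph: Graph = {f"bot{i}": set() for i in range(n_bots)}
    for i in range(n_bots):
        for j in jumps:
            peer = (i + j) % n_bots
            graph[f"bot{i}"].add(f"bot{peer}")
            graph[f"bot{peer}"].add(f"bot{i}")
    return graph


def take_down(graph: Graph, nodes: Iterable[str]) -> Graph:
    """Return the graph with the given nodes (and links to them) removed."""
    gone = set(nodes)
    remaining: Graph = {n: set(nb) for n, nb in graph.items() if n not in gone}
    for nb in remaining.values():
        nb.difference_update(gone)
    return remaining


def reachable_from(graph: Graph, sources: Iterable[str]) -> Set[str]:
    """Breadth-first search: every node a command injected at `sources` can reach."""
    seen: Set[str] = {s for s in sources if s in graph}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nb in graph[node]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen


def bots_still_commandable(graph: Graph, command_sources: Iterable[str]) -> int:
    """Number of bots that still receive commands injected at `command_sources`."""
    return sum(1 for n in reachable_from(graph, command_sources) if n.startswith("bot"))


def simulate(n_bots: int = 1000, removed: int = 50) -> Dict[str, int]:
    """Compare one 'single blow' against each topology."""
    central = centralized_botnet(n_bots)
    after_c2_seizure = take_down(central, {"c2"})
    p2p = p2p_botnet(n_bots)
    # remove every 20th bot: a deterministic set of `removed` non-adjacent nodes
    victims = {f"bot{i}" for i in range(0, n_bots, n_bots // removed)}
    survivors = take_down(p2p, victims)
    return {
        "centralized_before": bots_still_commandable(central, ["c2"]),
        "centralized_after_c2_seized": bots_still_commandable(after_c2_seizure, ["c2"]),
        "p2p_after_50_bots_cleaned": bots_still_commandable(survivors, ["bot1"]),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The peer-to-peer figure stays high because cleaning one machine only removes one set of links; the operator can inject commands at any surviving bot and they propagate through the rest, which is why every infected host has to be found and cleaned individually.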
With complete eradication unlikely any time soon, the message for security managers is to remain vigilant. TDL4 can be removed. The tricky part is identifying whether you have a problem and this requires listening to users and watching for symptoms.