The world’s most sophisticated malware has this year infected some 4.5 million machines, borrows code from Stuxnet and is virtually indestructible, according to security researchers at Kasperky.
The TDSS malware, its forth incarnation dubbed TDL-4, dodged signature, heuristic, and proactive anti-virus detection, used a sophisticated rootkit, and encrypted communication between infected bots and its command and control centre.
It had survived since 2008 and was adapting: its Russian-based creators are upgrading TDL-4 with a rootkit to operate on 64-bit systems, peer-to-peer technology, an inbuilt “antivirus”, MBR infection capability to run at system boot, and exploits used by Stuxnet.
The malware had infected 90,000 computers in Australia between January and March, according to results from crafted requests sent over the TDL-4 protocol.
But not one machine in Russia was infected. Eugene Kaspersky, founder of the security company had said previously that malware writers excluded Russian computers from infection to avoid triggering interest from local police.
“Writers attempted to ensure they had access to infected computers even in cases where the botnet control centres are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies,” said Kaspersky researchers Sergey Golovanov and Igor Soumenkov.
“TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike.”
The latest version used a rootkit to cloak the malware like the Pushdo spambot and fake anti-virus apps, which it downloaded to victim machines.
Rival malware was not as lucky. TDL-4 contains an ‘antivirus’ component that would scan registries to destroy other malware like Gbot, ZeuS and Clishmic, including their remote command and control links, that threaten to blow its cover.
Along with typical profits made from malware installations, the TDL-4 masters are offering its 4.5 million-strong botnet as an anonymous proxy service for about $100 a month.
They even developed a Firefox add-on that allowed users to toggle between proxy servers within the browser.
The latest version also contained revamped encryption. It had swapped the RC4 algorithm with custom built code that used XOR swaps and a bash parameter identifier to encrypted communication between infected bots and command and control servers.
This “ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cyber criminals to take control of the botnet”, researchers said.
Infected machines talk over a private channel in the Kad peer-to-peer network, but it keeps a handful of infected machines in the public space as redundancy against attempts to hijack the botnet.
Researchers also said the malware spread through an affiliate program, a typical practice, using a TDL distribution client, and typically uploaded the malware to pornographic web sites and cyberlockers.