New TDL-4 botnet cannot be destroyed
30.06.11, 12:24, Msk
The emergence of a new botnet that has already captured more than four million Windows computers is worrying security specialists. A botnet this powerful is a business, built to run spam, phishing and DDoS campaigns.
The new, improved botnet, which has infected more than four million PCs, is "almost indestructible", security researchers say.
"TDL-4" is the name both of the Trojan that infects machines and of the group of computers joined together by the virus's actions. "Today it is the most sophisticated threat," Sergey Golovanov, a researcher at Kaspersky Lab, noted in a detailed analysis. "TDL-4 is practically indestructible."
Other specialists agree. Joe Stewart, director of malware research at Dell SecureWorks and a world-renowned botnet expert, said: "I would not say it cannot be destroyed, but for the most part it cannot be destroyed. It does a very good job of restoring itself."
The experts base their judgement on several characteristics of TDL-4, all of which make it an extremely tough nut to detect, remove, suppress or destroy.
For one thing, Golovanov said, TDL-4 infects the MBR, the master boot record of the PC's hard drive, with a rootkit: malware that hides itself from the operating system so that it cannot be removed. Because code in the MBR runs before Windows itself loads, a rootkit lodged there can control what the operating system later sees. Once it is in the MBR, TDL-4 becomes invisible to the operating system and, worse, to the antivirus and security software that is supposed to detect malicious code.
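The practical consequence of an MBR rootkit is that the infected system cannot be trusted to report on its own first sector, so the check has to be done from outside. The script below is an added example, not code from the article, from Kaspersky Lab or from Dell SecureWorks: it parses a 512-byte MBR image using the standard layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the code region, and compares it with a baseline recorded from a clean machine. The two bootstrap-code byte strings and the partition entry are constructed sample data, and the baseline hash stands in for whatever a defender saved at install time; nothing here reproduces TDL-4's own loader.

```python
"""Offline MBR integrity check against a known-good baseline.

Added example, not code from the article or from Kaspersky Lab / Dell SecureWorks.
The MBR layout used is the standard one: 446 bytes of bootstrap code, four 16-byte
partition entries, and the 0x55AA signature. The two bootstrap-code byte strings
and the partition entry are constructed sample data (hypothetical values).
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_SIZE = 446
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_SIZE = struct.calcsize(PART_ENTRY_FMT)  # 16
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed stand-ins for a clean loader and a bootkit-patched loader (hypothetical bytes).
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
INFECTED_BOOTCODE = b"\xeb\x10" + b"\x00" * 14 + b"\xfa\x33\xc0" + b"\x90" * 30


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Assemble a 512-byte MBR image from bootstrap code plus a fixed partition table."""
    if len(bootcode) > BOOTCODE_SIZE:
        raise ValueError("bootstrap code does not fit in 446 bytes")
    code = bootcode.ljust(BOOTCODE_SIZE, b"\x00")
    # One active NTFS (type 0x07) partition at LBA 2048, 1 GiB long (constructed values).
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a bootstrap-code hash and the list of non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype != 0:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_SIZE]).hexdigest(),
            "partitions": partitions}


def bootcode_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True if the bootstrap code is byte-for-byte what the baseline recorded."""
    return parse_mbr(mbr)["bootcode_sha256"] == baseline_sha256


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTCODE)
    baseline = parse_mbr(clean)["bootcode_sha256"]   # recorded on a clean install
    suspect = build_sample_mbr(INFECTED_BOOTCODE)    # read later from the same disk
    print("bootstrap code unchanged:", bootcode_matches(suspect, baseline))
    # A bootkit has to leave the partition table intact or Windows would no longer boot,
    # so the table alone looks normal; only the code region gives the infection away.
    print("partition table unchanged:",
          parse_mbr(suspect)["partitions"] == parse_mbr(clean)["partitions"])
```

On a real machine the 512 bytes must be captured from outside the suspect operating system, for example by booting a trusted live medium and running `dd if=/dev/sda bs=512 count=1 of=mbr.bin`, because a kernel-mode rootkit can intercept reads of sector 0 from within the running system and hand back a clean copy.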
But that is not TDL-4's secret weapon. What makes the botnet indestructible is the combination of a sophisticated encryption scheme and the use of a public peer-to-peer (P2P) network, alongside its command-and-control (C&C) servers, to manage the malware.
Roel Schouwenberg, senior researcher at Kaspersky Lab, noted in an e-mail that [TDL-4's] use of a P2P network would make suppressing this botnet extremely difficult. "These guys are doing everything in their power not to become the next gang to lose their botnet," he added.
Schouwenberg pointed to several high-profile botnet "hunts", some of which succeeded: the coordinated effort that stopped Conficker last year, and the FBI-led takedown of Coreflood in 2011. "Every time a botnet is taken down, it raises the bar for the next attempt," Schouwenberg noted. "The true professionals among the cyber-criminals watch, and work on their botnets to make them more resistant to takedown or to hijacking of control."
The creators of TDL-4 developed their own encryption algorithm, Golovanov said in his analysis, and the botnet uses the domain names of its C&C servers as encryption keys.
The botnet also uses the public Kad P2P network as one of its two communication channels between infected computers and the control servers, Kaspersky's experts say. Previously, botnets that used P2P built their own closed networks.
Public networks help botnets survive any attempt to suppress them. "The TDL group effectively sidesteps any attempt to shut down its control servers by updating the list of control servers through the P2P network," Schouwenberg said. "The fact that TDL has two separate communication channels will make shutting down this botnet very difficult."
By Kaspersky's estimate, the TDL-4 botnet consists of more than 4.5 million infected Windows computers. "TDL is a business, and its goal is to stay on the PC as long as possible," Stewart said, referring to the techniques that make shutting down the botnet almost impossible. He noted that TDL-4's success also lies in its ability to resist attacks by other malware.
TDL-4's creators use the botnet to push additional malware onto computers, rent it out to others for delivering malware, carry out denial-of-service (DDoS) attacks, and run spam and phishing campaigns. "For all intents and purposes, TDL-4 is very hard to remove," Stewart said. "It is definitely one of the most sophisticated botnets."