"Indestructible" Superbotnet With 4.5 Million PCs Unearthed

Sergey Golavanov, a Kaspersky Labs researcher, has detected a new iteration of the TDSS malware which he claims is the "most sophisticated threat" to computer security in the world, and has apparently been used to take over more than 4.5 million computers in what is by far the biggest botnet in the world.

This is roughly six times the size of the Rustock botnet which had hitherto been considered as one of the most successful botnets in the world with over 800,000 Windows PCs.

Golavanov said, "TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center".

The fourth version of TDSS, known as TDL-4, goes beyond the call of duty and even includes what Kasperky Labs describes as an anti-virus that tries to eradicate other malicious malware that could potentially compete or have a negative impact on how the infected computer performs.

TDL-4 scans the PC's registry looking for specific file names, blacklists the IP addresses of the C&C centers of other botnets from a list of around 20, thereby cutting their communications and making them useless; in addition, it also downloads additional malicious programs itself.

Golovanov also added that the botnets relying on TDL-4 were virtually indestructible because of the extent of its deep integration within the slaved system, the fact that it uses encrypted network connections between the infected PCs and the command and control botnet servers, and its ability to transmit commands to a botnet via the publicly available P2P kad network through a kad.dll module.

Of the estimated 4.5 million infected computers detected in the first quarter of 2011, more than a quarter were located in the US and about five per cent in the UK, a frightening statistic given that TDSS has been around since 2008.

Golovanov also highlights how TDSS uses a module to fraudulently manipulate advertising systems and search engines using fake click and traffic technologies with what the Security Expert calls the longest list of search engines amongst malware kits out there.

Ominously, he ends his post by saying "TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed."


Desire worked at ITProPortal right at the beginning and was instrumental in turning it into the leading publication we all know and love today. He then moved on to be the Editor of TechRadarPro - a position he still holds - and has recently been reunited with ITProPortal since Future Publishing's acquisition of Net Communities.