If there's one point that the detailed analysis of the TDL4 or TDSS botnet by Sergey Golovanov and Igor Soumenkov of Kaspersky Labs revealed, it is that criminals are expanding into Malware as a service or MaaS.
Some analysis was done by an employee of Kaspersky Labs' rival, Paul Ducklin, who is the head for Sophos in the APAC region; he stated that the "TDL rootkit family is, indeed, one of the trickiest rootkits around" and that the latest version was "particularly sneaky".
He notes how the technology behind the rootkit family is heavily guarded, that it is a closed source, a proprietary set of bytes and in some aspect, a genuine trade secret that can earn its owners a fortune.
Duckling points out rightly that you cannot buy the source code per se and that you can only rent time on a botnet that is built using the TDL4 toolkit, in essence replicating the business model of Software-as-a-Service.
The owners of the rootkit go to great lengths to make sure that its turf, which is literally the millions of computers that are part of its army, are protected from other rogue malware.
The defence mechanism includes its own antivirus to take out other competing malware and eliminate the risk of potential conflicts as well as the use of public P2P networks to link the slave computers to Command and Control servers.