Skip to main content

"Indestructible" Superbotnet With 4.5 Million PCs Unearthed

Sergey Golavanov, a Kaspersky Labs researcher, has detected a new iteration of the TDSS malware which he claims is the "most sophisticated threat" to computer security in the world, and has apparently been used to take over more than 4.5 million computers in what is by far the biggest botnet in the world.

This is roughly six times the size of the Rustock botnet which had hitherto been considered as one of the most successful botnets in the world with over 800,000 Windows PCs.

Golavanov said (opens in new tab), "TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center".

The fourth version of TDSS, known as TDL-4, goes beyond the call of duty and even includes what Kasperky Labs describes as an anti-virus that tries to eradicate other malicious malware that could potentially compete or have a negative impact on how the infected computer performs.

TDL-4 scans the PC's registry looking for specific file names, blacklists the IP addresses of the C&C centers of other botnets from a list of around 20, thereby cutting their communications and making them useless; in addition, it also downloads additional malicious programs itself.

Golovanov also added that the botnets relying on TDL-4 were virtually indestructible because of the extent of its deep integration within the slaved system, the fact that it uses encrypted network connections between the infected PCs and the command and control botnet servers, and its ability to transmit commands to a botnet via the publicly available P2P kad network through a kad.dll module.

Of the estimated 4.5 million infected computers detected in the first quarter of 2011, more than a quarter were located in the US and about five per cent in the UK, a frightening statistic given that TDSS has been around since 2008.

Golovanov also highlights how TDSS uses a module to fraudulently manipulate advertising systems and search engines using fake click and traffic technologies with what the Security Expert calls the longest list of search engines amongst malware kits out there.

Ominously, he ends his post by saying "TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed."

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.