One of my favourite Bash.org quotes is “
This nasty piece of work infects the MBR (Master Boot Record) of any PC that it manages to get installed onto, and then joins up with a massive peer-to-peer botnet. What makes it so sophisticated is the number of interesting features that its makers have built into it.
Firstly, the fact that it installs itself into the MBR makes it difficult for the Operating System or any antivirus or security software to detect the malicious code, since it loads before the Operating System and is able to take measures to hide itself.
This isn’t a particularly new feature for any virus or trojan, but it is one of many strengths. An advanced encryption algorithm ensures that security and anti-virus products are unable to make sense of the packets it sends out onto the network, even if they capture them. This helps to cloak the type of information being sent from the C&C (Command and Control) servers, and the information being returned by the trojan.
Hold on a minute. Surely you can just track down the C&C servers and put an end to things there? Not possible. TDL-4 makes use of a public peer-to-peer network called Kad. The Kad network is not used to share files, but rather for storing meta information, so the actual volume of traffic on this network is relatively low.
Most viruses and trojans, so far, have created their own closed P2P networks, but that has meant that antivirus vendors can use honeypots to get into the network and then build up a database of all of the infected IP addresses. However, by using a public network, it becomes very difficult to tell which of the hosts on the network are infected and which are legitimate users of the network. Furthermore, as a P2P network, it becomes almost impossible to dismantle, since there are no central servers and any computer that connects to the network as a node will keep it running.
Any attempt to take down the regular C&Cs can effectively be circumvented by updating the list of C&Cs through the P2P network. Furthermore, any C&C has a means to directly communicate over the encrypted channel to any host, so that it is virtually indestructible. But there is something else about this trojan that is also interesting.
TDL-4 hunts down other malware installed on any of the hosts that it infects, and disables it. So it effectively acts as a form of anti-virus that helps to protect the host that it has infected. This helps to improve its stealth. By disabling competing malware, it makes it less likely that anti-virus or security software will pick up any other infection on the PC that will prompt further investigation that may expose TDL-4.
Just because it removes competing viruses doesn’t mean it’s friendly. TDL-4’s makers use the botnet to install additional malware on PCs for short periods to perform distributed denial-of-service (DDoS) attacks, and to conduct spam and phishing campaigns. When they have finished a campaign or attack, they simply use TDL-4 to remove any traces of the program that they used for that purpose. Antivirus vendor Kaspersky has suggested that TDL-4 has installed nearly 30 different malicious programs onto the PCs it controls.
I don’t know if it’s fair to call TDL-4 indestructible, but it is very cleverly designed and it is unlikely to go away soon. If you’re running a PC with a Windows operating system, you will do the world a favour if you regularly check that you’re not infected. Fire up something like GMER and check that your MBR hasn’t been modified against your will. Download Kaspersky’s TDSSKiller and make sure your computer is clean. Don’t let the end guy beat you!
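As an added illustration of the “check that your MBR hasn’t been modified” advice (this is example code written for this post, not GMER’s or TDSSKiller’s logic), the script below parses a 512-byte MBR, verifies the 0x55AA boot signature, and compares the boot code and partition table against a baseline recorded when the machine was known to be clean. The sample MBRs are constructed in the script so it runs offline; the disk path in the comment is the usual Windows raw-device name and is only there as a hint.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"   # 0x55AA stored little-endian at offset 510

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):                      # four 16-byte entries start at offset 446
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:                      # type 0 means an unused slot
            parts.append((status, ptype, lba, count))
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIG}

def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare an MBR against a baseline taken on a known-clean machine.
    Returns a list of findings; an empty list means nothing changed."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: boot code padded to 446 bytes, one bootable
    NTFS-type (0x07) partition starting at LBA 2048, and a valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

# Constructed data: a "clean" MBR, its baseline, and a copy whose first two
# boot-code bytes have been altered (the kind of change a bootkit makes).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed clean boot code")
BASELINE = parse_mbr(CLEAN_MBR)
MODIFIED_MBR = b"\xeb\x3e" + CLEAN_MBR[2:]

if __name__ == "__main__":
    # Real use: read the first 512 bytes of the physical disk with admin rights
    # (e.g. open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows) and compare
    # against a baseline you recorded while the machine was known to be clean.
    print(check_mbr(CLEAN_MBR, BASELINE))     # []
    print(check_mbr(MODIFIED_MBR, BASELINE))  # ['boot code differs from baseline']
```

A hash of the boot code alone is enough to flag TDL-4-style tampering, but keeping the partition table in the baseline also catches bootkits that repoint the active partition instead of patching the boot code.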