
Indestructible TDSS botnet is spotted

Kaspersky Anti-Virus calls the botnet the most sophisticated around
Thu Jun 30 2011, 16:25

LOCK DOWN YOUR COMPUTERS and hide your womenfolk and kids, there is a new botnet in town and it sounds like the worst one yet.

According to the Russian security pros at Kaspersky, the botnet, which it has named TDSS, is particularly sophisticated and therefore represents a particularly significant threat.

"The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today," reports the firm in a new warning about the botnet.

"TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system."

The botnet's name has changed since it first appeared in 2008 as TDL, and so have its capabilities. Kaspersky said that it was sold in late 2010 and has since reappeared along with a new way of doing business.

"The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer," said the security firm.

"Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services. The malware writers extended the program functionality and changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers."

This adds up to a botnet that is "essentially indestructible", it explained, protected against attacks from competitors and, more importantly, from anti-virus software.

More than four million infected PCs could make up the botnet, according to Kaspersky, and around a third of these are thought to be in the US. The estimated value of this pool of infected computers is put at £155,000. The UK is thought to account for around five per cent of the affected machines.

Perhaps most alarmingly, this incredibly high number of infected computers, now over 4.5 million, only started appearing over the last three months, showing that this indestructible botnet spreads as fast as it is powerful.

Or, as powerful as we think it is. Over at Guidance Software, another security firm, there are also warnings, but they are less 'tin foil hat'.

"This latest example will do nothing to allay fears amongst those still relying on traditional firewalls and antivirus methods to protect their systems, since it's ever apparent that these measures are not enough to combat the problem," said Frank Coggrave, general manager at Guidance.

"What needs to be remembered is that today's attacks are not 'indestructible' but they are very good at hiding, so just like a doctor wouldn't use a sticking plaster over something that requires an invasive operation, AV solutions cannot penetrate the modern threat landscape. Only a forensic approach can successfully uncover today's concealed threats." Good advice, we think. µ


Comments
I couldn't care less...

I use Linux. It is nice to feel safe. I feel sorry for all ignorant Windows users. Someone must inform them that they keep paying for AV software which can't even protect them anymore.

posted by : george, 02 July 2011
computer malware?

@Dave Is there even a need to mention Windows? Considering the desktop market share, it can pretty much be assumed, can't it?

---

http://onubuntu.blogspot.com

posted by : Tan Kah Ping, 02 July 2011
Author is a dolt

When you copy/paste an article next time do not leave out the most important part.

It is "indestructible" because it uses a Kademlia network for its command center and thus it is decentralized and almost impossible to take down.

posted by : Me, 01 July 2011
TDL-4 Global infection rate...

Its infection rate is estimated at 1.55% for the US, and higher in other countries ... details here:
http://www.internetsecuritydb.com/2011/06/tdl-4-botnet-statistics.html

posted by : Damian, 01 July 2011
Networks are flawed.

The fact that we are unable to spot and disable a botnet from an internet hub standpoint is pathetic.

Denial of service attacks show that our wonderful internet is horribly flawed and it's time to get it patched!

posted by : viscountalpha, 30 June 2011
Indestructible TDSS

Funny how this rather nasty piece of malware is rearing its head at around the same time as many western countries are posturing with calls to block parts of the internet selectively, especially since, in many cases, this is being proposed without judicial oversight. And who are calling for these curbs? The filthy rich!! Call me paranoid but I suspect there is a direct link between the malware and the calls for internet censorship in the guise of protecting intellectual property.

posted by : pathworker, 30 June 2011
computer malware?

And no mention of Windows anywhere in the article ..

posted by : Dave, 30 June 2011