Security blogs have been running bits about TDSS malware for quite some time, though it wasn’t until the arrival of TDL4 that things really started heating up. Like any other software developers, cybercriminals re-imagine and refine their malware as time goes by — and the TDSS crew clearly put plenty of effort into its most recent release.
There are several interesting aspects of TDL4. For starters, it’s not fond of sharing systems with competing malware. As it turns out, cybercriminals, like a lot of legitimate business people, aren’t fond of the competition. Amazingly, TDL4 actually performs certain anti-malware tasks when it sets up shop on an infected computer, uprooting other crimeware like ZeuS and Gbot. Its motivations aren’t benevolent, of course. The TDSS gang wants computers under its control and its control alone — in order to deliver fake antivirus software, additional revenue-generating malware, and the occasional spambot. TDSS also broke ground by introducing a 64-bit driver in 2010, something no other malware gang had managed to do at that point.
Another unique feature of TDL4 is that its command and control system doesn’t rely solely on a group of master servers. That’s how most traditional botnets — like Conficker and Coreflood — operate, and it’s a big part of the reason they were able to be dismantled. TDL4 complicates the situation by introducing a failover, a custom-built peer-to-peer system which can pass commands throughout the network. It also features a custom-built encryption system, making it hard to analyze what information is being sent and received.
But perhaps what has had administrators most concerned is TDL4’s obfuscation kung-fu. The trojan makes itself difficult to detect and remove by burrowing into a hard drive’s master boot record. It can then prevent its own post-infection malware additions from being detected by security software and even outfox programs which attempt to clean or repair the MBR to remove the infection. This in turn led many to advise reimaging or reinstallation as the only appropriate way to deal with a TDL4 infection — that’s not much of a surprise, as it’s generally considered a best practice to start from scratch any time a truly nasty trojan or rootkit is found on a system.
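Because an active TDL4 infection hides its MBR changes from software running on the infected system, the practical defender’s check is an offline one: read the first sector from a clean boot environment and compare it against a baseline captured when the machine was known to be good. The following Python is an added example written for this post, not code from the original article or from any of the analysts it cites; the function names (`build_sample_mbr`, `parse_mbr`, `check_mbr_against_baseline`) are my own, and the 512-byte image it inspects is constructed inline rather than read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code the rootkit replaces
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR
# Little-endian partition entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
PARTITION_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code_fill: int) -> bytes:
    """Construct a synthetic 512-byte MBR image for demonstration (not a real disk image).

    The boot code area is filled with a single repeated byte so two calls with
    different fills model 'clean' and 'boot code overwritten' sectors that share
    an identical partition table.
    """
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    # One bootable (0x80) NTFS-type (0x07) partition starting at LBA 2048; CHS fields are filler.
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(PARTITION_ENTRY_LEN * 3)  # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector layout and return a hash of the boot code plus the used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, mbr[off:off + PARTITION_ENTRY_LEN]
        )
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append(
                {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}
            )
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr_against_baseline(mbr: bytes, baseline_boot_code_sha256: str, baseline_partitions: list) -> list:
    """Compare a freshly read sector with a stored baseline; return a list of human-readable findings.

    An empty list means the boot code hash and the partition table both match.
    """
    current = parse_mbr(mbr)
    findings = []
    if current["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append(
            "MBR boot code differs from baseline "
            f"(baseline {baseline_boot_code_sha256[:12]}..., now {current['boot_code_sha256'][:12]}...)"
        )
    if current["partitions"] != baseline_partitions:
        findings.append("MBR partition table differs from baseline")
    return findings


if __name__ == "__main__":
    # Capture a baseline from the 'clean' constructed sector, then check a tampered one.
    clean = build_sample_mbr(0x90)
    baseline = parse_mbr(clean)
    print("clean sector:", check_mbr_against_baseline(clean, baseline["boot_code_sha256"], baseline["partitions"]))
    tampered = build_sample_mbr(0xEB)
    for finding in check_mbr_against_baseline(tampered, baseline["boot_code_sha256"], baseline["partitions"]):
        print("FINDING:", finding)
```

On a real machine the 512 bytes would come from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) opened from clean boot media, with the baseline hash stored somewhere the rootkit cannot reach; a baseline taken from an already-infected system only tells you that nothing has changed since the infection.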
An interesting side note to the story is that Kaspersky analysts managed to breach databases containing information about TDL-infected systems. In their discussion, Kaspersky’s Igor Soumenkov and Sergey Golovanov revealed that not a single infected system could be found within Russia’s borders. The reason: TDSS is a profit-taking business, and affiliates aren’t paid for installs on Russian computers. This could quite possibly be the first geo-restriction I’ve ever heard of that is actually a good thing.
As nasty as TDL4 is, security pros like InfoWorld’s Roger Grimes remind us that eventually the good guys win. In fact, Microsoft has already delivered patches that address vulnerabilities exploited by TDL4 and additional holes will be closed up as time goes on. It will be more interesting to see if a concerted effort can wrest control of the network from its creators and free the more than 4.5 million systems currently in its grasp.