Follow us on Twitter
Follow us on Facebook4 million strong Alureon P2P botnet "practically indestructible"
@ 2011/07/04Researchers at Kaspersky Labs analyzing the 4.5 million-strong Alureon botnet (also known as TDL and TDSS) have branded it "practically indestructible." Law enforcement agencies have had some success recently at disrupting and bringing down botnets, with Coreflood, Rustock, and Waledac all successfully disrupted. The design of TDL's underlying rootkit is going to make similar retaliatory action much harder to pull of.
TDL-4 has been specifically designed to avoid destruction—whether by law-enforcement, anti-virus software, or competing botnets. On installation, TDL-4 will remove other rootkits, an act which both deprives competing operators of income and reduces the chance that the user will notice that their system is behaving strangely and attempt to repair it. The goal of a rootkit is to remain undetected, and that includes noticing that a computer simply isn't behaving correctly.
To make this hiding more effective, the rootkit infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system. Infecting the MBR means that the rootkit code is loaded even before the operating system (let alone anti-virus software) can run; it's another move to make the rootkit harder to detect and remove. The software also encrypts all network traffic to prevent eavesdropping or hijacking by other botnet owners.
TDL-4 has been specifically designed to avoid destruction—whether by law-enforcement, anti-virus software, or competing botnets. On installation, TDL-4 will remove other rootkits, an act which both deprives competing operators of income and reduces the chance that the user will notice that their system is behaving strangely and attempt to repair it. The goal of a rootkit is to remain undetected, and that includes noticing that a computer simply isn't behaving correctly.
To make this hiding more effective, the rootkit infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system. Infecting the MBR means that the rootkit code is loaded even before the operating system (let alone anti-virus software) can run; it's another move to make the rootkit harder to detect and remove. The software also encrypts all network traffic to prevent eavesdropping or hijacking by other botnet owners.
