It appeared in 2008, pulling itself out of the mire of malware ecology to quickly become dominant in its niche. Originally named TDL by its creator (and identified as TDSS by Kaspersky Labs), the malware eventually grew into a botnet known as TDL-4, the most recent variant. It has a pool of infected computers 4.5 million strong and supports some highly unusual features: it encrypts its transmissions, hides from detection by infecting the boot record of the computer, and even hunts down and destroys other viruses infecting the system.
Kaspersky Labs have dubbed the network that this malware generates as “almost indestructible.”
Of course, this doesn’t mean that no software exists that can clean it out; it just means that it’s extremely difficult to detect and harder still to take over from its original owners.
To communicate with itself (and spread further payloads) the malware uses peer-to-peer networking to detect other copies nearby and update itself. Like a terrorist cell hiding within a computer, TDL-4 sneaks out while the computer is communicating and pokes around for friends; when it finds them, it uses HTTPS (encrypted communication) to hold conversations. Once it finds enough friends, it can be hooked into the command and control network, which only needs to speak to a few of the infections in order for commands to propagate through the peer-to-peer network to all the infected computers.
When TDL-4 infects a computer it spends a lot of time hiding itself from detection. It does this by infecting the boot sector (the first code to run when the computer is powered on) so that it can get itself up and running and hidden before any antivirus is active. It also encrypts its contents and tries its best to pretend to be something else. The best part of its infection, however, is that it takes the kill-or-be-killed ecology to the next level and tries to find other infections on the system and clean them out.
While TDL-4 has sophisticated mechanisms for staying hidden from antivirus and thus extending its lifetime, other malware may leave behind telltale traces of infection that are much more easily detected. As a result, having other malware on the system increases the chances that TDL-4 will be uncovered while the other viruses are being cleaned out. So it preemptively kills other, less well-hidden viruses.
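The two paragraphs above describe the persistence trick that lets TDL-4 start before antivirus: it rewrites the boot sector. The defensive counterpart is to baseline that sector and compare it later. The Python below is an added example, not code from the original article or from Kaspersky Labs: it parses a Master Boot Record, hashes the bootstrap code region, decodes the partition table, and reports any change against a saved baseline. The MBR bytes it runs on are constructed sample data (not real boot code), and `read_first_sector` assumes you pass it the path of a raw disk image or raw block device.

```python
"""Baseline-and-compare check for a Master Boot Record (MBR).

Added example, not from the original article or from Kaspersky Labs.
It assumes a raw disk image (or a raw block device opened read-only)
from which the first 512-byte sector can be read; the MBRs built below
are constructed sample data, not real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_CODE_LEN = 440          # bytes 0..439: bootstrap code
DISK_SIGNATURE_OFFSET = 440       # bytes 440..443: disk signature
PARTITION_TABLE_OFFSET = 446      # bytes 446..509: four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511
PARTITION_ENTRY = "<B3xB3xII"     # status, CHS start, type, CHS end, LBA start, sector count


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a raw disk image or raw device path (assumed to exist)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Reduce a 512-byte MBR to the fields worth baselining."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY, sector[off:off + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        # Hash only the code region: this is what a bootkit overwrites.
        "code_sha256": hashlib.sha256(sector[:BOOTSTRAP_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack(
            "<I", sector[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4])[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no change."""
    findings = []
    if baseline["code_sha256"] != current["code_sha256"]:
        findings.append("bootstrap code hash changed")
    if baseline["disk_signature"] != current["disk_signature"]:
        findings.append("disk signature changed")
    for i, (old, new) in enumerate(zip(baseline["partitions"], current["partitions"])):
        if old != new:
            findings.append(f"partition entry {i} changed: {old} -> {new}")
    return findings


def build_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a constructed sample MBR (stands in for a real disk here)."""
    code = bootstrap.ljust(BOOTSTRAP_CODE_LEN, b"\x00")
    signature_area = struct.pack("<I", 0x12345678) + b"\x00\x00"  # signature + reserved
    table = b"".join(struct.pack(PARTITION_ENTRY, *p) for p in partitions)
    table = table.ljust(64, b"\x00")  # pad to four entries
    return code + signature_area + table + BOOT_SIGNATURE


# Constructed samples: a "known-good" MBR and the same disk after its
# bootstrap code has been overwritten (the partition table is untouched).
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xeb\x58\x90\x00", [(0x80, 0x07, 2048, 204800)])


if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)  # in practice: parse_mbr(read_first_sector(path))
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = compare_mbr(baseline, parse_mbr(sector))
        print(label, "->", findings or "no change")
```

One caveat that follows directly from the article's point about hiding: a bootkit that is already running can intercept reads of its own sector and hand back the original contents, so the sector you baseline and compare should come from an image taken with the suspect machine offline (booted from clean media), not from reads made by the possibly infected operating system.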
The United States is a primary breeding ground for this infection
According to research by Kaspersky Labs, the US accounts for one third of TDL-4 infections worldwide.
Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with its servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases, located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.
Viruses can run, but they can’t hide. Eventually they must phone home (or home phones them) in order to receive instructions and drop off their payloads. Much malware is run for profit, not just by script kiddies launching DDoS attacks against random websites, and it is often used in combination with spam relays, keyloggers that steal passwords and credit card information, and other nefarious means.
Expect TDL-4 and TDSS to Get Smarter
As virus writers continue to examine and exploit Internet technology, that technology will find its way into more and more malware. This variant, which uses encryption, P2P technology, secure communication, and even its own antivirus-like behavior, represents the current pinnacle of malware development; however, the researchers at Kaspersky Labs believe that it will only continue to evolve.
This malware primarily infects PCs, but with the increasing power and capability of smartphones (and Android becoming a target) we can probably expect similar malware to start appearing there as well.
The struggle between security researchers and malware developers is a Red Queen race.