Malicious software programs like TDSS (another term for TDL), as detected by Kaspersky Lab products, are the most advanced and perfected tools today in the arsenal of cybercriminals. This particular example of malware uses sophisticated methods to infect a system, hide its tracks, control the respective PC remotely and prepare it for installation of other malicious programs. The diverse capabilities of TDL have allowed its author to create a botnet made up of millions of personal computers.
Experts at Kaspersky Lab investigated the behavior of a new version of the TDL-4 malicious program and evaluated its new capabilities, among which are the use of peer-to-peer networks for controlling infected computers, and functions for opening a proxy-server. The analysis of TDL-4 undertaken by Kaspersky Lab experts Sergey Golovanov and Igor Sumenkov has allowed them to determine the new capabilities of the malware and to estimate the number of infected PCs. Changes in TDL-4 have been aimed at building a botnet which is as well-hidden from competitors and anti-virus companies as possible, and which theoretically provides access to infected machines even upon closing all the command centers.
In particular, TDL-4 can now delete around 20 of the most popular competing products on an infected machine, among them such widespread programs as Gbot, ZeuS, Optima and others. Besides, TDSS itself installs on a PC around 30 utilities, including fake anti-virus programs and systems for both increasing advertising traffic and distributing spam. One of the most significant new additions to TDL-4 is the possibility to infect 64-bit operating systems. To control the botnet – besides the command servers – for the first time the Kad public file exchange network is being used. Another new function of TDL-4 is the possibility to open a proxy-server. Cybercriminals offer anonymous access services via infected computers, charging for such a service around 100 dollars per month.
Like previous versions, TDL-4 is distributed mainly with the use of so-called partner programs. The authors of the malware do not expand the network of infected computers themselves; instead they pay third parties for that. Depending on the particular terms and conditions, partners are paid from 20 to 200 US dollars for the installation of 1000 malicious programs.
Despite the protective measures in place on the controlling servers, the experts of Kaspersky Lab managed to extract general statistics on the number of infected computers. Analysis of the obtained data shows that in just the first three months of 2011 TDL-4 helped infect more than 4.5 million computers around the world, with a large proportion of those being situated in the US. Taking into account the above-mentioned price rates for the distribution of malware, one can estimate the approximate expenditure of cybercriminals on the creation of a botnet made up of American users: around 250 000 dollars. “We don’t doubt that the development of TDSS will continue,” said the experts who carried out the investigation. “Malware and botnets connecting infected computers will cause much unpleasantness - both for end-users and IT-security specialists. Active reworkings of TDL-4 code, rootkits for 64-bit systems, the launch of a new operating system, use of exploits from the Stuxnet arsenal, use of p2p technologies, proprietary “anti-virus” and much much more make the TDSS malicious program one of the most technologically developed and most difficult to analyze.”
The full version of the TDL-4 investigation can be found at the site securelist.com.