I wrote about the TDL4 rootkit malware threat for 64-bit Windows users back in April of this year. Our friends at Kaspersky have today (30th June) claimed they have penetrated the command and control servers of the underground botnet. TDSS (also referred to as TDL or Alureon), as I’ve discussed in the past, is very aggressive in that it continues to propagate and develop more complex and harmful infection elements and attack vectors. So far, TDSS has infected 1.5m PCs (counted by IP address) in the US and 3m more worldwide. This is one mighty improvement on TDL3! TDL4 even removes other botnets from your PC! Nice work. But it replaces them with a botnet that is, right now, very difficult to remove. 🙁
The TDL rootkits are spread via affiliate networks, booby-trapped websites, adult websites and torrents (P2P). Right now I’d be extra careful when visiting or downloading content from these types of websites. TDL’s core programming focuses on the master boot record of a PC, which, as I described in my April post, loads before any other program. 🙁 Kaspersky have noticed that a kad.dll component appears to allow TDSS/TDL4 to control bots over the Kad P2P file exchange network, even if the primary encrypted command channel has been shut down by rival botnet owners or AV vendors. Additionally, the TDSS developers have helped to sell this as a ‘botnet-as-a-service’. Nasty.
If you are infected with the TDL4 bootkit, here is some further reading:
Safe surfing folks!