'Indestructible' Malware Strain Infects Millions of PCs

/ Source: SecurityNewsDaily

A new strain of super malware infected more than 4.5 million PCs in the first three months of 2011, and shows no signs of slowing down.

The malware, a rootkit variously called TDSS, TDL or Alureon, has been active since 2006, continually evolving and growing more powerful. Due to its devious and damaging capabilities, it is nearly impossible to detect and has been called "indestructible" by researchers at the security firm Kaspersky Lab.

Its newest variant, TDL-4, is "the most sophisticated threat today," Kaspersky wrote. Often hidden on adult content and bootleg websites, as well as file-storage services, TDL-4 infected 4,524,488 computers around the world from January through March of this year.  A quarter of them were in the United States, the most lucrative market for cybercriminals.

Once it worms its way into users' systems by bypassing authentication protocols, TDL-4 opens a "back door" to cybercriminals, making it possible for them to load keystroke loggers, adware and a host of other malicious programs onto the infected computers.

TDL-4 allows attackers to remotely take over infected systems, manipulate search engines and act as "a launch pad for other malware," Kaspersky Lab wrote.

Like other rootkits, TDL-4 inserts itself into the kernel, the main program at the heart of a computer's operating system, making it extremely difficult to detect or remove.

Microsoft shielded Windows 7 against rootkits by demanding that all new software show digital certificates signed by trusted sources before installation.

But TDL-4 has gotten around this obstacle.  It now infects the master boot record of a PC, the section of the hard drive that the computer reads when starting up, and alters Windows 7 upon loading to permit unauthorized software installations. TDL-4 is present before the computer is even up and running.

"I wouldn't say it's perfectly indestructible, but it is pretty much indestructible," malware expert Joe Stewart of Dell SecureWorks told Computerworld. "It does a very good job of maintaining itself."

TDL-4 encrypts the protocol used for communication between infected computers and the command and control servers of the master botnet — a massive network of Internet-connected computers programmed to distribute spam and malware and launch cyberattacks.

This encrypted connection makes TDL-4's botnet communications difficult to detect, and even more difficult to slow down the malware's spread.

TDL-4 also does a security scan of its own, seeking out and destroying competing viruses, Trojans and worms in order to dominate the environment and lull the PC user into thinking everything's OK.

Finding TDL-4 on an infected system is a little like detecting a black hole in outer space — you can't actually see it, but you can observe its distorting effects upon system processes and network traffic. Removal involves several steps, including running Windows Recovery Console from a CD to rewrite the hard drive's master boot record.

It is "one of the most technologically sophisticated, and most complex to analyze, [pieces of] malware," Kaspersky Lab wrote.

Preventing infection is a bit easier. Because TDL is fairly well known, many anti-virus (AV) software suites prevent infection — but users need to be sure to keep their AV software updated. Paul Ducklin of Sophos Labs pointed out that keeping administrator privileges turned off on a PC will also bar TDL from installing.

Despite its prominence, and the threat it poses to computers all over the world, there's one place where TDL-4 has infected no systems at all.

"Remarkably, there are no Russian users in the statistics," Kaspersky Lab wrote. This is because, as researchers explain, the cybercriminals that pay to have their spam and malware sent via the botnet "do not offer payment for infecting computers located in Russia."