So this time we are dealing with a botnet which has been termed “practically indestructible” by Kaspersky Labs. The statement sounds surprising, but facts are facts and cannot be changed. The TDL malware family currently has TDL 4 (fourth generation) as its latest release. It dates back to the Alureon rootkit, which started in 2006 and has lately earned the name of “the most sophisticated threat today”. It specializes in tricks to remain hidden and evade antivirus detection. To add to the problems, its communications are completely encrypted. It contains a rootkit component for malicious user control and is capable of forming botnets for carrying out offensive attacks such as DDoS, spamming and spyware. This bot is well known for hiding in the master boot record of the system, from where it gains control during the boot process. One of the first versions was detected by Kaspersky Labs in 2008 as Rootkit.Win32.Clbd.a, named after the drivers clbdriver.sys and clbdll.dll, which deliver the main payload. It has been specially designed for profit: the authors pay $20-$200 per 1000 bots (infected machines), and these are then rented out to others as a botnet for the malicious purposes described above. It is also equipped to wipe off any other malware already present on the infected computer, to avoid competition.
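The MBR hiding mentioned above is something a defender can check for against a known-good baseline. The following is an added example, not code from the original article; it assumes the raw 512-byte first sector of the disk is available as bytes and that a SHA-256 of its boot code was recorded while the machine was clean, and the sample MBRs it uses are constructed:

```python
# Added example (not from the original article): baseline check for the master
# boot record, the sector TDL is described as hiding in. Assumes the caller
# supplies raw 512-byte sector 0 (physical disk or image) and a SHA-256 of its
# boot code taken while the machine was known clean; sample MBRs are constructed.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xaa"    # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        flag, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)  # 3x skips CHS fields
        if ptype:                                           # type 0 = empty slot
            parts.append({"active": flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from clean baseline")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE

CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed clean boot code
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
TAMPERED = build_sample_mbr(b"\xe9\x00\x01")        # constructed: boot code swapped
```

A real baseline should be taken from the same disk before infection (or from the vendor's installer media), since boot code legitimately varies between operating systems and boot managers.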
Communications in TDL 4 take place over the Kad network, a peer-to-peer network implementing the Kademlia protocol, a distributed hash table for decentralized peer-to-peer networks. Nodes communicate with each other over UDP in a virtual (overlay) network formed by the participating nodes. The TDL attackers may also manipulate the nodes.dat file to segregate TDL-infected bots from other computers on the Kad network. TDL is also known for downloading other malware, pornographic and copyrighted material onto the infected machines. The advantage, from the operators' point of view, of running communications over a peer-to-peer network is that there is no centralized server and the communications are distributed in nature: if any one server gets caught in the act or blacklisted, plenty of other nodes remain up.
Infection Analysis/Modus Operandi
TDL is known to be spread via fake blogs, pornographic websites and malicious URLs. The trojan has also been found in peer-to-peer downloads, torrent files and software crack executables, as well as on many legitimate websites which have been compromised and planted with these exploit downloads.
Functionality of the TDL
· Generating web traffic
· Installing pay per install software
· Generating sales leads for other websites
· Manipulating web search results to redirect users to malicious sites
· Displaying bogus pop up advertisements
· Downloading other malicious software and malware to increase the infection on the system
· Protecting the registry keys and files which might be critical
· Injecting malicious code in various system processes as well as hiding networking ports
TDL BSOD Incidents
The MS10-015 / KB977165 patch by Microsoft changed the relative virtual addresses of certain kernel APIs, so that the infected driver, which relied on the old addresses, called invalid ones. This in turn caused blue screens of death on systems with infected driver files such as atapi.sys. To add to the confusion, the user was stuck in an infinite loop of system restarts, since the system failed to start because of the infected driver file. Even the safe mode option did not work, and the infected user was left to reinstall the affected driver to restore a usable system.
Some of the other drivers commonly infected by TDL besides atapi.sys are iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys.
Removal tools by various Antivirus Vendors
· Backdoor.tidserv removal tool by Symantec
· Removal tool by Bitdefender
· Kaspersky TDSS Killer
Suspected IP addresses and domains
As per Symantec's research, listed here are a few IP addresses to which access should be blocked using a firewall on the user's computer.