Security and operating system companies have had real success in the last year at taking down major botnets, networks of malware-infected PCs that act in unison under remote control to perform distributed denial of service (DDoS) attacks and send huge volumes of spam email. Now a new botnet, named TDL, has been discovered that is very difficult to detect and shut down.
Over four and a half million PCs have been infected with the TDL trojan in the last three months. In a report on the new botnet, security researchers at Kaspersky Lab said: "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies."
TDL installs itself into the Master Boot Record (MBR) of the disk, so its code runs before Windows itself loads and before anti-virus programs, which often fail to check the boot sector, are even running. It also uses a new encryption method to protect communication between the infected PC and the operators, which makes it very difficult to recognise the traffic leaving the PC and to locate the people controlling the botnet.
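Because the infection lives in the boot sector rather than in a Windows file, the practical check is to look at sector 0 directly. The following is an added example, not code from the article or from Kaspersky: it parses a 512-byte MBR, compares the 446 bytes of bootstrap code against a known-good hash, and sanity-checks the partition table. The two MBRs it examines are constructed inline for the demonstration and are not real disk images; reading the real sector (for example from a raw disk device or a forensic image) is left to the caller. One caveat a practitioner should keep in mind: a bootkit that is already running can intercept reads of sector 0 and hand back the clean original, so take the sector from an offline image or after booting from trusted media.

```python
"""
Added example: offline integrity check of a 512-byte Master Boot Record.
Not code from the Ghacks article or from Kaspersky; the sample MBRs below
are constructed for the demonstration and are not real disk images.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code executed by the BIOS
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the code
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_sample_mbr(boot_code, partitions):
    """Assemble a constructed MBR from bootstrap bytes and (status, type, start_lba, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        # CHS fields are zeroed; modern loaders use the LBA fields
        struct.pack(PART_ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
        for status, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts; raise on a malformed sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, start, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start, "sectors": count})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the bootstrap code only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Compare an MBR against a known-good bootstrap hash and sanity-check its partition table."""
    findings = []
    parts = parse_partitions(mbr)
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from known-good baseline")
    bootable = [p["index"] for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partition entries overlap at LBA {start_b}")
    return findings


# Constructed baseline: a stub of bootstrap code plus one bootable NTFS partition.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # record this from a known-clean machine

# Constructed "infected" copy: the first instruction is replaced by a far jump the
# baseline never contained, the kind of patch a bootkit makes so its code runs first.
TAMPERED_MBR = build_sample_mbr(b"\xea\x00\x7e\x00\x00" + CLEAN_BOOT_CODE[5:],
                                [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_partitions(mbr), check_mbr(mbr, BASELINE_HASH) or "OK")
```

The hash covers only the bootstrap code because the partition table changes for legitimate reasons (resizing, adding a volume), while the 446 code bytes on a given Windows install should not change at all outside an OS upgrade. Record the baseline from a machine you trust, and treat any difference as something to inspect, not as proof of infection on its own.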
In addition, this botnet does not depend solely on a fixed set of command-and-control servers that could be seized or blocked; it also uses a peer-to-peer system, like those used in file sharing, to pass commands between infected machines. This decentralises the communication and removes the single point that takedowns normally target, making the botnet even harder to trace and shut down.
In their report the researchers said: "It's definitely one of the most sophisticated botnets out there."
The majority of infections so far have been reported in the USA (28%), with India second at 7%. Infection rates are rising sharply, and there has been no word yet from Microsoft on whether the enhanced protection and security in Windows 7 will help defend against infection.
For now, the most effective defence against the TDL trojan is on individual machines, yet millions of people still leave their computers open to infection because they do not understand the risks involved or how to protect against them.
Millions of people are also still running Windows XP and the hugely insecure Internet Explorer 6 web browser, which will aid the distribution and infection rates of TDL. Finally, it is critically important that people have Windows Update activated on their computers.
The trojan has been distributed via booby-trapped websites. So far it has been found lurking on porn and pirated-movie websites, along with some sites offering storage for photos and video files.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.