"Indestructible" Botnet Discovered

Mike Halsey MVP
Jul 1, 2011
Updated • Dec 15, 2014

Security and operating system companies have been very successful in the last year of taking down major botnets, networks of malware-infected PCs that can act in unison under remote control to perform distributed denial of service (DDOS) attacks and send huge volumes of spam email.  Now a new botnet, named TDL, has been discovered that is very difficult to detect and shut down.

Over four and a half million PCs have become infected with the TDL trojan in the last three months.  In a report on the new botnet, security researchers at Kaspersky labs said "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies."

TDL installs itself into the Master Boot Record of Windows, where anti-virus programs often fail to look and uses a new encryption method for protecting communication between the infected PC and the operators.  This makes it very difficult to trace the traffic from the PC and locate the people controlling the botnet.

In addition, this botnet doesn't use direct communication between machines, but instead uses a peer-to-peer system, such as those used in file sharing.  This decentralises the communication, making it even harder to trace.

In their report the researchers said "It's definitely one of the most sophisticated botnets out there."

The majority of infections so far have been reported in the USA (28%) with India second in the infected list at 7%.  The infection rates are rising sharply though, and there's been no reporting yet from Microsoft on whether the enhanced protection and security in Windows 7 will help defend against infection.

It's clear that the best way to fight the TDL trojan so far will be in individual machines, though it is still common for millions of people to leave their computers open to infection by not understanding the risks involved and how they can protect against them.

There are also still millions of people running Windows XP still and the hugely insecure Internet Explorer 6 web browser.  This will aid the distribution and infection rates for TDL.  Finally it is critically important that people have Windows Update activated on their computers.

The trojan has been distributed via booby-trapped websites.  It has so far been discovered lurking on porn and pirate movie websites, along with some sites offering storage for photos and video files.


Previous Post: «
Next Post: «


  1. Cheryl said on July 3, 2011 at 5:02 pm

    “Over four million and a half million PCs…”

    Shouldn’t that read

    “Over four and a half million PCs…”

  2. Ryan D. Lang said on July 1, 2011 at 11:50 pm

    I’m going to share this article with my professor. It should be interesting to discuss in class.

  3. us78 said on July 1, 2011 at 7:44 pm
  4. alex said on July 1, 2011 at 5:52 pm

    any detection and removal tool yet?

  5. TRY said on July 1, 2011 at 4:48 pm

    Indestructible! I say FUD.
    Backup everything and relax.
    For possible detection and cleanup there’s always tools for these types of rootkits.
    And yes we can boot Windows system in Linux and clean as well.

  6. SFdude said on July 1, 2011 at 12:26 pm

    Can this live
    in an UBUNTU Linux PC?

    just asking…

    1. Nebulus said on July 1, 2011 at 2:04 pm

      It can probably live in an Ubuntu PC, because it infects the MBR. But it will not be active after booting into Linux, so the problem is half solved. :)

  7. Paul(us) said on July 1, 2011 at 11:22 am

    And live is getting nicer (nastier) and nicer (nastier). Sometimes i wounder what will be the level of protection we will need i 5 – or 10 years.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.