Analysts calm fears of indestructible TDL4 botnet

Fears over a recent malware outbreak described by one firm as “practically indestructible” have been quelled by other security analysts who noted there is a simple method to stop it spreading.

Dubbed TDL4, the malware was the subject of a recent report from Kaspersky Lab which characterised the malware as “the most sophisticated threat today”.

A variant of TDSS, a malware platform that has been known to the security world for several years, TDL4 is noted for being harder to detect than comparable malware.

The malware uses an attack technique known as a “bootkit” to infect a machine’s boot sector early in the startup process, and so avoid detection from some security tools.

Kaspersky noted the TDL4 variant uses encrypted communications to connect infected systems to the botnet’s command and control centre along with a peer-to-peer communications model. This allows it to infect machines without the need for a central server.

The techniques have created what Kaspersky researchers see as a botnet which may be impossible to eradicate.

“TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike,” the company said.

“The decentralised, server-less botnet is practically indestructible.”

Despite the sophistication of the botnet, however, fears of an unstoppable TDL4 malware outbreak appear to be misguided.

Security vendor Trend Micro has long followed the TDSS malware family and the company has been studying TDL4 in recent weeks.

Threat research manager Jamz Yaneza likened the early worries over the TDL4 outbreak to the 2010 Conficker malware scare.

He said that while the malware botnet itself can be difficult to detect and remove, such bootkit infections can in fact be neutralised by Microsoft’s own system tools.

Yaneza explained that by using repair tools found on the Windows system restore disk, users can repair the boot sectors targeted by the attack.

He said that while some code from the infection will be left behind, the remnants would be harmless and are typical to what is often found when a bootkit infection is neutralised.

“Certainly a rebuilt system would inspire more confidence. However, if the affected systems require critical up-time and no back-up systems are in place, then doing so takes much productivity from the user,” he said.

“For those that decide to keep on going, the advice is to do routine checks and steps to ensure integrity of these systems.”

While the company has yet to fully test the fix on all systems, Yaneza said the technique has proven effective for removing infections on Windows XP systems.
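As an added illustration of the “routine checks” Yaneza recommends for systems kept in service after a boot sector repair, here is a Python script that parses a disk’s first sector (the Master Boot Record a bootkit overwrites), hashes the bootstrap code and compares it with a baseline recorded from a trusted state. This is example code written for this page, not a tool from Trend Micro, Kaspersky or the article; the sample sectors, the byte values written into them and the function names are constructed for the demonstration.

```python
"""Constructed example: baseline-and-compare integrity check for a disk's
Master Boot Record (MBR), the area a bootkit overwrites.  The sample
sectors below are constructed, not captured from a real infection."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code region of a classic MBR
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
MBR_SIGNATURE = b"\x55\xaa"


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a block device or a raw disk image (needs read access)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2]}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so legitimate partition edits do not trip the check."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from recorded baseline")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte {p['status']:#04x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {p['index']}: defined but zero length")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed 'known-good' MBR: placeholder boot code and one active NTFS partition."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 10).ljust(BOOT_CODE_LEN, b"\x00")
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * PART_ENTRY_LEN
    return boot_code + entry0 + empty * 3 + MBR_SIGNATURE


def tampered_sample_mbr() -> bytes:
    """The same sector with the first bytes of the bootstrap code rewritten (constructed change)."""
    sector = bytearray(build_sample_mbr())
    sector[0:3] = b"\xeb\x1c\x90"   # constructed: a short jump replacing the original prologue
    return bytes(sector)


if __name__ == "__main__":
    # In practice: baseline = boot_code_digest(read_first_sector("/dev/sda")) on a trusted system.
    baseline = boot_code_digest(build_sample_mbr())
    print("clean:   ", check_mbr(build_sample_mbr(), baseline))
    print("tampered:", check_mbr(tampered_sample_mbr(), baseline))
```

Because a bootkit runs before the operating system and its security tools load, the sector should be read from rescue media or from an offline image rather than trusted as read from the running system, and the baseline digest must be recorded from a state known to be clean (for instance right after the boot sector repair described above).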
