About a week ago reports of an “indestructible” botnet started coming in. Several researchers warned that the sheer number of infected computers forming the botnet would make it impossible to take down. But is that really the case?
TDL4: Less hype, more history
This is an article by David Harley, ESET’s researcher, on the matter.
Quite rightly, such notables as Paul Ducklin and our own Randy Abrams have poured scorn on the idea of the “indestructible botnet”: indeed, Randy remarked: “Calling the botnet indestructible is tantamount to calling the Internet unsustainable … I suspect that, in time, we’ll discover the ‘T’ in TDL stands for ‘Titanic,’ and a currently unseen iceberg will sink it.”
I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It’s introduced new twists on old ideas like P2P networks and hiding malware – just as previous malware has used sectors marked as bad, slack space, or streams, TDL uses a hidden file system.
It’s also very adaptive, and its use of Pay Per Install (PPI) business model rather like that used for distribution of browser toolbars via affiliates like DogmaMillions and GangstaBucks, as described in our article at http://resources.infosecinstitute.com/tdss4-part-1/, has been very effective – and so has ruthlessly eliminating some of the competition. But there is no indestructible malware. Rather, it’s a war of attrition – threat, counterthreat, counter-counterthreat…. In the long run, though, the security community has one big advantage: it isn’t also hiding from the law, and in fact, we sometimes cooperate very closely with law enforcement and other agencies.
TDSS: Political botnets
And in an older one, David Harley reveals more details about previous examples of this family of botnets.
There’s more technical detail on this latest variant here, but if you’d like more information on TDL in general, here is a paper by Aleks and Eugene on The Evolution of TDL: Conquering x64 (which is in the process of revision in order to accommodate the new information), and their article for Virus Bulletin on Rooting about in TDSS.