CyberThreats Daily: How destructible is an indestructible botnet?

About a week ago reports of an “indestructible” botnet started coming in. Several researchers warned that the sheer number of infected computers forming the botnet would make it impossible to take down. But is that really the case?

TDL4: Less hype, more history

This is an article by David Harley, ESET’s researcher, on the matter.

Quite rightly, such notables as Paul Ducklin and our own Randy Abrams have poured scorn on the idea of the “indestructible botnet”: indeed, Randy remarked: “Calling the botnet indestructible is tantamount to calling the Internet unsustainable … I suspect that, in time, we’ll discover the ‘T’ in TDL stands for ‘Titanic,’ and a currently unseen iceberg will sink it.”

I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It’s introduced new twists on old ideas like P2P networks and hiding malware – just as previous malware has used sectors marked as bad, slack space, or streams, TDL uses a hidden file system.

It’s also very adaptive, and its use of Pay Per Install (PPI) business model rather like that used for distribution of browser toolbars via affiliates like DogmaMillions and GangstaBucks, as described in our article at, has been very effective – and so has ruthlessly eliminating some of the competition. But there is no indestructible malware. Rather, it’s a war of attrition – threat, counterthreat, counter-counterthreat…. In the long run, though, the security community has one big advantage: it isn’t also hiding from the law, and in fact, we sometimes cooperate very closely with law enforcement and other agencies.

The update of our comprehensive paper on TDL4 and its earlier incarnations has just become available on the ESET white papers page if you care to read more about how it really works.

More TDL4 statistics here.

TDSS: Political botnets

And in an older one, David Harley reveals more details about previous examples of this family of botnets.

There’s more technical detail on this latest variant here, but if you’d like more information on TDL in general, here is a paper by Aleks and Eugene on The Evolution of TDL: Conquering x64 (which is in the process of revision in order to accommodate the new information), and their article for Virus Bulletin on Rooting about in TDSS.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s