Our analysis, “TDL4 – Top Bot” by Sergey Golovanov and Igor Soumenkov, has rightly been getting a lot of attention. It’s an excellent analytical article which uncovers a very sophisticated and complex malware TDL-4 which is the latest version of TDSS.
Some commentators and other security researchers however, focusing on our use of the word “indestructible” in the article, seem to think that we believe the malware is indestructible. This is clearly not the case – that’s why we put the word in inverted commas. In fact, our own TDSS Killer can remove the malware.
The key line from the article is, “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”
It is the botnet which the owners want to bullet proof. To help achieve this TDL-4 uses its own encryption algorithm for communication between infected computers within the botnet:
“The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.”
On top of this, it uses a publicly accessible file exchange network, the KAD network for peer to peer communications between infected computers. In this way even if the command and control servers are shut down the owners of the botnet will still be in control of the botnet.
Hopefully this has cleared up any misunderstandings relating to the article.
2011 Jul 05, 02:57
BBC report was misleading, in that case
I read a BBC online report of this, quoting a Kaspersky expert. The "indestructible" nature of the bot seemed to be a quote of what the Kaspersky source had said. Very misleading and certainly gave the impression that Kaspersky had *not* come up with a solution.