Security company says TDL-4 rootkit is sophisticated and intelligent but can be avoided
The company that uncovered what has been called an 'indestructible botnet' has criticised some stories about the problem as "alarmist".
Kaspersky Lab said that TDL-4 is without a doubt "the most complex and sophisticated attack" Kaspersky has seen to date; but the company said it had already developed a tool, the "TDSS killer", that would remove the malicious software.
Ram Herkanaidu, senior security researcher with Kaspersky, told Computeractive that stories had misinterpreted the company's reports and people should not panic.
"Some reports have been alarmist. What we actually said was the owners of this malicious software, which is the fourth strain of the TDSS rootkit, were trying to create an 'indestructible' botnet, not that it was indestructible."
Kaspersky said that provided people ensured their security software, plus all patches and updates for their operating system (OS) and third-party apps, were up to date, TDL-4 should not be able to infect a PC.
TDL-4 is a rootkit: malicious software that tries to hide from the system and evade detection. Computers infected with TDL-4 become part of a large network of infected PCs, known as a botnet.
These botnets are then hired out to other criminals in order to carry out criminal activities such as sending out junk email or pushing fake anti-virus software.
TDL-4 is not being distributed by its creators, who instead pay other people up to $200 per 1,000 infections to do this. These partners spread TDL-4 using drive-by downloads, in which they infect websites, often legitimate sites, with TDL-4, which then targets anyone who visits the site.
It is believed that visitors to pornographic, file-sharing and file and video storage sites are particularly at risk. The rootkit will then look for vulnerabilities or unpatched flaws in the victim's Windows OS or third-party applications such as Java or Adobe.
It is a very sophisticated and intelligent design, according to Kaspersky, because it can bury itself deep into the PC, concealing itself within the Master Boot Record (MBR). Because it loads before the OS, it is able to evade detection by the OS and by security software.
TDL-4 also acts like a Trojan, allowing other malicious software to be downloaded to an infected PC. However, it will rid a PC of any rival malware; it is currently known to kill off around 20 other malicious programmes, including the Zeus Trojan.
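Because an MBR-resident rootkit runs before the OS, one practical defensive check is to read the first sector of the disk from outside the running system (for example from rescue media) and compare its boot code against a hash recorded when the machine was known to be clean. The following is an added example written for this article, not code from Computeractive or Kaspersky, and it is not how the TDSS killer works: it parses a 512-byte MBR (boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region, and reports when that hash no longer matches a stored baseline. The sector it operates on is constructed in `build_sample_mbr`, so it runs offline without touching a real disk.

```python
"""Parse a 512-byte MBR sector and compare its boot code against a known-good
baseline hash.  Added example for this article; the sample sector below is
constructed, not a real disk image, and the baseline approach is a generic
integrity check rather than the method used by any vendor's removal tool."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code, one bootable NTFS (type 0x07)
    partition starting at LBA 2048 with 204800 sectors, three empty entries,
    and the boot signature."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code too long for the MBR")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and hash the boot-code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + PARTITION_ENTRY_SIZE])
        if ptype == 0:  # empty entry
            continue
        partitions.append({
            "index": index,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the recorded baseline")
    for part in info["partitions"]:
        # Only 0x00 (inactive) and 0x80 (active) are valid status bytes.
        if part["status"] not in (0x00, 0x80):
            findings.append(f"partition {part['index']} has invalid status byte 0x{part['status']:02x}")
        if part["lba_start"] == 0:
            findings.append(f"partition {part['index']} starts at LBA 0 (overlaps the MBR itself)")
    return findings


if __name__ == "__main__":
    # Record a baseline from a known-good sector (constructed here)...
    good = build_sample_mbr(b"\xEB\x3C\x90 known-good boot code")
    baseline = parse_mbr(good)["boot_code_sha256"]
    # ...then audit a sector whose boot code was changed (also constructed).
    changed = build_sample_mbr(b"\xEB\x3C\x90 different boot code")
    print(audit_mbr(good, baseline))      # []
    print(audit_mbr(changed, baseline))   # ['boot code differs from the recorded baseline']
```

On a real machine the 512 bytes would come from the raw device (`/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both requiring administrator rights), and the baseline hash must be stored off the machine, since anything that can rewrite the boot sector can also rewrite a hash kept beside it. The check only tells you the boot code changed, not what changed it; a legitimate OS upgrade or boot-loader reinstall will also trip it, which is why the baseline is re-recorded after such maintenance.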
"What it does not want is competing malware that also tries to create a botnet. If a criminal wants to steal banking information or other personal information they will have to get a keystroke logger or similar malware," said Mr Herkanaidu.
To make matters worse for the security firms, TDL-4 also encrypts its messages and uses file-sharing sites to transmit them back to the owners of TDL-4.
Most major security vendors can protect against TDL-4. Kaspersky and Bitdefender have both developed free tools that people can use to find and remove the Trojan if they are concerned.