TDL-4 is the fourth-generation version of the well-known TDSS a.k.a. Alureon Trojan, responsible for infecting a vast number of PCs around the world. The TDL- is one of the most active and resilient botnets currently conducting operations around the world. In the first three months of 2011, over 4.5 million computers were infected with TDL-4, with 28% of these computers being located in the United States.
When installed, TDL-4 creates a rogue file system at the end of the infected computer’s disk, which it heavily encrypts and stores its files on. Additionally, it is able to bypass the low-level driver signing requirement of 64-bit editions of Windows by installing itself in the master boot record (MBR) of the system drive, subverting the normal booting process in order to run its own unsigned malicious code. Once TDL-4 is installed on a machine and present in the MBR, it not only disables Windows Update and various antivirus products, but it removes or disables many other known types of similar malware such as Zeus or Optima to reduce competition as well as ensure that there are no undesirable interactions with such malware. Malware that exhibits such stealth behavior and low level interaction is called a “rootkit” (and a kernel-mode variant such as TDL-4 is called a “bootkit”).
Perhaps the most interesting feature of TDL-4 is the complex P2P network that its botnet uses for inter-bot and command and control (C&C) server communication. TDL-4 bots are able to communicate with each other and with C&C servers (of which around 60 have been discovered) using the public P2P Kad file sharing network and heavy encryption. Generally speaking, dismantling a botnet often involves the disabling of C&C servers as seen in the past during the dismantling of the Mariposa and other large botnets. As the TDL-4 botnet has both C&C servers as well as inter-bot communication abilities across a public P2P network (and incredibly advanced stealth techniques including custom encryption), many are calling it the “indestructible botnet”.