DDoSPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

Security Research Center

TDL-4 (Alureon)

TDL-4 is the fourth-generation version of the well-known TDSS a.k.a. Alureon Trojan, responsible for infecting a vast number of PCs around the world. The TDL- is one of the most active and resilient botnets currently conducting operations around the world. In the first three months of 2011, over 4.5 million computers were infected with TDL-4, with 28% of these computers being located in the United States.

When installed, TDL-4 creates a rogue file system at the end of the infected computer’s disk, which it heavily encrypts and stores its files on. Additionally, it is able to bypass the low-level driver signing requirement of 64-bit editions of Windows by installing itself in the master boot record (MBR) of the system drive, subverting the normal booting process in order to run its own unsigned malicious code. Once TDL-4 is installed on a machine and present in the MBR, it not only disables Windows Update and various antivirus products, but it removes or disables many other known types of similar malware such as Zeus or Optima to reduce competition as well as ensure that there are no undesirable interactions with such malware. Malware that exhibits such stealth behavior and low level interaction is called a “rootkit” (and a kernel-mode variant such as TDL-4 is called a “bootkit”).

Perhaps the most interesting feature of TDL-4 is the complex P2P network that its botnet uses for inter-bot and command and control (C&C) server communication. TDL-4 bots are able to communicate with each other and with C&C servers (of which around 60 have been discovered) using the public P2P Kad file sharing network and heavy encryption. Generally speaking, dismantling a botnet often involves the disabling of C&C servers as seen in the past during the dismantling of the Mariposa and other large botnets. As the TDL-4 botnet has both C&C servers as well as inter-bot communication abilities across a public P2P network (and incredibly advanced stealth techniques including custom encryption), many are calling it the “indestructible botnet”.

DDoSPedia Index

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support

Get Social

Connect with experts and join the conversation about Radware technologies.

Radware Blog
Security Research Center