New malware market makes it a relief to finally be infected with a really solid product

Version 4 of the TDSS rootkit family is doing bang-up business in stolen computer time

If it's possible to judge the quality of a technology product by the speed with which it's adopted and the market share it manages to capture, the world's leading bit of malware is one so virulent and effective that it's built at least one botnet with more than 4.5 million infected computers, a weapon analysts are calling "practically indestructible."

The malware is a family of rootkit variants known as TDSS, TDL or Alureon, the last name taken from the core modules of its rootkit.

Kaspersky Lab researchers backtracking infections were able to penetrate three servers distributing the rootkit and controlling machines infected with it. They found more than 4.5 million IP addresses of machines infected with TDSS during 2011 alone.

TDSS is not only highly infectious, it's highly competitive – on commercial grounds.

After installing itself in the master boot record of a PC so it can load before other programs and before some boot-up subroutines, TDSS hunts down and destroys more than 20 other types of malware to give itself uncontested control over the infected machine.
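As an added defender-side example (not from the article or from Kaspersky's analysis): a Python check that compares the first sector of a disk against a known-good baseline of its boot code, the region an MBR bootkit like TDL-4 overwrites to load before the OS, and that sanity-checks the boot signature and partition table. The 512-byte sample sectors and the baseline hash below are constructed for the example; on a real host the sector would be read from the raw disk device.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code a bootkit replaces
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_partitions(mbr: bytes):
    """Return (bootable, type, lba_start, sector_count) for each used partition entry."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append((status == 0x80, ptype, lba, count))
    return entries


def check_mbr(mbr: bytes, baseline_boot_hash: str):
    """Compare a captured sector with a baseline; an empty list means no findings."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    for bootable, ptype, lba, count in parse_partitions(mbr):
        if bootable and lba == 0:
            findings.append("bootable partition starts at LBA 0")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: boot code padded to 446 bytes, one NTFS partition, signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot + entry + b"\x00" * 48 + SIGNATURE


# Constructed stand-in for vendor boot code; the hash of a real machine's clean
# sector would be recorded at build time instead.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Constructed "tampered" sector: the first byte of the boot code has been changed.
TAMPERED_MBR = b"\xeb" + CLEAN_MBR[1:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Because a running rootkit can filter what the OS reads from the disk, the sector is best captured from a trusted boot environment or with the drive mounted elsewhere.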

Eliminating other malware reduces the chance that the owner of an infected machine will notice the effect of one virus or the other and do a cleaning that will eliminate them all, Kaspersky researchers wrote.

It also leaves TDSS in sole control of the illicit activity of that machine, making each botnet node more valuable, they wrote.

Then it turns the new zombie into an anonymous proxy, which Kaspersky researchers found being sold for $100 per month to customers who want to cover their tracks online.

VPNs and proxy servers are becoming more common commercial services as netizens become more wary of being tracked online. Legitimate proxy services that aren't free cost between $5 and $25 per month.

Anyone willing to pay $100 per month for a proxy is hiding a lot more than embarrassing search terms on YouPorn. Most likely the customers are spammers or crackers using infected machines as fake virtual neighbors to absorb whatever attention results from heavy spam generation or attempts to crack high-profile targets like the U.S. Senate, CIA or FBI.

TDL is in version 4, which includes a list of features that would do credit to any commercial app that's been around a similar time (three years). TDL-4 supports 64-bit OSes and P2P networking, can evade both commercial and proprietary anti-virus, and uses a much more sophisticated algorithm to encrypt communication with its command-and-control servers.

It also comes with its own anti-virus, as noted above, to make sure it gets to control which infection controls the machine and to make each "acquisition" more complete.

With installs that clean, cleaning that well thought out and implementation that effective, it's too bad the writers are doing rootkits instead of Windows software.

It would save the rest of us a lot of time troubleshooting and reinstalling so we can just work away with no expectation of trouble until the virus decides to turn us to its nefarious purpose and we have to respond as if as if as if if as if as if if as if as if if as if as if if as if as if if as if as if...say, have you downloaded this cool file yet?
