June 30, 2011, 4:06 PM — If it's possible to judge the quality of a technology product by the speed with which it's adopted and the market share it manages to capture, the world's leading bit of malware is one so virulent and effective that it's built at least one botnet with more than 4.5 million infected computers, a weapon analysts are calling "practically indestructible."
The bug is a family of rootkit variants known as TDSS, TDL, or Alureon, named after the core modules of its rootkit.
Kaspersky Lab researchers backtracking infections were able to penetrate three servers distributing the rootkit and controlling machines infected with it. They found more than 4.5 million IP addresses of machines infected with TDSS during 2011 alone.
TDSS is not only highly infectious, it's highly competitive, on commercial grounds.
After installing itself in the master boot record of a PC so it can load before other programs and before some boot-up subroutines, TDSS hunts down and destroys more than 20 other types of malware to give itself uncontested control over the infected machine.
Eliminating other malware reduces the chance that the owner of an infected machine will notice the effect of one virus or the other and do a cleaning that will eliminate them all, Kaspersky researchers wrote.
It also leaves TDSS in sole control of the illicit activity of that machine, making each botnet node more valuable, they wrote.
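The master boot record behaviour described above is exactly what an offline integrity check can catch: the first 446 bytes of sector 0 are the boot code, the next 64 bytes are the four partition entries, and the last two bytes are the 0x55AA signature. The script below is an added example, not code from the article or from Kaspersky, and it uses constructed sample sectors rather than a real disk. It parses the MBR, hashes the boot-code region and compares it with a previously recorded baseline so that an unexpected change in the boot code (which is how a bootkit gets to run before the OS) shows up as a finding.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PARTITION_TABLE_OFFSET = 446  # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries and signature status."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_to_baseline(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is damaged or overwritten")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code hash differs from baseline: MBR boot code was modified")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition flagged")
    return findings


def build_sample_mbr(boot_stub: bytes) -> bytes:
    """Constructed test sector: a boot stub padded to 446 bytes plus one NTFS partition."""
    boot_code = boot_stub.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


# Constructed sample data: a "known good" sector recorded earlier and a later reading
# whose boot code no longer matches (standing in for an overwritten MBR).
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90clean-boot-stub")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\x58\x90replaced-boot-stub")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, compare_to_baseline(sector, BASELINE_HASH) or ["ok"])
```

On a live system the sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux); the baseline hash is recorded once from a known-good state. Because a rootkit that sits in the boot chain can intercept disk reads and hand back the original sector, the comparison is only trustworthy when the disk is read from a separate boot medium or another machine.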
Then it turns the new zombie into an anonymous proxy, which Kaspersky researchers found being sold for $100 per month to customers who want to cover their tracks online.
VPNs and proxy servers are becoming more common commercial services as netizens become more wary of being tracked online. Legitimate proxy services that aren't free cost between $5 and $25 per month.
Anyone willing to pay $100 per month for a proxy is hiding a lot more than embarrassing search terms on YouPorn. Most likely the buyers are spammers or crackers who set up fake virtual neighbors to absorb whatever attention results from heavy spam generation or from attempts to crack high-profile targets like the U.S. Senate, CIA or FBI.
TDL is in version 4, which includes a list of features that would do credit to any commercial app that's been around a similar time (three years). TDL-4 supports 64-bit OSes and P2P networking, can evade both commercial and proprietary anti-virus, and uses a considerably more sophisticated algorithm to encrypt its communication with command-and-control servers.