A botnet has been described as the most complex and sophisticated seen in some time.
Named the TDL-4, it can control up to four million computers and has capabilities including encrypted communications, a peer-to-peer network for sending commands to control infected computers and a proxy server functionality to enable users to sell anonymous internet access through infected computers.
Analysis by Kaspersky Lab determined that its recent changes have been aimed at building a botnet which is well-hidden from competitors and security software, and theoretically could provide access to infected machines even upon closing all the command centres.
Research also found that TDL-4 has so far downloaded and distributed around 30 different malware variants. It uses the Kad public file exchange network to send commands and allows use of the computers in the botnet as proxy-servers.
Kaspersky Lab claimed that in the first three months of 2011, TDL-4 infected more than 4.5 million computers around the world, particularly in the US. It is being offered for us at around £62 a month and malware authors are not expanding the network of infected computers themselves; instead they pay third parties to do it.
Depending on the particular terms and conditions, partners are paid from £12 to £125 for the installation of thousands of malicious programs.
Kaspersky Lab researchers Sergey Golovanov and Igor Sumenkov, said: “We don't doubt that the development of this botnet will continue. Malware and botnets connecting infected computers will cause much unpleasantness for both end-users and IT security specialists.
“Active reworkings of TDL-4 code, rootkits for 64-bit systems, the launch of a new operating system, use of exploits from the Stuxnet arsenal, use of p2p technologies, proprietary ‘anti-virus' and much more make this one of the most technologically developed botnets and most difficult to analyse.”
Frank Coggrave, general manager for EMEA at Guidance Software, said: “The TDL-4 botnet is a prime example of an increasingly commonplace attack, specifically designed to burrow deep beneath top layer anti-virus defences. This latest example will do nothing to allay fears amongst those still relying on traditional firewalls and anti-virus methods to protect their systems, since it's ever apparent that these measures are not enough to combat the problem.
“What needs to be remembered is that today's attacks are not ‘indestructible', but they are very good at hiding. Anti-virus solutions cannot penetrate the modern threat landscape. Only a forensic approach can successfully uncover today's concealed threats.”